Got Third Party Risk? Ask the Right Questions.

What do CVSphoto.com, Jimmy John’s and the Detroit Zoo have in common?  All three businesses were in the headlines as payment card data breach victims. And, all three breaches were the result of hacked service providers that, once compromised, provided the cyber thieves with easy access to these companies’ customer information, including payment card data.

Third party risk can (and should) be managed.

Third party relationships make your life easier in a multitude of ways, from streamlining processes, to providing additional human resources, to ensuring operational efficiency. Unfortunately, these relationships also introduce increased business risk related to data security and compliance. If one or more of your third party vendors doesn’t maintain a strong security posture and is consequently compromised, your business could very well end up sharing the burden of recovery.

Here are three steps you can take to lessen your business's third party risk:

Step 1: Educate yourself on what types of businesses constitute a “service provider” under the Payment Card Industry Data Security Standard (PCI DSS). If you know who they are, you can start asking the right questions.

According to PCI Security Standards Council, there are four main categories of service providers:

1. Organizations involved in the storage, processing, and/or transmission of cardholder data (CHD), such as call centers, ecommerce payment providers, credit reporting services, collection agencies, third party processors, processing gateway services.
2. Organizations involved in securing cardholder data, including companies that provide destruction of or secure storage facilities for electronic and physical media; tokenization or encryption providers; Software-as-a-Service (SaaS) for e-commerce or mobile applications.
3. Organizations involved in the protection of the cardholder data environment (CDE), such as managed firewall providers, infrastructure providers, data-center hosting providers, monitoring services for intrusion-detection systems (IDS), antivirus, change-detection, compliance monitoring, audit-log monitoring, etc.
4. Organizations that may have incidental access to CHD or the cardholder data environment (CDE). “Incidental access” is access that may happen as a consequence of the primary activity and includes managed IT delivery services; companies providing software development, such as web application developers; providers of maintenance services such as HVAC or alarm systems.

Step 2: Identify any of your vendors that fall into one or more of the above categories, then ask each if they know they are a service provider in relation to PCI. If they don’t know or don’t even know what it means, this is a bad sign. In fact, PCI DSS Requirement 12.9 requires service providers to acknowledge in writing to customers their responsibilities for securing the customers’ cardholder data or the customers’ cardholder data environment. If they are not prepared to provide that information in writing, look elsewhere for the services that vendor provides, or require that they get an Attestation of Compliance (AoC).

Step 3: Find out if the service provider has had a Level 1 PCI assessment and has an AoC dated within the last 12 months. If they say yes, check to see if their business is listed on the Visa Global Registry of Service Providers. Then, each year as you validate your own business’s PCI compliance, make it a standard operating procedure to ask your service providers to provide their current AoC.

As your business connects with partners and vendors to gain more agility and scalability, it’s increasingly important to proactively identify any PCI-related service providers and then ask them the right questions to ensure they take data security seriously.

Check out this video of my colleague, Tim Cunningham, sharing additional best practices for managing third party risk.