
PCI Compliance: What To Know When Dealing With a Third Party Service Provider (Part 3)
Posted on Tuesday, May 2nd, 2017 by Vanessa Henri

4 Precautions to Take When Outsourcing Your Payment Processing (3/3)


As I mentioned in an earlier blog post about what is considered “reasonable” cybersecurity, it is critical for organizations to be able to clearly demonstrate due diligence at all times.

This holds equally when outsourcing credit card payment processing to a third-party service provider (TPSP): outsourcing does not shield your organization from legal liability or from the consequences of PCI DSS noncompliance.

Below is a list of recommended precautions to protect your entity from liability should there be a security incident involving the TPSP’s databases.

Precautions to Protect Your Entity From Liability


  1. Establish clear written policies and agreements that identify the procedures for all applicable security requirements, as well as the measures used to manage and report on those requirements;
  2. Determine which PCI DSS requirements apply to the TPSP, as opposed to those that remain the entity’s responsibility. This will vary depending on the extent of the services rendered by the TPSP;
  3. Monitor the TPSP’s compliance status (see the PCI Security Standards Council’s ‘Information Supplement: Third-Party Security Assurance’, version 3.0, August 2014). This means obtaining the proper validation document, such as a Report on Compliance (ROC) completed by an Internal Security Assessor (ISA) or by an external Qualified Security Assessor (QSA), an Attestation of Compliance (AOC), a Self-Assessment Questionnaire (SAQ), or an ASV Scan Report Attestation of Scan Compliance (AOSC) if the TPSP provides services delivered via systems required to meet PCI DSS Requirement 11.2.2. Information.
    • To obtain an additional measure of assurance that the TPSP’s PCI DSS assessment is aligned with the agreed-upon services, consider obtaining written verification that the services being provided fall within the scope covered by the AOC, ROC, SAQ and AOSC.
  4. Complete a risk assessment before engaging a TPSP. The results should be documented and, in case of doubt, the assessment can be completed by an experienced vendor, such as Hitachi Systems Security, which is familiar with the PCI DSS Risk Assessment Guidelines and the appropriate documentation process.


Overall, the vetting of candidates must demonstrate careful due diligence, and the entity must ensure that all security measures and requirements are maintained by the TPSP throughout the contract. All of this must be documented in written form for future reference. It is also essential to be aware of nested or chained TPSPs (defined by the PCI Security Standards Council as “any entity that is contracted for its services by another third-party service provider for the purposes of providing a service”).

Vanessa Henri
About author:
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Legal and Compliance as well as Data Protection Officer. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.
