Three numbers that don’t look too important, but they are actually one of the first lines of defence in the war against payment card related cybercrime for organisations that have outsourced the payment card journey to third-party service providers.
The Payment Card Industry Data Security Standard (PCI DSS) contains requirements intended to help protect cardholder data. The requirements under 12.8 empower merchants to manage their in-scope third-party service providers and ensure those providers protect their customers’ card data effectively.
So, let us go on a journey through the five requirements under 12.8…
The first requirement (12.8.1) simply asks merchants to keep a list of their service providers, including a description of the service(s) each one provides, such as web hosting, payment processing, IT management etc.
Sounds simple enough, and that is because it is. The list is usually kept in a spreadsheet, which can also be used to satisfy the other 12.8 requirements.
The wording of the second requirement (12.8.2) is fairly long-winded, but it refers to the contracts in place between a merchant and its third-party service providers, which must contain a reference to the security of the customers’ card data.
Due diligence (12.8.3)… There was a time when a lot of people didn’t know what due diligence was, and it is no surprise that some people still don’t. Simply put, it means performing various checks on third-party service providers to ensure that what they say they will or won’t do is actually happening.
An analogy would be buying a car: you ask questions about service history, optional extras, warranty and of course how fast it goes. That is a form of due diligence. In the business world, due diligence can be performed in a number of ways, but they all have the same goal: to get the third-party service provider to state what controls it has in place, and you can even request evidence to substantiate the claims. Sometimes it is done by sending a questionnaire, and sometimes a site visit is performed to view the physical controls. This process is normally performed annually and on new engagements, but it can be performed more regularly for more sensitive or critical engagements.
The fourth requirement (12.8.4) looks to merchants to confirm their third-party service providers’ PCI DSS status at least annually. A PCI DSS compliant third-party service provider that has undergone its own PCI DSS assessment will have its own Attestation of Compliance (AoC). This must be on the official PCI SSC template; a glossy certificate should not be accepted.
The AoC will have a date entered in it to show when the assessment was completed. Around 11 months from that date, the merchant needs to contact the third-party service provider and ask for the new AoC as soon as it has been issued. The merchant can also perform checks throughout the year, perhaps as part of service review meetings, to ensure the service provider is maintaining compliance and to discuss any areas of concern.
The final requirement in the 12.8 series (12.8.5) is to maintain information about which PCI DSS requirements the merchant is responsible for, and which ones each service provider manages.
See this as an extension of the contract wording that identifies the liability boundaries in case the worst should happen, so you know where to point the finger. Again, this information is usually kept in a spreadsheet and then shared with the in-scope service providers to get their agreement on the requirements they manage.
At IntaForensics, we often find that merchants are not aware of their responsibilities towards their third-party service providers. A substantial number of the data breaches we investigate are caused through a third party, and the vast majority of these are preventable.