PCI DSS compliance requires better management of vendor risk


Andrew M. Baer, Contributor
08.24.2009
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is becoming a major headache for millions of businesses that until now were oblivious to it. PCI DSS compliance is required by the payment card associations, by acquiring banks and, in Nevada, by statute. In all of the hullabaloo over encryption and other expensive IT upgrades, one PCI DSS requirement that has not received much attention is the implementation of due diligence, contracting and compliance monitoring procedures to manage the service providers with whom cardholder data is shared. For some businesses, that will require an attitude adjustment.

PCI DSS Requirement 12.8 requires that if cardholder data is shared with service providers, an organization must implement and maintain policies and procedures to manage them. These policies and procedures must include, at a minimum, the following:

  1. Maintaining a list of service providers.
  2. Maintaining a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data in their possession.
  3. Having an established process for engaging service providers, which must include "proper" due diligence prior to engagement.
  4. Maintaining a program to monitor the PCI DSS compliance status of service providers.

We are all banks now

With the advent of PCI DSS and its expansion to millions of small and medium-sized businesses (SMBs), we are all banks now. SMBs that were used to purchasing outsourced IT and transaction solutions quickly, with minimal due diligence and no lengthy contractual negotiations, will now have to emulate the vendor contracting and management procedures of financial services companies and large businesses. Many of these SMBs do not even have a chief technology or information security officer. How, then, can they achieve compliance?

Being required to take responsibility for the data security practices of third-party service providers via preselection due diligence, contractual protections and ongoing monitoring is old hat for financial services companies. Supervising regulators have imposed these standards on financial services for years. For example, as far back as 2001, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, jointly issued by the federal banking agencies to implement the Gramm-Leach-Bliley Act, required such an approach. The individual agencies have consistently adhered to it in their more recent pronouncements, such as the Federal Deposit Insurance Corp.'s (FDIC) Guidance for Managing Third-Party Risk, issued in June 2008.

In my former role as in-house technology counsel for a bank regulated by the FDIC, I worked with the bank's information security officer, IT department and vendor management group in a Talmudic exercise to parse all of these documents and translate their compliance mandate into a living, functional process. The result was a holistic vendor management program under which vendor relationships were assigned a risk rating at the due diligence stage of the relationship. For instance, possession of highly sensitive nonpublic personal information, such as names combined with account or Social Security numbers, would bump a potential relationship to the highest position on the risk scale. If a relationship was classified as high risk, the vendor was required to provide detailed financial, IT, security, operational and business continuity information; allow our team to visit its data center; and sign a contract that contained robust and detailed data security covenants, requirements for the vendor's continuing cooperation with periodic audits, and ongoing monitoring during the course of the relationship.

The audit and monitoring clauses of these contracts were often hotly negotiated, especially by vendors in the e-commerce space whose typical clients were fast-moving Web startups. Such clients were not used to regulated financial institutions and their battalions of compliance-conscious personnel in stuffed shirts. The common laments I received were that complying with such requirements would be highly disruptive to the vendor's business, would jeopardize the security of other clients' data in a shared hosting environment, or would reveal sensitive information about the vendor's own security procedures that a hacker could then exploit. "I know it's a lot," I would always tell them, my voice softening in sympathy, "but we are a Bank." (I invested the term with gravitas, hence the capital B.) "These are regulatory requirements." In other words, I'm doing this not because as a lawyer I live to generate verbiage; I'm on a mission from God. The implication for the vendor was that if it couldn't abide by His commands, maybe it shouldn't be pitching services to financial service companies.

Resistance is futile

One answer suggested by some information security professionals is to outsource all collection, hosting and storage of cardholder data to a vendor. If an enterprise has no cardholder data, then PCI DSS does not apply. While compelling in its apparent simplicity, this position does not offer a complete solution. For one thing, there is a chicken-and-egg problem with Requirement 12.8: If a vendor has all of your data, common sense dictates that the need for risk management through due diligence and strong contracts (i.e., asking questions and covering yourself) is greatest. It would be perverse for PCI DSS to enable an enterprise to avoid these responsibilities precisely by moving to the highest-risk point of the outsourcing spectrum and maximizing its dependence on the vendor.

Second, even if this were the case, state data security law increasingly requires organizations to take responsibility for their vendors. California Civil Code Section 1798.81.5 requires a business that discloses information to an unaffiliated third party under a contract to include in the contract language requiring the third party to implement and maintain reasonable security procedures "appropriate to the nature of the information." Finally, regardless of the applicability of PCI DSS or particular state data security statutes, a business that entrusts sensitive personal information to a third-party vendor without due diligence or strong contractual protections is likely to incur grave reputational damage and possible liability to bank card issuers and others in the event of a data breach.

Accordingly, SMBs, like banks, must learn to think of vendor management obligations as fundamentally nondelegable. Therefore, in the second part of this tip, where I outline strategies to manage vendors, I shall assume compliance with PCI DSS Requirement 12.8 is mandatory.

Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at andrew@baerbizlaw.com or @BaerBizLaw on Twitter.