Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is becoming a major headache for millions of business that up to now were
oblivious. PCI DSS compliance is required by payment card associations, acquiring banks and, in Nevada, by statute. In all of the hullabaloo over encryption and other expensive IT upgrades, one of the PCI DSS requirements that has not received much attention is the implementation of due diligence, contracting and compliance monitoring procedures to manage service providers with whom cardholder data is shared. For some businesses, that will require an attitude adjustment.
PCI DSS Requirement 12.8 requires that if cardholder data is shared with service providers, an organization must implement and maintain policies and procedures to manage them. These policies and procedures must include, at a minimum, the following:
- Maintaining a list of service providers.
- Maintaining a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data in their possession.
- Having an established process for engaging service providers, which must include "proper" due diligence prior to engagement.
- Maintaining a program to monitor the PCI DSS compliance status of service providers.
We are all banks now
With the advent of PCI DSS and its expansion to millions of small and medium-sized businesses (SMBs), we are all banks now. SMBs that were used to purchasing outsourced IT and transaction solutions quickly, with minimal due diligence and no lengthy contractual negotiations, will now have to emulate the vendor contracting and management procedures of financial services companies and large businesses. Many of these SMBs do not even have a chief technology or information security officer. How, then, can they achieve compliance?
Being required to exercise responsibility for the data security practices of third-party service providers via preselection due diligence, contractual protections and ongoing monitoring is old hat for financial services companies. Supervising regulators have imposed these standards to financial services for years. For example, as far back as 2001, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, jointly issued by the federal banking agencies to implement the Gramm-Leach-Bliley Act, required such an approach. The individual agencies have consistently adhered to it in their more recent pronouncements, such as the Federal Deposit Insurance Corp.'s (FDIC) Guidance for Managing Third-Party Risk issued in June 2008.
In my former role as in-house technology counsel for a bank regulated by the FDIC, I worked with the bank's information security officer, IT department and vendor management group in a talmudic exercise to parse all of these documents and translate their compliance mandate into a living, functional process. The result was a holistic vendor management program under which vendor relationships were assigned a risk rating at the due diligence stage of the relationship. For instance, possession of highly sensitive nonpublic personal information such as names combined with account or Social Security numbers would bump a potential relationship to the highest position on the risk scale. If a relationship was classified as high risk, the vendor was required to provide detailed financial, IT, security, operational and business continuity information; allow our team to visit its data center; and sign a contract that contained robust and detailed data security covenants, requirements for the vendor's continuing cooperation with periodic audits and ongoing monitoring during the course of the relationship.
The audit and monitoring clauses of these contracts were often hotly negotiated, especially by vendors in the e-commerce space whose typical clients were fast-moving Web startups. Such clients were not used to regulated financial institutions and their battalions of compliance-conscious personnel in stuffed shirts. The common laments I received were that complying with such requirements would be highly disruptive to the vendor's business, would jeopardize the security of other clients' data in a shared hosting environment, or would reveal sensitive information about the vendor's own security procedures that a hacker could then exploit. "I know it's a lot," I would always tell them, my voice softening in sympathy, "but we are a Bank." (I invested the term with gravitas, hence the capital B.) "These are regulatory requirements." In other words, I'm doing this not because as a lawyer I live to generate verbiage; I'm on a mission from God. The implication for the vendor was that if it couldn't abide by His commands, maybe it shouldn't be pitching services to financial service companies.
Resistance is futile
One answer suggested by some information security professionals is to outsource all collection, hosting and storage of cardholder data to a vendor. If an enterprise has no cardholder data, then PCI DSS does not apply. While compelling in its apparent simplicity, this position does not offer a complete solution. For one thing, there is a chicken-and-egg problem with Requirement 12.8: If a vendor has all of your data, common sense dictates that the need for risk management through due diligence and strong contracts (i.e., asking questions and covering yourself) is greatest. It would be perverse for PCI DSS to enable an enterprise to avoid these responsibilities precisely by moving to the highest-risk point of the outsourcing spectrum and maximizing its dependence on the vendor.
Secondly, even if this were the case, state data security law is increasingly requiring organizations to take responsibility for their vendors. California Civil Code Section 1798.81.5 requires a business that discloses information to an unaffiliated third party under a contract to include in the contract language that requires the third party to implement and maintain reasonable security procedures "appropriate to the nature of the information." Finally, regardless of the applicability of PCI DSS or particular state data security statutes, a business that entrusts sensitive personal information to a third-party vendor without due diligence or strong contractual protections is likely to incur grave reputational damage and possible liability to bank card issuers and others in the event of a data breach.
Accordingly, SMBs, like banks, must learn to think of vendor management obligations as fundamentally nondelegable. Therefore, in the second part of this tip, where I outline strategies to manage vendors, I shall assume compliance with PCI DSS Requirement 12.8 is mandatory.
Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at firstname.lastname@example.org or @BaerBizLaw on Twitter.
This was first published in August 2009