PCI DSS: Can your business outsource its compliance obligations?

02 September 2014

In August the Payment Card Industry Security Standards Council (the PCI Council) published guidance aimed at businesses that engage third party service providers (TPSPs) to store, transmit or otherwise process cardholder data on their behalf.

The guidance sets out common sense steps and best practice relating to the vetting, engagement and management of TPSPs. It is written in plain English and is relatively user-friendly.

The guidance acts as a reminder of a central principle of PCI compliance - the use of TPSPs does not relieve a service recipient business of its PCI DSS compliance obligations.

What is PCI DSS?

In a nutshell, the Payment Card Industry Data Security Standard (PCI DSS) is the globally recognised set of standards to be met by any business that stores, processes or transmits payment cardholder data.

PCI DSS was established and is maintained by the PCI Council which comprises five global payment brands - American Express, MasterCard, Visa Inc, Discover Financial Services and JCB International.

PCI DSS is not law. It is enforced through contractual obligations that flow between the global payment brands, the payment processing banks and ultimately to businesses that store, process or transmit payment cardholder data.

Cardholder data is the data found on a cardholder's card and includes the cardholder's name, the expiration date and the card number.

Why did the PCI Council produce the guidance?

The aim of the guidance is to help businesses to better understand their roles in achieving compliance with PCI DSS where the business's cardholder data will be processed by a TPSP.

The guidance aims to address a common misconception that a business can dispense with its obligations under PCI DSS if it outsources the processing of cardholder data to TPSPs. The PCI Council has responded on this point in a number of materials (including in the FAQs on its website).

The guidance goes further by describing the division of compliance responsibilities between businesses and their TPSPs, and describing in detail the considerations businesses should have in mind in the event they appoint a TPSP to process cardholder data.

What does the guidance say?

The guidance describes best practice for the appointment and management of TPSPs. Much of the guidance describes 'common sense' steps to assist the business in achieving compliance with PCI DSS.

The best practice covers the following areas:

  • Scoping - businesses should seek to determine the scope of the TPSP's involvement with regard to the processing of cardholder data and assess the associated risk.
  • Due Diligence - businesses should undertake due diligence to determine whether the proposed TPSP is appropriate and whether the appointment could negatively impact its PCI DSS compliance.
  • Engaging the TPSP - if a business decides to engage the TPSP, it should define and document its expectations in the service agreement which should also detail the remedies available to the business, should the TPSP fail to comply with its obligations.
  • Monitoring the TPSP - the business will need to monitor its TPSPs in order to comply with its PCI DSS obligations. With this in mind, the guidance suggests that businesses should maintain a TPSP monitoring procedure, and it provides a high-level description of the key components of such a procedure.

The guidance also includes helpful resources including a template roles and responsibilities matrix, describing the key responsibilities to be allocated between a business and its TPSP and which, when populated, can be appended as a schedule to the business's services agreement with the TPSP.

Wider data protection considerations

In recent years it has become clear that being PCI DSS compliant can help a data controller (the person that determines the purpose for which and the manner in which the personal data is processed - often the business service recipient) comply with the Data Protection Act 1998 (the Act).

In 2011, Lush Cosmetics (Lush) signed an undertaking with the Information Commissioner's Office (the UK's data protection authority) following a high profile data breach Lush experienced between October 2010 and January 2011.

Following the ICO's investigation, an ICO representative commented that Lush "failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place".

As part of the undertaking, Lush was required to ensure that all future payments were processed by an external provider compliant with the Payment Card Industry Data Security Standard.

The ICO's statement made it clear that payment processing goes to the heart of data protection compliance for retailers. By referring to PCI DSS in the undertaking, the ICO endorsed PCI DSS as a means of working towards compliance with Principle 7 of the Act - ensuring appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data.

However, being PCI DSS compliant does not guarantee compliance with Principle 7 of the Act, nor does it guarantee that a business's security is impregnable. The high profile and costly data breach experienced by Target in 2013 acts as a reminder that hackers can breach security measures put in place by businesses and service providers that claim to be PCI DSS compliant.

What does this mean for your business?

Firstly, the guidance acts as a reminder that every business that stores, transmits or otherwise processes cardholder data is ultimately responsible for ensuring its own PCI DSS compliance, whether or not a TPSP is involved.

Secondly, the guidance assists businesses that are working towards compliance - it sets a new benchmark for businesses that already have procedures in place and can be used as a framework (albeit only in relation to the engagement of TPSPs) for businesses that are starting from scratch.

Thirdly, being PCI DSS compliant can help businesses that are data controllers establish data protection compliance. However, PCI DSS compliance in itself does not guarantee data protection compliance nor does it eliminate the risk of data compromise.

Finally, by issuing this new guidance the PCI Council has given fair notice of what good practice looks like in relation to the vetting and management of TPSPs. This level of transparency (in what is otherwise a technical and jargon-filled subject matter) puts the onus on businesses to make the relevant adjustments and makes it difficult for non-compliant businesses to plead ignorance.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.