Many organizations outsource work to third parties to meet their business objectives. The objectives vary from simple low-cost labour to risk management practices. Some organizations outsource part of their work while others outsource a major chunk of it.
In this essay, I will cover some aspects of outsourcing payment card related activities. The key focus is a review of the areas to be looked into when payment card related processing is outsourced.
As an Information Security Manager at a bank, I would be concerned about the information security practices of the third party. A key area to look into is the risk posture of the vendor and how it aligns with information security best practices.
Does it have ISO 27001 implemented, and is it managed and reviewed periodically? What is the scope of the ISO 27001 implementation? These are some of the questions to ask to understand whether the vendor is serious about its information security practices.
Coming to the specifics of PCI DSS, section 12.8 of the PCI DSS standard discusses the controls to be implemented when cardholder data is shared with service providers.
12.8.1 requires the organization to maintain a list of all service providers and keep it readily available.
12.8.2 requires the organization to have a written agreement with the vendor, and also requires that the vendor (service provider) acknowledge its responsibility for securing the cardholder data.
This can easily be addressed by adding these clauses to the business agreement or security agreement, which the service provider acknowledges when it signs the agreement.
12.8.3 is more interesting. It requires the organization to have a formal process for engaging service providers, including ensuring due diligence before engaging with the vendor / service provider.
There are many ways of doing this. The best way, in my view, is to check the vendor's compliance with PCI DSS. An easy mechanism is to ask for a copy of the PCI DSS compliance certificate issued to the vendor. In addition, one can also check the PCI Security Standards Council website for a list of active service providers with a good compliance status. In short, it is advisable to make PCI DSS compliance and certification one of the criteria for vendor selection.
12.8.4 is about monitoring the service providers' PCI DSS compliance status. The best mechanism is to include legally binding clauses in the business agreement whereby the vendor is required to communicate its PCI DSS status to the organization whenever that status changes, including renewal, failure to comply, etc.
In addition, the organization shall periodically check the status of the service provider on the PCI Security Standards Council website to validate it.
If these requirements are met, the organization can outsource payment card related activities while ensuring compliance with the PCI DSS standard. A key advantage, in addition to low-cost labour, is the transfer of risk to a third party.