For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third-party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud prevention services—have access to cardholder data or could affect its security. A quick review of recent security alerts regarding remote access tools and news articles regarding attacks on payment card systems highlights the fact that merchants still face the consequences of an account data compromise event even if it was caused by their service provider. Indeed, the contractual obligations merchants take on in order to accept payment cards place the ultimate responsibility for compliance with the Payment Card Industry Data Security Standard (PCI DSS) on the merchant, regardless of whether the merchant handles it entirely on its own, relies on some service providers, or completely outsources all aspects.
Merchants are obligated under PCI DSS Requirement 12.8 to maintain policies and procedures to ensure that service providers are securing cardholder data. And although it is only a “best practice” under PCI DSS 3.0 today, beginning July 2015 merchants will also be required to obtain a written acknowledgement of responsibility for the security of cardholder data from their service providers. But anyone who has gone through several rounds of selecting, vetting, and negotiating contracts with various service providers has likely faced at least one of the following challenges: (1) denial of access to Reports on Compliance; (2) refusal to agree to maintain continuous compliance with PCI DSS; (3) rejection of a demand for indemnification of the merchant if the provider allows unauthorized access to cardholder data; and (4) refusal to permit post-selection auditing. Ensuring compliance with Requirements 12.8 and 12.9 is a difficult task for merchants.