Payment Security Third Parties

Payment Security teleconference
Third Party Management
31 January 2014
Michael Christodoulides &
Louise Hunt
All information correct at time of presentation
Introductions
Third Parties / Service Providers / Merchant Agents are integral to the security of the
payment card industry ecosystem. It's Barclaycard's experience that the majority of Merchants
make extensive use of third parties as part of the day to day activities of running their
business.
With the release of version 3.0 of the PCI DSS and the increased interest in the use of verified
PCI DSS compliant service providers, Barclaycard would like to take this opportunity
to walk our customers through some of the issues that can impact a Merchant's PCI DSS
compliance.
Your conference call hosts today are Michael Christodoulides our Payment Security Manager
who specialises in Third Party Risk Management and Louise Hunt a Payment Security Risk
Manager.
Agenda
This teleconference will encompass:
• What is a 3rd Party / TP / Service Provider
• Due diligence when selecting a 3rd Party / TP / Service Provider
• PCI DSS V3.0: Impact to 3rd Parties and Merchants
• Who is responsible for what – it depends, it's your business
• Contracts
• Account Data Compromise responsibilities
• Timescales
• Conclusions and Impact on existing compliance programmes
• Questions and Answers
What is a 3rd Party / TP / Service Provider
In the context of the PCI DSS a service provider is an entity that stores, processes or transmits
payment cardholder data, or has an impact on the security of payment cardholder data.
Examples of service providers can include:
• Payment gateways
• Companies that provide outsourced services
• Web hosting companies
• Web development companies
• Booking agencies
• Payment card aggregators such as Fraud Analysts
• Network and Log management companies
• IT services
• Marketing companies
Due diligence when selecting a 3rd Party /
Service Provider / Merchant Agent
So, from a PCI DSS perspective, how do you select a Service Provider / Third Party?
• First port of call should be the lists run by the Schemes, e.g. the Visa Merchant Agent list or
the MasterCard Service Provider list.
  • www.visamerchantagents.com and www.visamerchantagentslist.com
  • http://www.mastercard.com/us/company/en/docs/SP_Post_List-1-15-14.pdf
But if your preferred supplier is not on these lists then what do you do?
• Obtain their "Report on Compliance" and undertake your due diligence to ensure the services
you will be commissioning are in scope of their assessment.
• No RoC? Then obtain their SAQ and do the same; best to ensure the SAQ is verified by a QSA!
• No SAQ? Then undertake your own due diligence to ensure they can manage your payment
cardholder data securely.
• Encourage (i.e. instruct) your preferred service provider to join the Scheme lists, where it is
appropriate to do so.
Who is responsible for what – it depends, it's
your business
The Merchant is always responsible for securely managing the payment card data
that is entrusted to them by their customers.
The Merchant might decide to delegate operational functions to 3rd parties, and if these
operational functions involve storing, processing or transmitting cardholder data, or
have an impact on the security of cardholder data, then the Merchant should also
ensure that payment card security continues to be managed correctly.
In the event of a data security breach it is always the Merchant who has the
responsibility to close the breach, ensure remediation takes place and pay any fines
imposed as a result of the data security breach.
The costs of selecting the wrong third party quickly mount when things go wrong.
PCI DSS V3.0: Impact to 3rd Parties and
Merchants
PCI DSS V3.0 recognises that the PCI DSS payment card security relationships
between the Merchant and the Third Party have not always been as transparent as they
should be. Too many assumptions on either side about who is responsible for what.
Therefore in PCI DSS V3.0:
• Evolving Requirement: Maintain information about which PCI DSS requirements are
managed by service providers and which are managed by the entity.
• Evolving Requirement: Service providers to acknowledge responsibility for maintaining
applicable PCI DSS requirements. Effective 1 July 2015.
There are new SAQs for PCI DSS V3.0 for E-commerce environments.
Contracts
A few considerations about contracts; I'm not a lawyer, but:
• Ensure your contracts specify PCI DSS responsibilities, not just at a high level but by actual
requirement and sub clause. These might be in an accompanying schedule but they should
form part of the contract.
• Be specific about what happens in the event of a data security breach: who has responsibility
and who pays the bills (e.g. forensics, stop loss, remediation)!
• Include the requirement for an Incident Response plan.
• Include a right of audit/inspection.
• Include the requirement for a RoC or QSA attested SAQ for your scope of work.
• Include the requirement to be compliant with Scheme security bulletins (e.g. the Visa Security
Bulletin concerning Hosted Payment Pages issued April 2010).
• Make the contract future proof: for example, do not get trapped to any one version of the PCI
DSS or associated standards and pronouncements issued by the PCI SSC or other industry
bodies.
Account Data Compromise responsibilities
So when things go wrong it's always the Merchant who foots the bill!
ADC costs include:
• Forensic Investigation/s
• Initial remediation to stop the leak
• Full remediation to become compliant
• Diversion of operational resources from intended business initiatives to zero income
payment card security activities
• Managing customer expectations
• Managing the Media
• Rebuilding confidence in the brand
• Allocating additional budget to payment card security on an on-going basis
• For a copy of our Data Compromise Leaflet, please contact a member of our team at
[email protected]
Timescales
Well, the reality is that you should be using PCI DSS compliant service providers now!
But many organisations have existing contracts that need to be reviewed and
possibly renegotiated, so how long will this take?
It's going to take time and the driver will be PCI DSS V3.0. Therefore:
• Identify all your existing Service Provider contracts and review them for payment security
implications.
• Put written agreements in place where none previously exist.
• Ensure you are using a compliant Service Provider: ask for their RoC and AOC and make sure the
scope covers your business.
• SPs: list with Visa Europe as a Merchant Agent.
• SPs: contact your Bank and obtain sponsorship to list on the MasterCard SP list.
• Use the first half of 2014 to identify and review the services provided by all your providers.
• Use the second half of 2014 to review and, where necessary, renegotiate 3rd Party contracts.
• By June 2015 you must have written agreements that evidence the third party
responsibilities.
Conclusions and Impact on existing
compliance programmes
First make sure you are ready for PCI DSS V3.0 and in particular:
• Review your cardholder data flows to ensure they accurately include third parties and/or
companies that can potentially impact payment card security.
• Review your list of third parties and ensure contracts are appropriate for the services they
provide, provide security to cardholder data and assist the merchant in the event of a
security breach.
• If you are currently assessing with PCI DSS V2.0 then take the opportunity to run a gap
analysis against V3.0.
• Include Scheme listing as part of your compliance programme, e.g. ensuring your third party
is listed on the Visa Europe Merchant Agent List and the MasterCard Service Provider list.
Life is not perfect; if there are problems that we can help with then do speak to us. Here at the
Barclaycard Payment Security Team, we can and want to help: [email protected]
Any Questions?
Find us on YouTube:
Barclaycard Business Solutions Payment Security
www.youtube.com/watch?v=-ngt2buzI7Y
www.youtube.com/watch?v=ucwDxTa-RLI
Awards and credentials
Elected Board member of the Payment Card Industry Security Standards Council (PCI SSC)
Winner of FSTech Awards Compliance Project of the Year 2013
Winner of FSTech Awards Anti-Fraud/Security Strategy of the Year 2013
Winner of Data Security Award, MPE Awards 2012
Winner of Merchant Award, MPE Awards 2012
Winner of Information Security Team of the Year, SC Magazine Europe Awards 2012
Winner of Information Security Team of the Year, SC Magazine Europe Awards 2011
Winner of the Data Security Award, European Card Acquiring Forum (ECAF) Awards 2010