Many organizations are under the impression that if they outsource their credit card transactions, then they are not responsible for their PCI compliance. While this may minimize the scope of the PCI environment, it does not alleviate the responsibility for their PCI compliance.
Outsourcing credit card transactions may be a good business decision, assuming the organization has done its homework in choosing a vendor that can demonstrate its PCI compliance and security prowess. Doing so can remove much of the organization’s internal network from PCI requirements such as data encryption and vulnerability scanning. There will usually still be areas within the organization that fall within scope, such as the point of card scanning. For example, the policies for handling the cards at swipe time will still need to be in place. In addition, the merchant may need to prove that the vendor has the appropriate policies and controls during its audit or when completing its Self-Assessment Questionnaires.
Let’s look at a hypothetical scenario: A merchant has outsourced their credit card transactions. Now the vendor to which they outsourced is compromised and credit card numbers have been lost. Who will the bank and card companies look to when imposing fines? Who will the card companies look to when recouping the cost of replacing the cards for their customers? Who will be the defendant in the lawsuits the card holders bring? Who will lose the confidence of those customers and of potential future customers?
Companies need to do their due diligence to ensure their business partners and outsourced providers are meeting compliance and regulatory requirements. They need to stay abreast of the regulations and take the time to understand the specifics of where they are and are not responsible. Their management and legal team need to stay involved, ensuring their business and technical partners have their best interest in mind. A third-party vendor assessment is one way to be assured that their partners are meeting their requirements. Also, companies need to conduct a periodic formal gap assessment to make sure all regulatory requirements are being addressed and updated on a regular basis.
Dennis Thrift is Product Champion – Compliance & Risk at Zensar and Tim Trow is Senior Security Consultant at Zensar