In the age of digital commerce, more businesses are using third parties to manage operations, increasing the risk to any payments data they handle, says the Payment Card Industry Security Standards Council.
The council, which includes the major card brands and other global payment industry stakeholders, on August 7 published new guidance describing how organizations and business partners can secure card data in situations where multiple parties handle sensitive card data.
These relationships necessitate a clear plan of responsibility and expectations for data integrity that the business or merchant must communicate to the outsource partner, said Troy Leach, chief technology officer for the PCI Security Standards Council.
"The ecosystem is more complicated with alternative payments; we're seeing more use of options such as software-as-a-service to deliver technology," Leach said. "Merchants have to go in with their eyes wide open to see what security will be covered by the third party."
The new guidance states that when a merchant shares cardholder data with a third-party service provider, requirements must be in place that ensure continuity of data protection. PCI has published a supplement to help produce a third-party assurance program, addressing due diligence steps and risk assessments.
"There is a need for education that shows that security is a shared responsibility," Leach said. "There needs to be a way to manage and monitor the progress of the third parties in data protection."
Organizations should also ensure consistent processes for engaging third parties that include setting expectations, a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements. PCI also recommends developing agreements, policies and procedures that consider common issues that may arise from the outsourcing relationship.
"When there is a breach, one of the things we've seen is there is a miscommunication of the scope of the responsibility," Leach said, adding that the service provider was not aware that the merchant was relying on them to adhere to specific data protection practices.
Target Corp. attributed last year's massive data breach to a third-party relationship, but the new PCI guidance is not a response to that incident, Leach said, noting that work on the third-party data protection guidance began before the disclosures by Target and other retailers. However, breaches involving service providers could have been mitigated, or made more transparent, if the new controls and standards had been used, Leach said.
"More startups are entering the payments space, particularly around mobile and digital payments," said Nathalie Reinelt, an analyst at Aite Group. "It just makes sense to ensure these smaller organizations are adhering to the same data protection standards as merchants and traditional payment services firms."
While many of the startups are coming up with creative ways to process payments and reduce costs, merchants and business partners also need confirmation that the startups are investing in data security, Reinelt said. "When a breach occurs, it's the merchant's brand that is tarnished the most."