Third-party risk is major, but there is a roadmap to safety
Third-party partnerships expose payment and fintech businesses to substantial risk, but several concrete steps make that risk manageable and reduce the chance that an attack routed through a partner succeeds.
Collaboration with third parties is vital in every industry, so mitigating the associated risk should be one of a company's top priorities.
Doing so lets every company involved pursue a safe and beneficial partnership, and meet its goals, without the relationship itself becoming the weak point.
The PCI SSC's Information Supplement: Third-Party Security Assurance sets out a four-step guide for businesses managing their third-party service providers. The guide is designed to be applied throughout the lifecycle of the relationship, not just at onboarding.
Due diligence. This includes determining the scope of the services provided and conducting due diligence on the prospective partner. Guidelines cover investigating the financial stability of the partner, its reputation, experience in providing the proposed services and so on, as with any tender.
Organizations should also conduct a risk assessment to understand the level of risk involved in engaging the partner and to decide which mitigating controls are needed. Areas to assess include security governance, physical security, access authorization, incident response, malware protection, segregation of environments and data, and the partner's security controls generally.
Engagement. Setting expectations, being clear on roles and responsibilities, and communicating effectively are the basis for good risk management throughout the engagement. At this stage organizations may also need to request evidence of the third party's PCI DSS compliance and information on which of the requirements it covers.
Written agreements, policies and procedures. Document agreements with third parties in writing. This seems obvious, but organizations have run into difficulty when a third party outsourced services it had agreed to provide. The risk from these nested or downstream relationships is hard to control, especially when your organization does not know they exist, so agreements should require the third party to disclose any subcontractors and to pass the same obligations down to them.
Evaluate all national, state and industry-specific requirements that may apply. Include specific provisions around breach notification, termination of contract, post-termination considerations and what happens if the third party loses their PCI DSS compliance status.
Maintaining relationships and monitoring. Third-party relationships can carry significant risk, so dedicate sufficient resources across your organization to managing them. This involves almost every function of the organization: legal, finance and IT, as well as front-line risk management and procurement.
Establish and maintain a program for monitoring each third party's ongoing PCI DSS compliance, and hold regular reviews with them. Share business plans and changes in strategic direction, and encourage them to do likewise, since a change on either side can alter the scope of the services and the risk they carry.