As a part of your business operations, do you accept credit card payments? Have you looked at the PCI DSS and thought ‘that’s a lot of stuff to do’? Have you outsourced PCI DSS responsibility to a third party payment processor in order to be PCI DSS compliant? Do you own the Merchant ID that payments are processed under?
If you answered yes to the questions above, I’ve got one more question for you…
May I see your PCI DSS Attestation of Compliance?
There’s an often-overlooked fact about engaging with a service provider: they cannot be used as a way to avoid the task of attesting to PCI DSS compliance within your business. If you own a merchant ID, you must complete a PCI DSS Attestation of Compliance. These misconceptions and common issues we see when it comes to the PCI DSS are part of our ongoing blog series, “Common Misconceptions around the Payment Card Industry Data Security Standard (PCI DSS)”. In this post, we’ll discuss areas to be aware of when engaging with a service provider. Also see the blog post “Controlling Inbound and Outbound Traffic Flow in an Azure-based Cardholder Data Environment” for examples of deploying vendor services in a PCI DSS-compliant environment.
“The Vendor is PCI compliant”
When a vendor says they are PCI DSS compliant, it means that they have validated that all of their own internal PCI DSS controls are compliant, and they can provide you with their own PCI DSS Attestation of Compliance (AoC) to that effect. It does not mean that you are also PCI DSS compliant by association.
You can engage a vendor to provide a solution to help meet a requirement, or several requirements, but you are still responsible for how compliance with that requirement is met for your merchant ID. A vendor you engage should also provide you with a “demarcation of responsibilities” statement, which defines which controls they will assume responsibility for, which ones you will still need to meet on your own, and which ones you will be jointly responsible for.
The Claims, and the Truth
You may hear claims from vendors, saying they can help achieve some of the following goals:
- We can remove PCI DSS responsibilities from your environment
- We provide an all-in-one PCI DSS certified solution
- We take care of PCI DSS compliance for your business
While these statements do have some level of truth to them in many cases, they may also be misleading. On reading these statements, a customer may believe that PCI DSS compliance will no longer be an issue they need to deal with once they sign on the dotted line. This is rarely the case, so it is important to understand what can and cannot be achieved by engaging a third party.
So how do you figure out which service providers will truly provide value as you continue to achieve PCI DSS compliance? Here are a few areas you should look out for, to make sure you’re engaging with a vendor who understands what ‘PCI DSS Compliant’ means.
- Look for vendors on the Visa Global Registry. Vendors who make it onto the Visa list have been held to a higher standard of process compliance. Additionally, the list will state what services they have been assessed against, and those particular features are the only services considered by Visa to be PCI DSS compliant. Any service the vendor provides outside of the services listed may not meet PCI DSS compliance requirements.
- Talk to the vendor. Engage with the vendor to better understand the solution they offer, and exactly what PCI DSS controls their service will help you maintain. Remember, even if you fully outsource your payment solution, there may still be some business processes that bring parts of your environment into scope.
Once you’ve selected a vendor and have begun to use their services, you should continue to reach out to the vendor to ensure they are maintaining the proper certifications and documentation. Those items should include:
- A control responsibility matrix or demarcation of responsibilities.
- A PCI DSS Attestation of Compliance performed within the last year and against the most recent version of the standard.
Vendors should provide a control responsibility matrix to confirm which controls they maintain on your behalf as a PCI DSS compliant service provider, versus the controls your organization still needs to maintain. This removes a lot of the fuzziness around ‘is the vendor handling this’ or ‘are we covered because we use…’, and provides a clear picture of what controls are left for your organization to maintain.
Additionally, ensure you are receiving their PCI DSS Attestation of Compliance (AoC) on an annual basis. Note that this is the full attestation, not a certificate image file saying they’re compliant. The full AoC will help you confirm that they are attesting to the latest version of the PCI DSS, that a reputable company performed the assessment, and that the vendor has maintained PCI DSS compliance with any changes to the standard that may have been introduced over the past year.
While there are solutions out there that will claim to remove all PCI DSS responsibility from your organization, this is simply not possible when you are considered the owner of the merchant ID used to process payments. If the vendor says that you don’t need PCI DSS documentation, or they can’t/won’t provide their own compliance attestation to you, then you should probably continue your vendor selection process.
With a bit of research on the front end, combined with engagement of a service provider who continues to maintain compliance, the management of PCI DSS compliance within your organization can be dramatically simplified and streamlined.
Part 2 of this topic will be coming up next, and we will dive into a breakdown of some common service provider engagement levels, and PCI DSS considerations at each level.