With new PCI DSS compliance requirements due to come into force shortly, as well as regular reports in the press of data security breaches and cyber attacks, now is a good time for customers who outsource payments services to dust off and review their payments related agreements with service providers and shared hosting providers.
PCI DSS is shorthand for the Payment Card Industry Data Security Standard, which is published by the Payment Card Industry Security Standards Council, a global forum set up by five major payments brands – American Express, Discover Financial Services, JCB International, MasterCard and Visa – to develop and maintain payment card security standards.
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data and sensitive authentication data.
>See also: UK payments – succeeding in a changing world
It provides a baseline of technical and operational requirements, which are designed to protect cardholder data through an actionable framework to develop robust payment card data security processes including prevention and of, and response to, security incidents.
For each of the covered entities, the PCI DSS requirements apply to all people, processes, technologies and system components included in, or connected to, the applicable cardholder data environment – not just to the systems that directly handle the card data.
What is changing?
The 30 June milestone represents the last stage of the Payment Card Industry Security Standards Council’s implementation of version 3.0 of PCI DSS, which was published in November 2013. Some of these requirements have been considered as best practice since the start of the year, but which will soon turn into mandatory requirements.
The changes under implementation since the earlier version 2.0 fall into the following categories: clarification; additional guidance and evolving requirement. Many of the changes simply provide clarification and additional guidance, but there are also quite a few ‘evolving requirement’ changes. These are what the PCI Security Standards Council refers to as ‘changes to ensure that the standards are up to date with emerging threats and changes in the market’.
PCI DSS sets out six overarching control objectives, which are then expanded into 12 PCI DSS requirements and corresponding testing procedures: build and maintain a secure network and systems; protect card-holder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain a policy that addresses information security for all personnel.
Merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party providers with access to cardholder data. Parties should clearly identify the services and system components that are included in the scope of the service provider's PCI DSS assessment, the specific PCI DSS requirements covered by the service provider, and any requirements which are the responsibility of the service provider's customers to include in their own PCI DSS reviews. PCI DSS compliance can be validated by completion of self-assessment or by the engagement of a third party.
Any person who undertakes sourcing of credit card information processing or storing will usually be dealing with either a service provider or a shared hosting provider for the purposes of PCI DSS. A shared hosting provider is an entity that produces shared hosting environments for multiple clients on the same server – i.e. it allows its customers to run their own application on a shared platform. Other entities will likely just be considered as a service provider.
Whilst all service providers with access to cardholder data must adhere to PCI DSS, Requirement 2.6 states that shared hosting providers must protect each entity’s hosted environment and data, and must additionally comply with the requirements in Appendix A.
These include ensuring that each entity only runs processes that have access to that entity’s cardholder data environment, restricting each entity’s access and privileges to its own cardholder data environment, providing logging and audit trails, and enabling processes to provide for timely forensic investigation in the event of a compromise.
>See also: Getting ready for a mobile payment world
If a customer proposes to outsource services which involve cardholder data, in addition to contract terms such as warranties, indemnities and liability, some key areas to address in the contract with the service provider include audit and periodic review, monitoring of security controls to promptly restore control failures, system change management, oversight and approval of subcontractors that access and process cardholder data, and compliance with applicable laws, regulations and standards, including PCI DSS.
Customers may require their service provider to comply with other relevant security standards, such as the ISO 27001 information security management standard.
ISO27001 is broader in scope than the PCI DSS, extending beyond payment card processing and applying to businesses in any sector.
Other requirements will include those arising under applicable laws and regulations such as the Payment Services Regulations 2009 (SI 2009/209), which implements the Payment Services Directive (2007/64/EC) in the UK, and the Data Protection Act 1998.
Sourced from Tim Wright, Pillsbury Winthrop Shaw Pittman