Know Your Customer
There’s an acronym we use in the payments industry: KYC. With KYC, which is Know Your Customer, we’re referring to ISOs’ and acquirers’ need to know the type of business each of their merchants conducts. If due diligence for KYC doesn’t take place, the ISO/acquirer could inadvertently be facilitating money laundering or a number of other illegal activities.
I’d like to suggest a new acronym to go along with the PCI 3.0 SAQs: KYSP or Know Your Service Provider.
As an owner of a business that is subject to the PCI DSS, you must be fully aware of not only who your service providers are, but how they can impact the security of your customers’ credit and debit card information.
Specifically, you should be able to list each of your business’s service providers, affirm the services they provide, and confirm that each provider listed is, in fact, PCI compliant as is required by the PCI DSS.
The PCI Security Standards Council (SSC) takes this topic very seriously. In fact, they formed a related special interest group which just today released Third-Party Security Assurance Guidance.
What is a Service Provider?
The SSC has defined the service provider as follows: A service provider is any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”
Some common examples of service providers include:
- Independent Sales Organizations (ISOs)
- Transaction processors
- Payment gateways
- Web hosting companies
- Managed Security Services Providers (MSSPs)
- Third party marketing firms
- Vendors that perform POS maintenance
It’s important to keep in mind that even when a service provider never directly touches your customers’ card data, its activity can still affect the security of that data. For example, an MSSP that manages your firewall can affect the security of your card data because the firewall rules it maintains are what enforce your network segmentation.
What’s Required for PCI 3.0?
Requirements related to service providers are listed in section 12 of PCI DSS v3.0. All of the requirements in v2.0 have been carried over (and in many cases clarified) for v3.0. In addition, there are three new requirements for the merchant:
- 12.4.1: Information security responsibilities must be assigned such that separation of duties for security functions is maintained.
- 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer’s cardholder data environment on behalf of a customer.
- 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Here is the related question as it will appear in all v3.0 Self-Assessment Questionnaires (SAQs): “Does your company share cardholder data with any third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)?”
If your answer is “Yes,” then you will be asked to provide the “Name of service provider” and “Description of services provided” for each of your business’s service providers. You will also be asked the following: “Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?”
The “entity” here is your business. In essence, the PCI DSS requires that you have a written agreement with all of your business’s service providers. This agreement should include specifics on who is responsible for meeting each PCI DSS requirement for which your business is in scope.
For their part, ISOs and acquirers are telling us that they’re receiving increasing pressure from the payment card brands (Visa, MasterCard, AMEX, etc.) to advise them of the service providers their merchants are using. Within the Visa system, ISOs and acquirers are encouraged to “register” their merchants’ service providers.
Now is a perfect time to begin documenting your service providers in preparation for your business’s annual PCI self-assessment:
- Identify and list each of your business’s service providers;
- Understand and document the ways in which their activity can influence card data security; and
- Establish trusted points of contact with each firm and store written agreements in a common place.
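The three steps above, together with the 12.8.2 written-agreement and 12.8.5 responsibility-matrix requirements discussed earlier, amount to keeping a structured inventory and checking it before each self-assessment. The following script is an added example of such a check; it is not code from the original post or from ControlScan. The provider names, the list of in-scope requirement numbers, the AOC expiry dates and the “as of” date are all constructed sample data, and the choice of which requirements each party manages is illustrative only.

```python
"""Service provider inventory with a PCI DSS responsibility matrix check.

Added example (not from the original post or ControlScan). All provider
names, requirement numbers and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed: a small subset of PCI DSS requirement numbers that this
# hypothetical merchant treats as in scope for its self-assessment.
IN_SCOPE_REQUIREMENTS = ["1.1", "1.2", "3.4", "6.5", "10.2", "11.2", "12.8"]


@dataclass
class ServiceProvider:
    name: str                      # "Name of service provider" (SAQ field)
    services: str                  # "Description of services provided" (SAQ field)
    written_agreement: bool        # 12.8.2 acknowledgement on file?
    aoc_expires: Optional[date]    # expiry of the provider's Attestation of Compliance
    manages: Set[str] = field(default_factory=set)  # requirements the provider owns


@dataclass
class MerchantProgram:
    providers: List[ServiceProvider]
    merchant_manages: Set[str]     # requirements the merchant itself owns

    def responsibility_matrix(self) -> Dict[str, List[str]]:
        """Map each in-scope requirement to the parties responsible for it (12.8.5)."""
        matrix: Dict[str, List[str]] = {req: [] for req in IN_SCOPE_REQUIREMENTS}
        for req in sorted(self.merchant_manages):
            matrix.setdefault(req, []).append("merchant")
        for sp in self.providers:
            for req in sorted(sp.manages):
                matrix.setdefault(req, []).append(sp.name)
        return matrix

    def findings(self, today: date) -> List[str]:
        """Return the gaps an assessor would ask about, as plain strings."""
        issues: List[str] = []
        matrix = self.responsibility_matrix()
        # Every in-scope requirement needs at least one named owner.
        for req in IN_SCOPE_REQUIREMENTS:
            if not matrix[req]:
                issues.append(f"requirement {req} has no assigned owner")
        # Each provider needs a written agreement and current compliance evidence.
        for sp in self.providers:
            if not sp.written_agreement:
                issues.append(f"{sp.name}: no written agreement (12.8.2)")
            if sp.aoc_expires is None:
                issues.append(f"{sp.name}: no Attestation of Compliance on file")
            elif sp.aoc_expires < today:
                issues.append(f"{sp.name}: AOC expired on {sp.aoc_expires.isoformat()}")
        return issues


# Constructed "as of" date for the example run.
EXAMPLE_AS_OF = date(2024, 6, 1)


def example_program() -> MerchantProgram:
    """Constructed inventory: three hypothetical providers plus the merchant."""
    return MerchantProgram(
        providers=[
            ServiceProvider("Example Gateway Inc.", "payment gateway",
                            written_agreement=True, aoc_expires=date(2025, 6, 30),
                            manages={"3.4", "6.5"}),
            ServiceProvider("Example MSSP LLC", "managed firewall / segmentation",
                            written_agreement=True, aoc_expires=date(2024, 1, 15),
                            manages={"1.1", "1.2"}),
            ServiceProvider("Example Hosting Co.", "web hosting",
                            written_agreement=False, aoc_expires=None,
                            manages={"11.2"}),
        ],
        merchant_manages={"12.8"},   # note: nobody has claimed 10.2
    )


def run_example() -> List[str]:
    """Run the check over the constructed inventory and return its findings."""
    return example_program().findings(EXAMPLE_AS_OF)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run as a script, it prints one line per gap: the unowned requirement 10.2, the MSSP’s expired AOC, and the hosting company’s missing agreement and missing AOC. Keeping the inventory as data like this, rather than in prose, means the same file can answer the SAQ’s “name of service provider” and “description of services” questions and back the 12.8.5 responsibility statement.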
Want to learn more about PCI compliance and service providers?
Check out these related PCI Compliance Guide posts as well as the SSC’s newly-issued Third-Party Security Assurance Guidance. And, as always, you’re welcome to give ControlScan a call at 800-825-3301, ext. 2. We are happy to help.