PCI Compliance and the Service Provider

February 26, 2013 • Category: PCI 101

Why Merchant Service Providers Must Commit to Stronger Security

The complementary growth in cloud-based services such as data hosting and payment processing has created a new breed of service provider. These service providers and their systems interact with sensitive data from a variety of business entities, including merchants who accept electronic payments.

Today, even the smallest businesses are internet dependent, as the ability to pass information “through the cloud” becomes increasingly desirable.

The business models and applications that support online and mobile payment transactions require a high level of security in order to earn consumer trust. Merchant service providers must demonstrate an equally strong commitment to security when approaching a new client opportunity. In fact, demonstrated compliance with established security standards is often what sets a service provider apart from its competition.

Are You a Service Provider?

Not all organizations recognize their active role as a service provider, and this lack of awareness puts their business—and their customers’ businesses—at risk. Even if your business operates primarily as a merchant, acknowledging any and all service provider components will enable you to take a holistic view of your scope of compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The following is the PCI Security Standards Council (SSC) definition of a service provider:

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. (Source: www.pcisecuritystandards.org)

The “merchant as a service provider” role is further specified by the PCI SSC as “a merchant that accepts payment cards as payment for goods and/or services…if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.”

Service provider examples include data destruction entities, firms that provide managed security services, and outsourced application development firms. Another good example of the above described scenario is Mountain Media, a comprehensive ecommerce provider that develops and implements search-engine-friendly websites which also employ the company’s ecommerce software solution, Mountain Commerce. As an ecommerce solution and payment gateway provider, Mountain Media is subject to the PCI DSS for Level 1 Service Providers.

Demonstrating Your Commitment to Security

If your organization operates as a service provider, you may want to consider the business value of completing a PCI Level 1 assessment, effectively validating your organization’s PCI compliance status utilizing a Qualified Security Assessor (QSA). Even if your business is not subject to Level 1 Service Provider requirements, validated compliance via a QSA assessment demonstrates a strong security posture and dedication to information security to your clients. And, as mentioned, businesses exhibiting a solid security posture are often seen as one step ahead of their competition, resulting in more significant business opportunities.

Software application developer Velocitor Solutions realized many benefits from achieving Level 1 Service Provider PCI compliance, even though they weren’t technically subject to the requirement. Specializing in the design, development and deployment of mobile and wireless software solutions, the company was no stranger to network and data security; however, as field-based payment activities became more prevalent, an increasing number of clients began asking about PCI DSS compliance.

With the help of a PCI Qualified Security Assessor (QSA), Velocitor took a fresh look at its network environment and development processes from a data security perspective. The company assigned and applied new controls across its business environment, building awareness and enforcing discipline across the organization. With a formal PCI assessment of its business and software application development standards under its belt—and a formal Report on Compliance (RoC) to prove it—Velocitor now has a feather in its cap when being evaluated by prospective clients. Read the full success story to learn more about how Velocitor Solutions successfully (and strategically) addressed their service provider status.

Getting Started

By validating and maintaining Level 1 Service Provider PCI Compliance, your organization, your customers—and, yes, your customers’ customers—directly benefit. Your organization’s PCI compliance means that the businesses your company serves are more secure and their process of validating and maintaining PCI compliance is also simplified. With a strong chain of PCI compliance in place, the end consumer’s payment information is significantly more secure than if there were a missing link in that chain.

If your company is serving as a merchant service provider, now is the time to evaluate and respond to your PCI-related obligations. The initial investment you make toward compliance will generate additional trust, rewarding your business with new and repeat opportunities. What’s more, your business will have important safeguards in place to protect the payment data it handles from hackers and data thieves.

Have questions regarding your PCI responsibility?

The security professionals at ControlScan are also available and happy to help answer additional questions you may have.

Subscribe to this blog for additional tips and webinar announcements.

One thought on “PCI Compliance and the Service Provider”

  1. The PCI Security Standards Council definition of a Service Provider needs to be updated, and a separate definition established for Managed Services Provider, those entities who deliver various services to a Merchant but who do not transmit/receive, process or store cardholder or credit card transaction data in the performance of those services. Rather, the MSP only has remote access to systems and infrastructure within the Merchant’s environment that does transmit/receive, process or store cardholder or credit card transaction data, and therefore many of the PCI-DSS controls do not apply. Further, the PCI SAQ needs to be updated to have a section dedicated to MSPs rather than having to designate many of the controls applicable to the current definition of Service Provider as N/A and then having to provide a reason for each.

    I brought this same issue to the PCI Security Standards Council in 2013 but received back a less than satisfactory response.
