Many service providers say they are PCI compliant, and they very well could be, but don’t let that give you a false sense of security. Hearing “we’re PCI compliant” should prompt you to ask additional questions to determine what their compliance does—and doesn’t—mean to you.
Here are 5 important questions you should ask upon hearing “We’re PCI compliant”:
- Did the service provider self-attest to their compliance, or has their compliance been attested to by a third-party Qualified Security Assessor (QSA) in a Report on Compliance (RoC)?
- Does their PCI compliance extend beyond physical security?
- Does their PCI compliance extend beyond their infrastructure? For example, does it address the specific services your business is consuming?
- If the service provider is a hosting provider, does their compliance extend into the customer environment? For example, in a Platform as a Service (PaaS) configuration, are you as a customer responsible for device hardening, patching and scanning?
- Does the service provider maintain a written Responsibility Matrix to allow for easy identification of their customers’ responsibilities?
Additional Tips and Best Practices
Up-front due diligence will help ensure that the organization supporting your business is trustworthy and secure. Don’t wait until after you have granted them access to your systems to find out that they are not.
In the following video I share additional tips and best practices for data security and vendor management. Take a look…