advertisement
advertisement

Double-Check Your PCI Service Provider Contract

Written by Walter Conway
July 28th, 2010
Have you read your contracts with all your PCI service providers lately? These are the third parties that store, process or transmit cardholder data for you. PCI Columnist Walter Conway thinks you should check your contracts to know whether your service providers are doing all they can to help you become PCI compliant. He is specifically thinking about one particular PCI Requirement.

That Requirement is 12.8.2, which states that merchants need to "maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess." Some disappointing service providers seem to treat this requirement as an annoying inconvenience. They either pretend it does not exist or isn't their problem. The result is that you, the retailer, are caught in the lurch.

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Pages: 1 2

Posted in E-Commerce, In-Store, Payment Systems, Premium Content, Security/Fraud
advertisement

4 Comments | Read Double-Check Your PCI Service Provider Contract

  1. PCI Guy Says:
    July 28th, 2010 at 3:44 pm

    Another important question is: Who will be liable if the service provider’s system is breached, or if the software or systems provided to the merchant contain vulnerabilities that enabled a breach?

    In almost ever case, it is the merchant who will be held responsible by the acquirer and card brands, because those parties have no contractual relationship with the service provider. In theory, the merchant might be able to file a claim against the service provider, but many service providers require merchants to waive the right to such claims. Some even require merchants to indemnify the service provider against claims from third parties (i.e cardholders and acquirers).

    Even assuming the merchant did sue, and win, it would probably be a hollow victory: Most service providers lack sufficient resources to pay tens of millions of dollars (or more) in claims that could be made against them by the hundreds or thousands of merchants they service.

    Using a service provider does not automatically provide a merchant with a “free pass” to avoid liability, regardless of what the merchant’s agreement with the service provider might state.

  2. pcidssguy Says:
    July 29th, 2010 at 7:23 am

    I believe we need better consistency use of the term service provider. I’m familiar with QSAs and CIOs who expand the definition beyond storing, processing and transmitting cardholder data to anyone who accesses the cardholder environment. This wider net catches those who provide remote help desk support, on-site PC technicians and more. There doesn’t seem to be any issue having these entities agree to 12.8.2; however, enforcing strict interpretation of 12.8.4 – “maintain a program to monitor service providers’ PCI-DSS compliance status” – is tough. I don’t believe the PCI-SSC will process a ROC for Jim’s PC Rescue in Butte, Montana. Apologies if you’re a computer tech in Butte. Hopefully, the merchants controls limit risk from these other groups, but it seems that we need better tools and processes to help both the merchants and the vendors maintain secure operations.

  3. Chris Says:
    July 29th, 2010 at 7:48 pm

    This is a very timely article for me. I work in franchise/independent dealer model. Some our our retailers have seen advertisements from LogMeIn (web based remote control software) that suggests PCI compliance is no problem. However, upon contacting them about 12.8.2, we’ve learned they’re unable/unwilling to agree. Hence, not really PCI compliant as far as our QSA is concerned. It’s confusing to our retailers who see the ads for this and other software and then challenge us on why they can’t use the solutions. This article helps provide some “evidence” to our customers regarding this situation.

  4. Walt Conway Says:
    July 29th, 2010 at 8:57 pm

    @ PCI Guy and Chris,

    Many thanks for your comments (and sympathies, Chris, for your plight!).

    My recommendations to my clients is that their vendor “agreement” have at least the following points:

    • They attest that they are responsible for maintaining their compliance with all applicable payment card association rules including PCI DSS. (This can also help you meet 12.8.4.)

    • They accept responsibility for the security of all payment card data (as defined in the PCI DSS) in its possession.

    • They will notify you within _____ hours if they have a data breach (e.g. within 24 or 48 hours; I like 24).

    • They are responsible for 100% of any financial fines, penalties, and costs if they are solely responsible for a breach.

    Now, to be fair, they will want some commitment from you that you will follow all your security policies, update your systems and links to them as appropriate, that you will remain PCI compliant, too, and that you report any problems immediately.

    Maybe these can address some of the issues raised.

    I find it interesting that the Council changed the requirement from a “contract” to an “agreement” with version 1.2. This gives you and your service provider some room, although not being a lawyer I won’t pretend to comment on the difference between the two. What you want, though, is the service provider’s commitment in writing by a responsible officer of the company.

Leave a Reply

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.
advertisement

Most Recent Comments

"Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?" -Ed

The Backward World Of Loyalty: "I'd Like A VCR, A Wired Phone and a Plastic Loyalty Card, Please"

Walt Conway
The common thread in each case is immediacy. I carry no additional plastic in my wallet I can avoid. Then again, I'm not a typical consumer so maybe others have different experiences as retailers or consumers. Read more...
Omar Iftikhar
Loyalty should be the main driver for all your targeted services and promotions. Not a lot of retailers do that very well. The best at it in my experience is Best Buy. Being part of their Rewards Zone not only automatically assigns the points to your purchase, but also sends you an electronic copy of your receipt, and any follow up coupons and specials. Read more...

Neiman Marcus Goes Down, But Only For A Special Few

Steven P
We insist our staff check all changes (how ever small) on all the popular browsers. Its something we'd recommend to everyone. Read more...

The Never-Ending Dance Of Contactless Security

ed
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required? Read more...

Home Depot's Try At Not Shutting Down Completely Leaves Customers Running In Circles

Bill N
This is SO Home Depot -- a lack of vigor resulting in rookie mistakes. I see it all the time in the stores. Read more...

MasterCard Pushing EMV PIN. Visa? Not So Much

James L.
When our company switched from AmEx to MC for business travel expenses, I thought we finally had the opportunity for chip/PIN & signature cards to facilitate the travel in Europe. "They're not available in the US yet", I was told by the bank representative who conducted the training on the new related expense reporting website. It was interesting to see that the chip card with mag stripe was available to my colleages in Canada. I thought the idea with chip & signature was to allow its use in both US & EU markets. One card - dual authorization methods. Read more...
Dan
I want Chip & PIN. With Chip & Signature, sure it has a an EMV chip, but then a fraudster could just steal my card, run it through the chip reader and then sign my name. The PIN adds an extra layer of security as only I (should) know it. At the very least, I would like to see a dual method wherein if the US insists on using Chip & Signature, our cards would work as Chip & PIN in countries where that is the norm. I am just sick of this back and forth. America needs to get off its high horse and comply with the world payment standards. Visa says Chip & Signature, MasterCard wants Chip & PIN and then Amex is mysteriously quiet. All of this talk....the government, banks, acquiring banks and card networks need to work together to make it affordable and easy to fast track EMV. Read more...

In The Security Vs. Compliance Battle Of The Mind, Security Is Winning

Andrew Jamieson
I think that this has the potential to provide a terrific win for the merchants in scope for these sorts of systems, and also to the security posture of payments as a whole - exactly because it should ensure that people who know what they are doing are the only ones involved in the details. Read more...

Guess CIO On iPad Trial: "This Is The Consumerization Of IT."

John Pruban
Because Apple provides little support at the enterprise level, it is interesting to watch the struggles as retailers implement. In Mike's case, he talks at great length about the augmentation of the customer experience. The biggest hole we see retailers struggle with here is basic wireless coverage. The experience goes bad quickly if, while your walking around, you get into the middle of a function and can't recover. Read more...

Brook
This phone is not "from Verizon". The operating system was written by Google. The hardware was manufactured by Samsung. The reason a person might buy such a device is to run Android software. Verizon is just the service provider that links the device to the telephone backbone and the Internet. Verizon has no right to tell users what software they can or cannot run on their devices. And "Google Wallet" or Verizon's (vaporware so far) competing product should be treated as just what they are: software. The users should be able to download and install their own choice. Read more...

Macy's In Australia: No, John, It's Not All Thanks To eBay

Ric
John Donahoe is so anxious to impress his Wall Street Masters that it comes as no surprise he exaggerated and got the facts wrong during the conference call. Read more...

In Theory, E-Commerce Sites Are Way Too Slow. But Do Customers Care?

Jason Goldberg
I love it when the data in vendor studies directly contradicts the conclusion, and thanks for calling it out. In the case of page load speed, while I am skeptical of the urban legends quantifying the effect of page load (1 conversion drop per 100ms, etc...), I have seen a number of first hand examples of improved performance directly improving bounce rate and conversion. So my own experience tells me that speed is an important factor in customer experience. I just don't believe it can be reduced to a simple equation. Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.