How About A Little Service Provider Responsibility Here, PCI-Wise?
Written by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Among all of the PCI requirements, there is one that reflects a fundamental imbalance. That requirement is 12.8.2, which requires all merchants to: “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” This is a great requirement, but it places the entire burden on the merchant. Where is the corresponding requirement that a service provider actually agrees to deliver that written acknowledgement?
This situation can be addressed with one simple addition to 12.8.2, applying to service providers only: wording that requires a service provider to deliver this “acknowledgement” to its customers in writing.
Have more PCI phrasings you want changed? You now have your chance. The good news is that you still have time, although not much. Participating Organizations now have until April 15 to submit up to five ideas for improving PCI DSS (as well as PA-DSS). Therefore, your first step is to speak to the PCI contact within your company and see what feedback she/he is preparing.
Depending on what you learn, you may want to consider the following suggestions. I’ve based them on issues I see at retailers and other merchants. I hope the suggestions stimulate some thinking about what changes retailers want and need to see in the upcoming revisions to PCI.
Participating Organizations can make as many as five comments. The comments may:
- Request clarification of a particular PCI requirement or testing procedure.
- Request additional guidance on how to meet a requirement.
- Suggest a change to an existing requirement or testing procedure.
- Offer a completely new PCI requirement.
- Provide feedback to the PCI Council on just about any topic without necessarily requesting any changes.
Let’s take them one at a time.
My nominee for requesting clarification is: At what point does a system reseller or integrator become a PCI service provider? I’ve written about how PCI pretty much ignores system resellers and integrators, even though they play a crucial role in many retailers’ POS implementations. In many cases, the reseller/integrator’s work includes configuring firewalls, changing default passwords and performing other security-related functions. When they do this, a retailer (or its QSA) could reasonably view the reseller/integrator as a PCI service provider, because the reseller/integrator’s actions directly affect the security of every transaction.