Earlier this month the PCI Security Standards Council, an organization responsible for maintaining best-practice standards in the industry, released new guidance meant to protect private consumer information as it is handled by third-party service providers. The document, written with input from 160 organizations, is meant to be a supplement for the PCI DSS requirements already in use, and defines a third-party service provider as a "business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data."
Troy Leach, CTO for the PCI Security Standards Council, told SCmagazine that this is a timely publication because an increasing number of businesses are electing to employ third-party service providers to handle transactional data, a practice considerably invigorated by the advent of cloud computing. He says, "One goal [of the supplement] was to detail scope, as that continues to be one of the most difficult things for merchants – to figure out where their payment card data is."
The report recommends that companies thoroughly research third-party providers before entering into a contract, taking special note of the technologies and locations a provider uses. It is also wise to monitor a provider's practices on an ongoing basis, making sure the provider remains conscious of its PCI DSS requirements. Most importantly, the document recommends that once an agreement is reached, a written contract committing the provider to full compliance with industry regulation be formally signed by both parties.
Finally, businesses should clarify in advance how cardholder information will be securely deleted if the contract is terminated.
A third-party service provider is often a good idea, simplifying a company's operations and bringing industry expertise to the table. However, it remains the primary business's responsibility to ensure its clients are protected. Third parties should therefore be rigorously vetted and monitored for the safety of all card-holding clients.