Double-Check Your PCI Service Provider Contract

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Have you read your contracts with all your PCI service providers lately? These are the third parties that store, process or transmit cardholder data for you. I think you should check your contracts to know whether your service providers are doing all they can to help you become PCI compliant. I am thinking specifically about one particular PCI Requirement.

That Requirement is 12.8.2, which states that merchants need to "maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess." Some disappointing service providers seem to treat this requirement as an annoying inconvenience. They either pretend it does not exist or claim it isn't their problem. The result is that you, the retailer, are left in the lurch.

If your contracts do not address this Requirement specifically, your service providers are not doing all they should be doing to help you be PCI compliant. As a retail CIO, this oversight means you have to do more work to become compliant and, what may be worse in this time of tight budgets, you are not getting all you are paying for.

I would like to compliment those many PCI service providers that are not just compliant themselves but actually help their customers become PCI compliant. These organizations acknowledge in writing that they are responsible for protecting their clients' cardholder data. Let me give you one example.

This Level 1 service provider offers the following wording in its contract: Service provider "is responsible for the security of credit card information in its possession." That is succinct, and in this QSA's opinion, it addresses 12.8.2 pretty directly. Then, for good measure, the provider calls out the actual PCI Requirement and adds: Service provider agrees "to maintain proper security and responsibility for cardholder data while it is in its possession."

This service provider and all the others that take this responsibility merit a gold star. Sadly, I can't give a gold star to every service provider I've seen.

Compare the response above to what I read from another service provider. This one's marketing materials note how secure it is and then describes all the great ways the provider helps its merchants maintain PCI compliance. When asked to acknowledge its responsibilities under 12.8.2, this provider sent the following E-mail to its customer: Service provider "is not able to meet that request."

That one sentence was the complete response. No offer to talk about it was made, nor was there room for negotiation. I guess the reply meets my succinctness test, but it is an epic FAIL as far as PCI is concerned. This service provider's position is unacceptable.

Equally unacceptable is a service provider that simply refers its customers to the lists maintained online by Visa and MasterCard. Being on the list is a good first step, but it is not the same as committing to protect the data in the provider's possession. How is a retailer supposed to be PCI compliant if Requirement 12.8.2 is not in place? I'm not sure the service provider in this case qualifies as a "lying vendor," because it may well be secure, but it sure is a disappointing vendor.

Based on my experience, many merchants encounter some level of resistance when it comes to asking their service providers to acknowledge their responsibility to protect the cardholder data they possess. I can think of two possible solutions the PCI Council can take to address this situation.

One option would be to add a PCI Requirement just for service providers to require that they include the language in their contracts. The additional requirements for shared hosting providers (Appendix A of the PCI-DSS) form a good precedent for such a service-provider-only requirement.

Alternatively, the PCI Council could make a single addition to the Attestation of Compliance (AOC) for Service Providers (Appendix E) to include an item noting whether the 12.8.2 contract language is provided to their merchants. This item would fit nicely in Section 3, and it would only apply to service providers.

I do not hold out much hope for this approach right now; the Council is pretty busy revising the DSS. It is looking at the SAQs and other documents, however, so it may not be beyond hope that the Council could include a relatively small change like the one I am suggesting to help merchants of all sizes.

Because neither of these solutions is likely in the near future, the answer rests with the merchant. Retail CIOs need to include this item when they issue an RFP or meet with prospective service providers. These CIOs need to know up front whether they are dealing with a disappointing service provider. If a retail CIO decides to use a disappointing service provider anyway, I suggest that CIO start working on a compensating control for 12.8.2 right away.

Personally, I cannot figure out why these disappointing service providers work so hard to achieve and maintain their PCI compliance and then drop the ball at the very end. I'm only guessing, but maybe their lawyers won't let them acknowledge their responsibility for fear of lawsuits. If that's the case, do merchants really want to work with a service provider that is run by lawyers and that will leave its clients holding the bag if they suffer a data breach?

Do you have any disappointing service providers? How have you addressed Requirement 12.8.2? What has been your experience with getting your service providers to include the required language in your contracts? I'd like to hear about your experiences. Either leave a comment or E-mail me at [email protected].