Have PCI, Will Travel

Guestview Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Get out your "traveling pants," because you're going to have to start visiting any company to which you entrust credit card data.

According to a summary of the forthcoming PCI DSS 1.2 standard publicly released by the PCI Security Standards Council a few weeks ago, if you use third parties to collect, process or store cardholder data for you, then you need to do more than simply get a letter from them once a year that says they are doing right by your data, they're PCI compliant or what have you. The change lands in the service-provider management requirement (Requirement 12.8): you are expected to maintain an ongoing program that monitors your service providers' compliance status, not just collect an annual attestation.

Merchants cannot just outsource the handling of confidential data to the lowest bidder and assume that all is well for the 364 days between one PCI assessment and the next. The real questions are whether merchants can afford these visits, and whether there are ways to accomplish this task that are less obtrusive than the phrase "vendor visitation program" implies.

Why you should be "your brother's keeper." We've talked to many merchants who say they are having enough problems just managing their own security and compliance, so the very idea that they need to take on the problem of verifying that their business partners are secure/compliant is simply beyond their current capabilities.

However, over the last 25 years, a giant spider web of service providers has emerged, complete with extensive sub-contracting of software development and data management. In fact, it is extremely likely that the typical retailer has no idea where its data (including credit card data, customer and employee PII) is actually being kept, because their contractual visibility only goes "one layer deep."

Retailers know which company they contracted with, but they don't know with whom their service providers contracted. I would say it's a "rat's nest" but I already said "spider web," so you get the idea.

BITS started the party, but PCI brought the "hard stuff." The whole idea of making sure that service providers are properly protecting data has been well codified by BITS, the technology arm of the Financial Services Roundtable (www.bitsinfo.org), as part of the security criteria the group developed for financial institutions to use when evaluating their service providers.

Although the BITS criteria are excellent, the PCI assessment process is more formalized, because it relies on independent assessors (the Qualified Security Assessors, or QSAs). The additional rigor of the PCI process means that service providers whose customers include both retailers and financial services firms (e.g., call centers, software development shops, data center colocation providers) are on the receiving end of voluminous, highly customized questionnaires that combine BITS and PCI criteria, and are also receiving many more on-site visits from those customers.

Typically, only the largest retailers have vendor visitation programs today. But if the PCI DSS 1.2 changes play out the way we're expecting, the number of visits to service providers will increase severalfold. All that traveling gets expensive, what with gas prices and all, so we're expecting changes in the market.

Enter the "we'll visit your service providers" service providers. Why should merchants visit their service providers when they can just hire another service provider to do it for them? Yep, this is actually a real business—a real business that's likely to get a lot bigger over the next two years.

Of course, the service can't be just visiting the service providers. These businesses will have to "amp it up" and do more full-blown assessments. That's how these service providers will differentiate on the high end. On the low end, the focus will be getting more service providers "checked off" for less money. But the risk, of course, will fall to the retailer.

To minimize the risk, the best plan is to adhere closely to the PCI standards but to not limit their application to cardholder data. After all, most merchants have tons of data entrusted to third parties. It would be a shame to have a vendor visit/assessment program that only focuses on protecting one type of data. So whether you visit your service providers yourself or hire someone to do it for you, it's important that you not only follow the standards but develop a "holistic" plan that investigates the protection of all confidential data.

This comprehensive or holistic approach for investigating and managing third-party security is one of the PCI Best Practices that we at the PCI Knowledge Base developed for the National Retail Federation. If you're a retailer, we want to get you involved in the best practices study too. It's 100 percent anonymous. Just send us an E-mail at [email protected]