The PCI compliance process strongly encourages payment outsourcing. Only merchants who fully outsource get to use the "short form," or version A of the PCI Self-Assessment Questionnaire.
For some merchants, who never wanted to collect or retain card data in the first place, this is regarded as a good thing. But it's also a very expensive thing. You wind up paying anywhere from thousands to hundreds of thousands of dollars per month to service providers to manage data that you didn't want in the first place. One of the merchants I interviewed for our Retail PCI Best Practices study described it as a "racket"—a way to generate a predictable revenue stream moving from the retail industry to the financial services industry.
Is PCI easier for service providers? If you're considering outsourcing card data collection, or processing, or any other task to a service provider, ask yourself this fundamental question: If PCI compliance is so hard for merchants to achieve, why is compliance any easier for service providers that hold the payment data for hundreds or thousands of companies? The answer is: It isn't easier. Actually, it's harder. In fact, the structure of many service provider operations makes full "enterprise-wide" compliance impossible. However, as long as they can provide an environment for their customer's data that is sufficiently segmented to prove compliance, they can get an assessor to approve them.
Rewrite your service provider contract. We've conducted more than 175 hours of interviews for the PCI Knowledge Base, and it's clear that even though the use of outsourcing is on the rise, the use of due diligence procedures to review the service provider's practices is still limited to the largest organizations, who have sufficient Internal Audit staff to make on-site visits to key service providers.
But most merchants bet the safety of their data on a 1-2 line statement in their contract (or contract addendum) with their service provider that requires them to be PCI compliant. Contracts or addenda that merely require PCI compliance and their acknowledgement of responsibility for security are sufficient for PCI purposes, but merchants need to be sure that a detailed inspection and reporting process is specified, so as to allow for due diligence to ensure the ongoing protection of corporate assets (i.e., your customer's data).
Being "duly diligent" is a pain. The more you outsource, the more money and effort you have to devote to ensuring the proper handling of your business by the service providers you select. Most merchants cannot afford to implement some of the due diligence specified in their agreements, so the contracts have to be written such that due diligence is a right and/or an option that may be exercised under certain specified conditions, rather than an obligation. Otherwise, failure to conduct due diligence reviews could leave the merchant in breach of contract.
Do low-cost surveys to demonstrate due diligence. If you cannot afford to do on-site inspections of service provider security, gather data via surveys. Right now, you have to do this yourself. But it's worth it to prove that you have conducted a due diligence investigation in case, God forbid, there is a security breach.
Understand the service provider perspective. When it comes to compliance and data security, the role of service provider sort of sucks these days. This is mainly because they have to comply with not only PCI but also SAS 70 and, if they provide services to banks, they must meet the BITS Master Security Criteria (MSC), too. As if that weren't enough, they are constantly being visited by the Internal Audit staff of their largest customers and receiving customized questionnaires. In short, customized due diligence reviews won't scale. But help is on the way.
Service provider ratings are emerging. We've talked to a couple of organizations that see payment and data security outsourcing as enough of a trend to justify creating third-party ratings services. The goal is to give merchants an objective, independent way to compare the effectiveness of various service providers in terms of their procedures, data security, etc., so that selecting service providers can be done on criteria other than price. This avoids commoditization. It also simplifies life for the service providers, who would prefer not to fill out hundreds of customized evaluations, which often combine some elements of PCI, SAS 70 and the BITS MSC, but never in the same way.
The bottom line is that merchants should only outsource payment processing or the management of any confidential data when they can implement a review process that is sufficient to demonstrate to a court that they are meeting legal standards of "due care" for customer data or other confidential information. Even though PCI compliance is easier if you outsource, merchants still own the brand, and liability (in the legal sense) cannot be outsourced.