The PCI Lessons From Google's Employee Data Breach

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

When Google this month fired a programmer for using the search giant's database to investigate an intriguing teenager, it showed that even the most sophisticated and respected technology brands can have a trusted employee go rogue. This lesson should not be lost on retail executives, who may rely on several third-party service providers to process or analyze their payments.

In Google's case, the employee reportedly abused his privileges to access confidential user information. In a payments context, a similarly trusted employee at one of your service providers could have access to your payment card transactions and maybe even your systems. But could PCI prevent a data compromise?

The answer is probably not. But the more important question is: If a malicious employee at a service provider stole your payment data, would the fact that you are PCI compliant reduce your exposure? That answer is a more encouraging yes, quite possibly—especially if you thoughtfully complied with Requirement 12.8.2.

That requirement is the PCI Council's way of telling retailers "we have your back." Requirement 12.8.2 says that service providers should be responsible for your data.

Every retailer has at least one, and likely several, payment service providers. These third parties may provide payment processing, Web hosting, datacenter management, payment application support, customer service, a call center and even encryption or tokenization.

Requirement 12.8 addresses how you manage your service providers. Subsection12.8.2, in particular, says that a retailer will "maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess."

The test for whether your third-party contracts meet this requirement: An explicit provision in your written agreement that is an "acknowledgement by the service providers of their responsibility for securing cardholder data."

I am a QSA, not a lawyer. It seems to me, though, that if a retailer working with its counsel develops an agreement that says each service provider is responsible for the data entrusted to it, then—should a Google-like episode occur—the service provider, not the retailer, will be on the hook.

For example, let's say a service provider employee with broad access to a retailer's payment data goes rogue and steals a few hundred thousand payment card numbers together with other information.The card brands will likely discover the breach using their common point of purchase approach and consider the retailer the source of the breach. The brands may then order a forensic investigation, which the retailer will have to pay for.

If the breach is determined to lie elsewhere, wouldn't it be great if the responsible party paid instead of the retailer? That payment issue is the kind of thing that PCI Requirement 12.8.2 can do.

The PCI Council doesn't provide much in the way of specific guidance or scope telling retailers what should be in their service provider agreements. That is up to the individual retailers to negotiate. Some service providers will work with you to comply with 12.8.2. Others are more disappointing. I've written about both types of providers.

In defense of service providers, retailers need to understand that they should not expect 100 percent security from a vendor or anyone else. Perfect security doesn't exist.

But what retailers do have a right to expect—and what PCI compliance requires—is that a service provider will accept responsibility for the data in its control, including its and its employees' actions.

I wish this requirement came much earlier in the PCI list. One reason is because 12.8 and its four subsections may get short shrift. Many merchants attack the PCI Requirements in order and, as such, Requirement 12 gets left to the tail end of the compliance process.

Another reason I wish 12.8 were, say, 3.8, is that it deals with unpleasant situations, so it can take a long time to get right. After a retailer has spent a lot of time and energy meeting the other 225 requirements, there just is not a lot of enthusiasm (or time until the Report on Compliance is due) remaining to arm wrestle with an uncooperative vendor.

It would be interesting if in every service provider's Attestation of Compliance, there were a box or blank paragraph where that provider could state "How we facilitate our merchants complying with 12.8.2." Until that day arrives, however, retailers need to work with their service provider partners individually.

What do you think? What has been your experience in working with your service provider partners to meet Requirement 12.8.2? When you develop RFPs, do you ask questions like "How will you facilitate the company becoming and remaining PCI compliant?" I'd like to hear your thoughts. Either leave a comment or E-Mail me at [email protected]. You can also speak to me personally, if you happen to be at the PCI Community Meeting.