PCI Service Provider Dilemma: A Chain Can Control The Manager But Not The Managed

When a retailer outsources any function to a third party, it can protect itself through legal contracts (the threat to sue) and through early termination or simply not renewing the service (the threat to stop giving the third party money). But in the PCI payment-card-data-protection world, responsibilities and punishment for non-performance become a lot murkier.

In this week's PCI column, Walter Conway makes an eloquent argument that chains must take special care to protect their data when changing processors. But Walt only briefly touches on the responsibility issues involving those processors. In Requirement PCI 12.8, the PCI powers-that-be mandate that the retailer properly manage the service provider, but they don't say what happens if the service provider does something wrong anyway.

Consider a Fortune 500 manufacturer's VP of Sales and Marketing. Let's say she's put in charge of managing a large advertising agency doing work for the chain. When things go wrong with that agency, the CEO might ask her what's happening. But after the CEO reviews E-mails and sees that the VP did indeed instruct the agency properly—and that she tried to monitor that provider as closely as practical—he is satisfied that she is not at fault. Let's call that Action Responsibility, where you're responsible only for your own actions.

But during the same day, the CEO also learns that a huge client prospect has slipped away into the coffers of a direct rival. In that case, even though the sales VP did everything properly, all sales execs knows that a dead account is their fault, regardless of what they did.

This is the same rationale that holds that a CEO is at fault for major company problems even if he did not personally do anything wrong. It simply comes with the territory. This point could be called Results Responsibility, where you're responsible for whatever happens in your area, either through your own actions or the actions of people who report to you on projects for which you are responsible.

Does PCI 12.8 see retailers as having Action Responsibility or Results Responsibility? And which should they have?

Requirement 12.8 speaks to a rule that a retailer must do a range of things to properly manage the service provider. But it's mum on what happens if the service provider opts to ignore your dutiful management efforts.

The phrasing in subsection 12.8.2 gets the closest by saying "Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess." But it still doesn't say whether the retailer is responsible should that properly managed service provider get breached.

A parent can give all of the proper instructions to a child, but if the child disobeys and breaks the vase in the shop, the parent is still responsible. Is that the intent here? Sure, the retailer can always sue the wayward service provider. But that sidesteps the issue of PCI responsibility. Where does it stop?

The payment landscape is sharply changing. Companies—such as Blippy—are actively using payment card data, even though they may not accept payment card payments. To be precise, the data they are using has nothing to do with the data they are getting if they do choose to accept a credit card. And yet those companies are clear of any PCI responsibilities.

Mobile companies—led by Apple—are trying to carve out a new payment environment where mobile charges appear on a carrier's bill. If Apple, for example, uses iTunes to process payments and another company uses eBay's PayPal, how does that play into PCI?

Perhaps we are at a stage where PCI needs to expand to anyone who uses credit and debit transactions? Perhaps a processor and other outsourced services should, in effect, have to subcontract PCI responsibilities from the retailers. That way, if a processor screws up and a chain's data is damaged, any fines and punishment would go directly to that processor and not impact the retailer at all.

Responsibility should have its basis in fairness. And with today's expanding payment arenas, fairness is something we're seeing far less of.