Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great. What is even better is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage when prospecting for customers who are looking for a simplified, independent guarantee that their data will be secure when it's entrusted to the service provider.
In short, PCI is becoming a "security brand" with value in the marketplace.
We have talked with several service providers who, after going through the self-described "hassle" of having their data management services assessed for compliance, find that they are getting requests from insurance companies and healthcare providers, as well as from banks and retailers, where PCI is mentioned in the same breath as a SAS 70 report as a form of independent validation of the service provider's security.
When looking for a service provider, one of the standard things to ask for is its SAS 70 Type II report. It is important to know that the provider's controls over processing that affects its customers' financial reporting are in place and operating. But the controls covered by this AICPA standard do not include the detailed data security controls that are at the heart of PCI DSS.
Indeed, there really is no other shorthand way of asking a service provider what specific technical and procedural controls are in place to protect customer data other than PCI. In short, we recommend that companies who outsource the collection or management or storage of confidential data—beyond credit card data—look to PCI compliance as shorthand (or, God forbid, a checklist) for the set of controls it includes.
Since its inception, PCI compliance has been treated as a "state," not unlike Nirvana, which an organization attempts to achieve to avoid fines, stop annoying letters from acquiring banks, etc. But PCI is becoming a marketing tool for service providers wishing to differentiate themselves on the basis of how well they secure the data they have under management. To use PCI as a marketing message, though, the data subject to the controls cannot "merely" be credit card data. Some companies are talking about "beyond PCI compliance" as a way of saying that they apply PCI controls to other data. Others use the same term to indicate that they apply additional controls that are not part of PCI, such as encrypting data over private networks or adding controls specifically designed to secure virtualized servers. So, even when it comes to standards, there is still plenty of room for "Wild, Wild West marketing."
As PCI-related services become more common because of increased outsourcing of payment processing and related functions, due diligence on service provider claims will necessarily increase. We've noted in previous columns how important it is to ask a service provider for more than a one-paragraph letter stating that it is PCI compliant: ask which services were actually assessed, by whom, and when. Increased reliance should generate increased due diligence. What we expect to emerge, along with the enforcement of the Payment Application Data Security Standard (PA-DSS) next year, is a group of "meta service providers" who offer service provider monitoring on a nearly continuous basis. Some assessors and auditors do this today, but it is typically limited to annual PCI or SAS 70 reviews. We're suggesting a more automated monitoring service and process because, frankly, continuous service provider monitoring is what's needed to catch security breaches before they become multimillion-record debacles.
If you've been through a PCI assessment (third-party or self-assessment), you should have a list of the service providers in scope for PCI. Get out that list and start asking around to find out how long it would be if you included every service provider responsible for collecting, managing or storing ANY confidential data. Then, find out who is primarily responsible for communicating with these service providers. Usually, Contracts Administration or Global Sourcing or some other department will own most of these relationships, but there will be others they don't cover because IT often manages its own service providers. Also, see if you can get Internal Audit interested in reviewing service providers (if they're not already). The goal of all this is to develop a more consistent, thorough and "continuous" service provider security review process. The same level of monitoring (and even alerting) should be in place for service providers as is in place for confidential data that is collected, managed and stored internally. It may seem like a pain, but it's definitely a best practice as PCI becomes more of a competitive advantage.
If you have a question about service providers, you can ask the PCI Knowledge Base panel of more than 75 PCI experts in our discussion forums. We have one specifically focused on Service Providers and Outsourcing. Also, if you're a retailer, we want to get you involved in the PCI Best Practices study we're doing with the National Retail Federation. It's 100 percent anonymous. Just send us an e-mail at [email protected]