Are Your Service Providers PCI Compliant?

Working with Service Providers Who are Not PCI-Compliant May Cost You

Outsourcing certain facets of your business operations to third-party vendors and service providers can be a great way to save time and money, while making your business more efficient. However, outsourcing operations can also create vulnerabilities, especially if you can’t verify that your vendors—or the additional vendors they employ—are PCI-compliant.

Verifying Compliance is Not Always Possible

According to the card schemes like Visa and Mastercard, the term “service provider” describes any group that processes cardholder data on a merchant’s behalf. This includes storing, transmitting, or analyzing data.

While it’s mandatory that all service providers be PCI-compliant, it’s not always mandatory to verify compliance. This can lead to errors in implementation, inconsistencies, or only partial compliance. Plus, effective compliance monitoring can be incredibly difficult. In many cases, vendors will employ additional vendors to operate like sub-contractors, who might also hire additional vendors underneath them. In some cases, these sub-contracted vendors may not be required to maintain PCI-compliance at all.

It’s not surprising that when data breaches occur, the source is typically a service provider, rather than the first-party’s own internal systems. For example, the massive Equifax breach revealed in September 2017 was not the product of Equifax’s own security, but of outside software that the company used.

In the end, though, Equifax is the one who carries the responsibility…as well as the reputational damage. That’s because PCI DSS Requirement 12.8 stipulates that businesses need to monitor their service providers’ compliance and accept responsibility for any incidents that occur as a result.

Remember: if any link in this chain of accountability is weak, then the entire chain is weak.

How to Verify Compliance

If you’re an online merchant, you probably already know that maintaining compliance is a scary prospect. Any new service you contract might be a vulnerability. So, how can you enjoy the benefits of third-party service providers while also minimizing the associated risks? There is a basic two-step process that should help:

Step 1: Maintain a List of Service Providers

You should first assemble a complete, up-to-date list of all service providers you use, and provide this information to your acquiring bank. Your acquirer can then register your service providers with the card schemes, who can use that information to help pinpoint issues in the event of a potential breach.

Step 2: Request an Attestation of Compliance

An Attestation of Compliance—or AoC—is a formal document you can request from any service provider with whom you work. The AoC serves as verification of compliance with PCI DSS regulations on the vendor’s part. Of course, as mentioned above, some service providers might reply that they do not need to maintain compliance, due to preexisting relationships with other businesses. In this case, you can request an AoC from the sub-contracted service providers in question.

If you successfully document service providers, you will at least be in compliance with PCI standards. You would still be responsible for reimbursing or otherwise assisting customers in the event of a breach, but you avoid fines and other penalties imposed under the PCI DSS.

Which Level Are Your Vendors?

It’s important to point out, though: not all vendors are compliant under the same set of PCI regulations. Businesses involved in handling more detailed and sensitive information can be required to maintain a stricter, specialized set of rules based on the number of transactions processed:

  • Level 4 Compliance: The least-demanding set of PCI DSS regulations, reserved for merchants processing fewer than 20,000 Visa or Mastercard eCommerce transactions each year.
  • Level 3 Compliance: Between 20,000 and 1 million eCommerce transactions annually.
  • Level 2 Compliance: Between 1 million and 6 million eCommerce transactions annually.
  • Level 1 Compliance: Any more than 6 million eCommerce transactions annually.

Service providers authorized under less-stringent PCI DSS levels can have limited access to customer data. However, for more detailed and sensitive work, vendors may require higher levels of compliance. That higher compliance standard comes with additional requirements, such as on-site internal audits, network scans, and more.

Due to the stricter requirements associated with higher levels of PCI compliance, relatively few vendors will meet the standards for PCI Level 1. However, the added scrutiny has a positive effect on your ability to prevent hacks and other attacks that exploit data vulnerabilities.

Interested in learning more about PCI Compliance?

Contact the Payment Dispute Standards & Compliance Council today to learn how to get involved.

Last Update: December 19, 2017  
