Before we begin, there’s one thing to make very, very clear: You can't outsource all compliance. That includes PCI compliance.
I do not care what some vendor says. No single service makes you compliant. Only you can make you compliant.
While vendors can take you most, if not all the way to compliance. You must still confirm their compliance as part of your supply chain management efforts.
You can outsource a lot of things, but not the responsibility.
So, how do you keep this from being a hideously complex effort that stalls your compliance and security efforts?
There's A Better Way
The PCI DSS is a control-focused security standard. Ideally, this means that all firms with an attestation of compliance (AOC) are doing the same kinds of things to protect data.
In fact, the DSS is so specific, it includes requirements that you must check your service providers’ PCI compliance, and keep information about which requirements they manage. This is typically handled one of two ways: 1) The provider’s services are included in your own PCI assessment, or 2) The service provider undergoes their own PCI assessment.
In the first method, you must obtain evidence for the service provider’s security controls, just like you do for your own systems. This could include sensitive items like configuration standards, security testing results, and policy documents. Gathering evidence for just a single vendor can be a headache, image doing it for 10, 20, or a hundred providers! The situation is bad for the vendors too, since they will get nearly identical requests from all their clients.
However, for a service provider with a valid AOC, their relevant security controls are already confirmed. Your QSA will review their AOC and examine your contract with the provider. Many requirements can be considered “in place” without needing to gather new evidence from the vendor. This makes your own path to compliance much easier, especially if a PCI compliant service provider handles most of the requirements applicable to you.
Remember: requesting copies of your PCI-certified service providers’ AOCs each year will help you meet these requirements.
Show, Don't Tell
Customers like assurances that using your services will save them money, reduce risk, or solve problems. Most service providers have basic security and compliance information on their web sites or in their marketing materials. You probably do too; it’s an easy way of showing your customers that you can meet their security needs.
That said, the information is often frustratingly vague. Generally, there are one of three “experiences” we can look forward to from service providers:
- Those who are PCI compliant: When we see claims of PCI compliance, especially that include the official and properly used PCI logos, we know that we can expect a good AOC from the provider.
- Those who list other standards or specific security details: While not PCI compliant, having detailed information on their service architecture security or reports from audits usually means we will be able to get the details and figure out compliance.
- Those who have basic or no claims of security: At best, we will need to ask a lot of questions and help them generate evidence. At worst, the provider will not cooperate with the assessment. In most cases, this leads to merchants finding a new service provider.
Being able to show compliance, however, is the real differentiator. Undergoing assessment shows that you value customers enough to hold yourself to the same standard they must meet. More importantly, you only need to prove compliance and security once, saving you and your customers time and money.
As a service provider, you must consider how your customers might use your services, even if you do not intend to handle credit cards. For example, if your customers set up e-commerce sites on your hosting platform, they will need your help meeting PCI requirements related to infrastructure security.
The Responsibility Matrix
The big caveat to all this is that merchants, their QSAs, and service providers must agree on who handles each PCI requirement. While providers are responsible for the security of their infrastructure, their customers own the security of the systems they build or use with those services. For some requirements, like access control and incident response, each party owns part of the controls related to their own systems.
This is where a responsibility matrix comes in. Based off the service provider’s AOC, a responsibility matrix lists all PCI requirements and shows whether the responsibility for implementing each control belongs to the service provider, their customer, or both. When the responsibility is shared, the matrix has a brief description of how the provider handles the control for their systems, and what the customer must still do for their use of those systems.
Service providers are not required to create a responsibility matrix. In fact, merchants are the ones who need to document those details as part of meeting PCI Requirement 12.8. However, just like getting the AOC in the first place, a responsibility matrix helps save everyone time. It ensures customers know what exactly the provider is willing to support and serves as a road map for using vendor services in a PCI complaint way.
More: Whether you’re just beginning to navigate PCI compliance or are making a change to the way you do compliance, Anitian has the resources you need to handle the all intricacies and speed bumps that come with the compliance process. Check out more articles from out blog, read up on our comprehensive compliance services, or just reach out one our friendly account execs for more information.