The Payment Card Industry (PCI) Security Standards Council recently published new guidance supporting PCI Data Security Standard 3.0 (PCI DSS 3.0). This guidance was released to help merchants reduce the risk of compromising payment card data when engaging third parties as service providers (e.g., call centers and e-commerce payment providers). The guidance provides a series of payment security best practices to use when engaging service providers and is designed to help merchants and their service providers better understand their respective roles and responsibilities in securing and protecting payment card data.
Some of the best practices include the following:
- Conducting a rigorous vetting process, including due diligence and risk assessments prior to entering into a business relationship
- Setting proper expectations with service providers by explicitly detailing the service provider’s obligations to safeguard PCI data
- Considering contractual provisions that would require transparency into a service provider’s PCI DSS 3.0 compliance requirements
- Implementing monitoring and reporting processes to manage and report on a service provider's compliance with its PCI DSS 3.0 requirements
It is important for merchants to remember that, no matter which services are provided by a service provider, the merchant is ultimately accountable for ensuring its own compliance with PCI DSS 3.0 requirements. Accordingly, even if a merchant has already implemented some of these practices, it should review the PCI Security Standards Council’s latest guidelines and consider them prior to entering into a business relationship with any service provider that may have access to PCI data.