Wednesday, July 22, 2009

PCI and Your Third-Party Service Providers – First, the Bad News

(Originally published July 10, 2009)
It’s happening again. I’ve now run into it a couple of times in the past few weeks. I’m working with a university to get them PCI compliant. Somebody on campus is using a third-party service provider that is not on Visa’s list of compliant service providers.

My usual procedure (and what I recommend to you) is to get the vendor on the phone and say something like: “I notice you are not on the list of PCI-compliant service providers; what are your plans to get on the list?” Then stop. Let them talk. Many times the vendor is well aware of the situation, and they will happily share their plans with you. But oh, those other times...

Twice recently I’ve had a vendor submit their scanning report. Like that’s supposed to make me feel warm and fuzzy that they’re compliant!?! That says they passed a scan by an ASV. Whoopee. When I see this, red flags go up. How about the rest of PCI compliance, like almost the entirety of PCI DSS? If they process more than 300,000 transactions a year – and you do not want to deal with any service provider who doesn’t – they are a Level 1 service provider and they need a QSA to sign off on their Attestation of Compliance. Where is that Attestation of Compliance? Is it current?

My favorite is when the vendor replies that they are compliant as a Level 3 (or 2 or whatever) merchant. That response is completely irrelevant and inexcusably misleading. That they are compliant as a merchant is meaningless to you when you use them as a service provider. They can self-assess as a merchant – they cannot as a Level 1 service provider. That extra step is meant to protect you. If you get that kind of reply, you are likely dealing with an over-eager and/or ill-informed sales rep…ask to talk to an adult.

What about all your small vendors that serve a market niche? Do they need to be compliant? Yes, they do, and it will cause some of them to find another business. PCI effectively eliminates small vendors that can’t afford to become and stay compliant. While sad for the vendor, it is better for your school. You don’t want to entrust your brand and your financial data to an insecure, vulnerable outside vendor.

But there is a lot of good news. That’s in the next post.