Wednesday, July 22, 2009

PCI and Your Third-Party Service Providers – Now Some Good News

(Originally published July 16, 2009)
I wrote (ranted…?) last time about working with schools and their non-validated service providers. I focused on some disappointing, if not downright misleading, behavior by a few providers. Now I’d like to share some more pleasant news: more and more service providers are getting validated.

In one case the school was using a non-validated service provider. That is, the service provider wasn’t on Visa’s list of validated service providers. When we contacted the provider, they knew exactly what we were asking about, and they sent a document describing their plan to become a Level 1 Service Provider, complete with a timetable and the name of their QSA firm. They had made substantial progress and hoped to be validated within weeks. Clearly these folks had been thinking about this for a while.

In another case we spoke to the vendor, who ended up giving us (!) a little lecture on the importance of PCI. Then he offered a pretty thoughtful insight: from his point of view, he wanted to outsource the payment process, too. This vendor would keep all of their application’s functionality (which the users loved) but outsource the payment part of it. They had already built links to a number of other payment vendors, so the school could choose one to which it was already connected. If you recall my earlier blog post on SunGard, I really endorse this approach for both schools and service providers. Besides, when the service provider offers a solution like that, it can make the consultant look pretty smart, too. (I wonder if I remembered to thank him...)

There is good news on the payment application front, too. More Higher Education application providers are going through the PA-DSS validation process. In fact, there are so many apps on the validated payment applications list now that I recently had to download it into Excel so I could search through it. Others are working on providing a hosted solution, which can go a very long way toward helping a school become compliant. Again, my personal preference is to get the payment processing out of the school’s PCI scope and outsourced to a validated processor that does this for a living. I see this direction as (hopefully) a trend.

To summarize, there is good news on the third-party provider front. These days, I’m encountering more vendors who “get it” with PCI. They realize that PCI isn’t going away, and that their customers are not going to stay with a supplier who will not support a school’s own compliance efforts. It makes my life easier, too: nobody wants to tell a client to stop using an application they have been happy with for years.

My compliments to all you service providers who are validated and to those who are getting close. Good job! For the rest of you service providers…did I mention I can suggest a good PA-QSA firm…? (End of shameless promotion.)
