Monday, October 20, 2014

What is a PCI Service Provider? (FAQs)

Working with third parties can be either a joy or a constant source of frustration. Or sometimes a little of both. I frequently come into contact with departments in our university who wish to work with an outside party, but have little understanding of what is involved.

One difficult term is "service provider." It's difficult because it can mean different things to different people. And lately the PCI Security Standards Council has been emphasize that "touching" cardholder data may be a little too narrow a definition. Scope can be extended out to entities that can affect the security of cardholder data without actually touching it.

I tried to come up with a short list of questions and answers that help clarify the issue when we are talking about what I call PCI Service Providers. These are the types of entities that are defined in the Glossary and which we are required to manage per Requirement 12.8. There are other types of service providers I will touch on later.

Note: Parts of this post that are in the color green are examples from one single, particular merchant and are not intended to serve as advice or a recommendation.

What is the official definition of a Service Provider?
From the Payment Card Industry Security Standards Council (PCI SSC) Glossary

Service Provider
  • Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
How does a Merchant determine if an entity is a PCI Service Provider?
  1. If a third party business entity processes cardholder data on behalf of a Merchant, and the transactions are processed using a Merchant ID (MID) obtained by the Merchant from the Merchant's acquiring bank, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance.
  2. If a third party business entity provides services for, or on behalf of a Merchant, and those services control or could impact the security of cardholder data or of transactions that are processed through the Merchant's MID, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance.
What are a Merchant's obligations to its acquiring bank in regards to its PCI Service Providers?
  1. The Merchant must register all PCI Service Providers with its acquiring bank. 
What are a Merchant's obligations under PCI DSS in regards to its PCI Service Providers?
The Merchant must manage all PCI Service Providers according to PCI DSS Requirement 12.8 and all sub-requirements.
  1. The Merchant must verify that all PCI Service Providers are compliant with PCI DSS.
  2. A written agreement must be maintained in which the PCI Service Provider acknowledges responsibility for the security of the Merchant’s cardholder data.
    • For services provided in 2015, the entity must be assessed under version 3.0 of the PCI DSS, unless the relevant services have been previously assessed under PCI DSS version 2.0 and that assessment is valid during the 2015 service period.
    • (My organization's standard for validation is a registered Visa or MasterCard Level 1 Service Provider, validated as compliant for all the services that are covered in the agreement between the PCI Service Provider and the Merchant. Each Merchant must decide its own standard)
  3. The Merchant must exercise proper due diligence before engaging a service provider.
  4. The Merchant must monitor the PCI compliance of all PCI Service Providers at least annually.
  5. The Merchant must maintain information about which PCI DSS requirements are managed by each PCI Service Provider, and which PCI DSS requirements are managed by the Merchant.
What if a business entity that is not a Visa or MasterCard Level 1 Service Provider wishes to work with the Merchant?
  1. Each Merchant must decide this question itself, based on its own risk assessment process, following PCI DSS v3, Requirement 12.2.
  2. My organization has operated under the following internal guidelines. You should work with your own QSA to determine what is best for your organization.
    • Any such business entity must be approved in writing by [the owner of Merchant Services] before doing business with the University. Before such approval is given, the entity must meet the same standard of PCI DSS compliance validation as a Level 1 Service Provider would meet. That is, the submission of a valid and properly signed Attestation of Compliance (AOC) and the executive summary section of the accompanying Report on Compliance (ROC) prepared by a PCI Qualified Security Assessor in good standing with the PCI SSC at the time of the assessment.
    • The submission of a PCI Self-Assessment Questionnaire, or SAQ, is not sufficient for validation of compliance for PCI Service Providers.
All Merchants must develop their own policies and procedures for working with third-party Service Providers. There isn't a one-size-fits-all solution. How about you share your approach in the comments section?
For additional guidance, please see the PCI SSC Information Supplement on this subject, Third-Party Security Assurance, written by the Third-Party Security Assurance Special Interest Group and published in August 2014 by the PCI Security Standards Council.

Friday, October 17, 2014

Unsolicited and Unwelcome Contacts

Good Afternoon!

Over the past several days many people associated with the Treasury Institute for Higher Education have received emails and phone calls from a representative of one side in a long-running labor dispute in Nevada between a labor group and a casino owners group.

These uninvited calls/emails are part of one side's aggressive tactics to force a particular outcome in the dispute at the Green Valley Ranch Resort (our host facility for the upcoming 2015 PCI-DSS Workshop). To all our friends and participants that were disturbed by this outreach, the Treasury Institute sincerely apologizes as well as the Green Valley Ranch Resort.

Please do not respond or engage these representatives, and refer all requests to Professional Development Group II, Inc. (our meeting's planning and organizing company) or the Institute’s Executive Directors.  We will continue to work directly with the resort to ensure that the upcoming workshop is unaffected by these tactics.

Jon K. Speare
Executive Director
The Treasury Institute for Higher Education

Friday, October 3, 2014

Report from Orlando

[Here is another in our series of  posts from Joe Tinucci, Assistant Treasurer of the University of Colorado. Thanks for the report, Joe! --gaw]

If you have been around the PCI DSS for any length of time, you know that the standard is developed and maintained by the PCI Security Standards Council (PCI SSC).  Every year the PCI SSC holds a series of Community Meetings around the globe; this year's North American meeting was held in Orlando, FL, on September 9 - 11, 2014.  This meeting serves as a good opportunity to find out what is on the Council's mind regarding current issues and the direction of the PCI DSS, to network with other merchants, and to talk to the payment card brands.

There were several trends and/or important issues apparent at the meeting; a short summary follows.

Evolution of the Payment Card Industry Data Security Standard (PCIDSS)
There was a lot of discussion of the best practice guides and information supplements issued by the Council over the past couple of years to clarify the PCI DSS.  It was clear from the conversations that these best practices will be integrated into the next version of the PCI DSS.  So, if you want to plan for tomorrow’s requirements, look at today’s guidance and best practice documents.

Compliance as Business-As-Usual
It was emphasized repeatedly that real system security cannot come from a once-a-year compliance event but must be integrated on an ongoing basis into a business-as-usual process.  Several speakers noted that ongoing compliance monitoring saves a significant amount of time and money over an annual point-in-time assessment.  It was also pointed out that most of the cardholder data breaches in the past year or two were of compliant entities who had let their security posture degrade, or whose compensating controls for PCI DSS requirements that could not be met directly didn’t adequately compensate for the risks / threats they were intended to counter.

Compensating Controls May Not Be Adequately Compensating
I got the sense from the official and unofficial discussions at the meeting that future guidance will tighten up on the issue of compensating controls.  A compensating control is put in place because an entity cannot meet one or more of the PCI DSS requirements, and is intended to address the risk but with a different approach.  Since many of the breaches of compliant merchants appear to have been at the point of a compensating control, extra attention will be given to the justification for a compensating control, the implementation of the control, the verification that the control is actually meeting the goal of the security control it was intended to replace, and the maintenance of the control.  If you need compensating controls, you need to fully document why, what, how, for how long, and who accepted the risk of not implementing the required control.

Risk Management Approach
If there was a clear theme to the meeting it was that merchants and service providers have to adopt a risk management approach rather than a check-the-box mentality to security, whether for cardholder data or any other sensitive data.  Documented risk assessment, ranking, management, and acceptance processes are crucial to best using limited resources to best advantage.  Also, it was noted that the PCI DSS was moving toward risk-based requirements in future versions.

Scoping is Essential
Reducing the scope of the merchant environment wherever it contains cardholder data is an essential technique for reducing the risk for a merchant; that is, limit the machines and systems that hold sensitive data to the fewest possible to process card transactions.  Written documentation of how and why the scope was determined, how the isolation of the cardholder data environment is accomplished and maintained, and how that isolation was tested is a current best practice and very soon to be a requirement.  This includes documentation of how the merchant determined that the scope of isolation from the rest of the network / infrastructure / environment was verified through penetration testing.  The Council has a much-anticipated workgroup creating penetration testing guidelines; once these are issued institutions will need to quickly bring their security staff up to speed on this security technology / technique.

Web Site Security for Ecommerce Transactions
There is a new emphasis on the security of merchant web sites / web applications that hand over the processing of payment card transactions to a third party service processor.  Multiple recent breaches have been initiated with a compromise of the merchant web site, even though the actual payment was processed by the third party gateway processor.  The newest version of the PCI DSS, version 3.0, splits apart the old assessment used with third party service providers in two – one for completely outsourced situations and the other for any other type of ecommerce web site.

Managing Third Party Service Providers
Many organizations outsource the actual processing of a payment card transaction to a third party service provider.  There was a lot of discussion of best practices in managing these service providers, including the requirement to renegotiate contracts to be much more specific about which party is responsible for each of the PCI DSS requirements. Documentation should be provided for how third party service providers were vetted, how their performance is monitored, and to whom they are providing data from the merchant’s customers and the compliance status of those other parties.

Chipcards Are Coming But Are Not The Complete Answer
Chipcards, or smartcards with an onboard computer processing chip that conforms to the Europay / MasterCard / Visa (EMV) standard, are being issued (slowly) by financial institutions and merchants must be prepared to process them.  The implementation of EMV cards is being spurred by an October 2015 deadline by which liability is switched from the card issuer to the accepting merchant for card-present fraud if the merchant cannot process EMV card transactions, as well as announcements of large retailers that they will be upgrading their equipment to accept EMV transactions (most of the announcements have come after massive breaches, with Target and Home Depot providing some recent examples).  EMV cards provide much better protection against counterfeit plastic but do not provide much additional protection against other types of fraud.  Also, other countries that have adopted the EMV standard for the card networks have seen fraud migrate from card-present transactions to card-not-present and ecommerce transactions.

Joe Tinucci is the Assistant Treasurer at the University of Colorado, where he manages the University's banking relationships.  As part of that job, he also drives the PCI DSS compliance process for approximately 160 card-accepting merchants across diverse card-acceptance environments in four campuses. Joe can be reached at (303) 837-2185 or