The Payment Card Industry Security Standards Council (PCI SSC) has updated its guidance to help merchants better determine whether third-party service providers have implemented security measures to protect credit and debit cardholder data.
The updated guidance is part of a broader PCI third-party security assurance program being implemented to bolster credit and debit card security.
Under the initiative, Internet and cloud service providers, online storage firms, call centers and other companies that offer services to retailers must show they have the security controls needed to protect any cardholder data they handle.
Starting next July, merchants that want to remain compliant with PCI requirements will be required to obtain a written assurance from each of their service providers attesting to each provider's readiness to handle credit and debit card data securely.
The new guidance, developed by a PCI special interest group representing merchants, banks and third-party service providers, aims to speed the process by offering tips to merchants on how to conduct risk assessments.
The guidance includes tips on how merchants and service providers can share responsibility for implementing PCI security measures.
The guidance also offers recommendations on how merchants can set expectations, establish a communications plan and specify security responsibilities when signing up a third party. The guidance can help PCI members develop consistent third-party agreements and policies.
The new guidance and the third-party assurance program were prompted by the growing use of outsourced service providers by merchants, said Troy Leach, chief technology officer at the PCI Security Standards Council.
Merchants often mistakenly assume that service providers have strong security controls, Leach said.
Often, service providers have relationships with other third parties. With such nested relationships it becomes especially important for merchants to ensure that cardholder data is adequately protected along the entire chain, Leach said.