In 2005, CardSystems Solutions, which was a top payment processor for credit cards such as Visa, MasterCard, and American Express, was hacked. The consequences were enormous: 40 million credit card accounts were exposed in the cyber-attack, and CardSystems Solutions was bought out by the end of the year.
You’ve probably never heard of CardSystems Solutions, but Visa, MasterCard and American Express got your attention. Even though a vendor may be responsible for the data breach, the brand name is the one that suffers the public relations disaster.
Since 2005, cyber-attacks have only become more sophisticated. More than ever, companies and their vendors must work together to protect cardholder data and achieve compliance to the newest iteration of the Payment Card Industry Data Security Standard. Here are five ways PCI DSS 3.0 makes security a shared responsibility:
1. PCI DSS 3.0 compliance is not optional.
Any business handling cardholder data must be PCI compliant or risk fines from the major credit card companies following a breach. However, the financial fallout goes beyond penalties: Enterprises may find themselves spending money to clean up a PR nightmare. Proactive vendor risk management can stave off liabilities before they become breaches.
2. Neither are periodic vendor assessments.
Periodic vendor assessments can help companies know what they don’t know. With the CardSystems example, the organization had been audited and found to be standards-compliant in 2004 (the PCI hadn’t quite been introduced then), but an investigation after the breach found it wasn’t in 2005. Assessments must be thorough as well, partly to ensure a vendor that says it’s compliant actually is. Following PCI DSS 3.0 is beneficial to merchants, but some third parties may think they are following the standards but in fact aren’t. Vendors should want to know what they can do better to protect cardholder data.
3. Responsibilities must be defined.
A new requirement of PCI DSS 3.0 mandates a clear delineation of what party (the company or its vendor) is responsible for what part of the compliance. On first glance, this might be contentious because vendors may feel they are being charged with more responsibilities than they want. Coming to this delineation may require negotiations, and after the initial shock, here’s where companies and vendors can work together to decide how they will achieve PCI DSS 3.0 compliance.
4. Documentation will get better.
With PCI DSS 3.0, service providers now must provide documentation when they are handling cardholder information. Also, noncompliance becomes a bigger headache for vendors. Though this may seem to set up an adversarial relationship between the third party and its customer, again, it offers the opportunity for the two sides to become partners to achieve compliance. A company that knows a vendor is striving to follow PCI DSS 3.0 can focus its risk management efforts toward the where they are most needed, either with the vendor or toward more challenging third parties under contract. And of course, the reputation of a vendor in compliance is more likely to grow.
5. The little guys will get the help they need.
For smaller merchants and vendors, PCI DSS 3.0 is going to be a challenge because many who never were concerned about compliance suddenly must follow the updated guidelines. For example, a new requirement directs companies to regularly inspect point-of-sale (POS) machines for tampering, but some merchants may not have a clue how to do this. Companies can share the security responsibility by guiding their vendors through the new requirements of PCI DSS 3.0. By informing third parties what they need to do and offering advice on how to do it, enterprises encourage compliance and minimize their own risk.