4 Precautions to Take When Outsourcing Your Payment Processing (3/3)
As I mentioned before in a blog post about what is considered to be “reasonable” cybersecurity, it’s critical for organizations to always be able to clearly demonstrate due diligence.
This also holds when outsourcing credit card payment processing to a third-party service provider (TPSP): the TPSP does not shield your organization from legal liability or from the consequences of PCI DSS noncompliance.
Below is a list of recommended precautions to protect your entity from liability should there be a security incident in the TPSP’s databases.
Precautions to Protect Your Entity From Liability
- Establish clear written policies and agreements to identify procedures for all applicable security requirements, as well as measures to manage and report on these requirements;
- Determine which PCI DSS requirements apply to the TPSP and which remain the entity’s own responsibility. This will vary depending on the extent of the services rendered by the TPSP;
- Monitor the TPSP’s compliance status (see the PCI Security Standards Council’s ‘Information Supplement: Third-Party Security Assurance’, version 3.0, August 2014). This means obtaining the proper validation documents, such as a Report on Compliance (ROC) completed by an Internal Security Assessor (ISA) or by an external Qualified Security Assessor (QSA), an Attestation of Compliance (AOC), a Self-Assessment Questionnaire (SAQ), and an ASV Scan Report Attestation of Scan Compliance (AOSC) if the TPSP provides services delivered via systems required to meet PCI DSS Requirement 11.2.2 (quarterly external vulnerability scans by an Approved Scanning Vendor);
- To obtain an additional measure of assurance that the TPSP’s PCI DSS assessment is aligned with the agreed-upon services, consider obtaining written confirmation that the services actually being provided fall within the scope covered by the AOC, ROC, SAQ or AOSC;
- Complete a risk assessment before engaging a TPSP. The results should be documented and, in case of doubt, the assessment can be performed by an experienced vendor familiar with the PCI DSS Risk Assessment Guidelines and the appropriate documentation process.
Overall, the vetting of candidates must demonstrate careful due diligence, and the entity must ensure that all security measures and requirements are maintained by the TPSP throughout the life of the contract. All of this must be documented in writing for further reference. It’s also essential to be aware of nested or chained TPSPs (defined by the PCI Security Standards Council as “any entity that is contracted for its services by another third-party service provider for the purposes of providing a service”), since their handling of your cardholder data is just as much your responsibility as that of the TPSP you contracted directly.