Vendor Third-Party Risk Management in PCI DSS

Published on : 02 Mar 2022


Vendor Third Party Risk Management

Given the operational efficiency and low overhead cost, collaborating with a vendor third party to process online payments is very common. However, like a double-edged sword, outsourcing business operations and services can be a huge risk for the merchants that rely on them. One of the major risks merchants face in a vendor third-party collaboration is payment card-related cybercrime.

Ensuring that a vendor implements high-level security standards and complies with PCI DSS can be challenging. Typically, for large businesses and enterprises, incurring the heavy cost of a comprehensive PCI DSS implementation and ongoing compliance is not a big deal, but for smaller businesses such as Independent Service Organizations or third-party service providers, mostly with a staff strength of 50-100 people, it gets very difficult and expensive to sustain such ongoing expenses. This is where Vendor Third-Party Risk Management plays a key role in minimizing risk.

In this blog we explain what Vendor Third-Party Risk Management is all about and share details on PCI DSS Requirement 12 as it relates to Vendor Third-Party Risk Management. But let us first understand who a vendor third party is in the payment card industry.

Who is a Vendor Third Party?

In the payment card industry, a vendor third party is any service provider or vendor that stores, processes or transmits cardholder data (CHD) on behalf of the merchant. Since they have access to sensitive card data, their operations have a direct security impact on the cardholder data environment (CDE). For this reason, merchants need to evaluate the risk before proceeding with any vendor for business collaboration, and need to have a vendor third-party risk management program in place to mitigate risk and ensure compliance. So, now that we know who a vendor is, let us move on to understand vendor third-party risk management.


What is Vendor Third-Party Risk Management?

Vendor Third-Party Risk Management (VTPRM) is a risk management process that specifically focuses on identifying and mitigating risks concerning the vendors that businesses collaborate with for outsourced services. It is a process of evaluating vendors and service providers to determine their risk exposure and the security measures they have in place. It is an essential and integral process in various compliance and cyber security programs. Specifically, in PCI DSS, merchants are expected to have vendor third-party risk management programs in place to track and monitor all vendors and service providers dealing with sensitive card data. Further, as per PCI DSS requirements, vendors are also expected to ensure compliance with the payment security standard.

That said, it is also important to note that Vendor Third-Party Risk Management is often confused with, and used interchangeably for, Third-Party Risk Management. However, they are two different programs: Vendor Third-Party Risk Management focuses only on vendors and service providers, whereas Third-Party Risk Management encompasses evaluating all types of third parties. The scope of a Vendor Third-Party Risk Management program greatly depends on the organization, its industry, and its regulatory and compliance requirements. But in general, Vendor Third-Party Risk Management is seen as a best practice in cyber security and compliance programs, including PCI DSS.

What does PCI DSS say about Vendor Third-Party Risk Management?

PCI DSS compliance applies to any organization that deals with card data, be it processing, storing, or transmitting it. In that sense, PCI DSS applies to vendor third parties and service providers offering outsourced services. So, organizations that have outsourced their payment operations, system management, and data processing services are also required to ensure that their vendors are compliant with PCI DSS requirements.

The PCI Council, in PCI DSS Requirement 12.8, requires merchants to manage their third-party vendors. The requirement focuses on vendor management and mandates that organizations develop and execute policies and processes to manage vendors and service providers having access to cardholder data. The table below briefly explains the sub-requirements of PCI DSS 12.8 concerning vendor management. These requirements apply in addition to the rest of PCI DSS whenever third-party vendors are involved; they are not the only requirements a merchant must meet.

PCI DSS Requirement 12.8
Maintain and implement policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data.

PCI DSS Requirement 12.8.1
Maintain a list of service providers including a description of the service provided.
Merchants are required to maintain a detailed list of the service providers and vendors they deal with, along with a detailed description of all the services provided. This makes it easier to monitor all service providers having access to the card data. It also helps determine the level of risk exposure to the card data outside the organization's environment.

PCI DSS Requirement 12.8.2
Maintain a written agreement that includes an acknowledgment that service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
Merchants are expected to have contracts and agreements in place with the vendors they work with, to ensure that roles and responsibilities are well defined and that reasonable security measures are implemented to protect the card data.

PCI DSS Requirement 12.8.3
Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
Merchants are expected to conduct a thorough risk assessment of all their vendors and service providers to evaluate the risk exposure before entering into a contract with them.

PCI DSS Requirement 12.8.4
Maintain a program to monitor service providers' PCI DSS compliance status at least annually.
PCI DSS compliance applies to any organization dealing with card data. This includes the vendors and service providers who have access to the card data of the merchant's customers. So, it is the responsibility of merchants to ensure that their vendors are compliant with PCI DSS. For this reason, merchants are required to monitor and evaluate their vendors' compliance status annually. They need to maintain information and collect evidence from vendors on their compliance status by requesting their Attestation of Compliance (AoC).

PCI DSS Requirement 12.8.5
Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Merchants need to have a detailed document comprising not just the list of vendors and service providers they work with, but also the specific requirements applicable to each of them based on their service offering. This means roles and responsibilities should be clearly documented to ensure accountability and compliance with PCI DSS.

PCI DSS Requirement 12.9
Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

A written acknowledgment from service providers to their customers, accepting responsibility for the security of cardholder data, demonstrates their commitment to protecting that data and establishes accountability for meeting PCI DSS compliance requirements.

Final Thought 

Due diligence, documentation of compliance evidence, and monitoring of vendor third parties form the fundamental pillars of Vendor Third-Party Risk Management. Ultimately, Vendor Third-Party Risk Management is all about conducting the required due diligence, engaging with vendors while ensuring complete accountability through the contracts and agreements in place, and monitoring them from time to time. Ensuring vendors meet the PCI DSS requirements is one way of ensuring they have taken measures to safeguard customer card data.


Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.