PCI Requirement 12.8 is Your Friend

Each QSA has parts of the PCI DSS that they view as particularly important. For some, it is encryption; for others, firewall rules. For me, it is Requirement 12.8, which requires policies and procedures for managing service providers. It is not just me who thinks that merchants need to enforce security provisions with their service providers. I now have the Federal Trade Commission for company.

For those of you not familiar with PCI 12.8, it has four parts:

  • 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
    • 12.8.1 Maintain a list of service providers.
    • 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
    • 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
    • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Of particular interest is the second sub-requirement, which calls for a written agreement between you, the merchant, and your service provider in which the service provider acknowledges responsibility for the security of your cardholder data.

This means that when a merchant (or a service provider) outsources a payment function to a service provider, they need to apply the same risk assessment considerations as if they were doing the function internally.

I bring this up because, while doing some research on security breaches, I came across the recent hacking of the Federal Trade Commission’s site by the Anonymous group. According to this article from Dark Reading, the FTC seems to have given its contractors a pass on security. The article reports that:

…the $1.5 million contract to develop the sites initially included security provisions during the acquisition process but then dropped those requirements [emphasis added].

While some personal information was compromised, it appears the FTC breach was more of an embarrassment than anything else.

The lesson for merchants is clear: PCI Requirement 12.8 is your friend. Make sure your service providers commit to protecting your – and I emphasize “your” – cardholder data. Otherwise you may find your organization on the wrong end of a headline.