In August, the Payment Card Industry (“PCI”) Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”) to help organisations reduce their risk by better understanding their respective roles in securing card data.
The Supplement was developed by the PCI Special Interest Group (“PCI SIG”) consisting of merchants, banks and third-party service providers, to help meet PCI Data Security Standard (“PCI DSS”) Requirement 12.8.
Under PCI DSS Requirement 12.8, an entity must maintain policies and procedures to ensure that service providers are securing cardholder data. In addition, under PCI DSS 3.0, effective from 1 January 2015, entities will be required to obtain a written acknowledgement of responsibility for the security of cardholder data from their service providers.
The Supplement focuses on practical recommendations to help meet the Requirements. Examples include:
- Conducting due diligence of Third-Party Service Providers (“TPSP”)
- Implementing a process to help organisations understand how services provided by TPSP meet the PCI DSS Requirements
- Developing written agreements and policies and procedures
- Monitoring TPSP compliance status
The Supplement could not come at a better time. Worldpay, a payment processor, reported in August that at least 6.57 million cards in the UK have been put at risk over the past three years as a result of security breaches. UK consumers are now becoming increasingly wary, and a survey commissioned by payments-provider PayPoint in May found that 55 percent of UK consumers view payment security as the most important factor in deciding how to pay.