The Myth of Instant PCI Compliance Through Outsourcing

If your business accepts credit cards as a form of payment for goods and services, you must be PCI compliant. This is mandated by the card brands, including Visa, Mastercard and American Express, and enforced through your acquiring bank.

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive framework designed to protect cardholder data. Unfortunately, some businesses mistakenly believe that by outsourcing payment processing to a service provider, they automatically achieve PCI compliance. This oversimplification creates a false sense of security and, in practice, often results in non-compliance.

The Reality

1. Partial Scope Reduction:

  • What It Means: Outsourcing payment processing can reduce the scope of PCI compliance for you as the merchant. The third-party provider handles the actual capture, storage, processing and transmission of cardholder data (CHD). How much your scope shrinks depends on how the integration is built: for example, a fully hosted payment page or iframe keeps CHD off your systems, whereas a web page that posts card data directly to the provider from your own code still places that page in scope.
  • The Caveat:

Partial Scope Reduction means that only a portion of the requirements are addressed. You as the merchant remain responsible for other critical aspects of PCI compliance, including:

  • Regular Security Assessments: Conducting ongoing security evaluations and vulnerability scans of the systems that remain in scope to identify and address potential risks.

  • Security Policies & Procedures: Developing, implementing, and enforcing comprehensive security policies and procedures within the organization.

  • Incident Response Plan: Establishing and maintaining a plan to quickly and effectively address any security breaches or incidents.

  • Compliance Monitoring: Continuously monitoring compliance with all relevant security standards and regulations.

  • Employee Security Awareness Program: Educating employees about security best practices and potential threats through a structured awareness program.

  • Information Security Policy: Creating and maintaining an information security policy to guide the organization’s security practices and ensure regulatory compliance.

  • Other requirements may apply depending on your merchant level and integration; consult a PCI expert (for example, a Qualified Security Assessor) to confirm which requirements apply to your business.

2. Shared Responsibility:

  • What It Means: While the third-party provider handles cardholder data (CHD), you as the merchant still interact with the payment ecosystem. This means you have to ensure your own systems align with PCI DSS requirements.
  • The Catch: You (the merchant) remain accountable for securing your environment, including any systems that connect to or could affect the security of the third-party service. Additionally, PCI DSS Requirement 12.8 obliges you to keep a list of your service providers, hold written agreements with them, and monitor their compliance status at least annually.

3. Ongoing Compliance Efforts:

  • What It Means: PCI compliance isn’t a one-time event. It requires continuous monitoring, employee awareness, vulnerability assessments, and reporting.
  • The Reminder: Outsourcing doesn’t exempt you from these ongoing efforts. Regular assessments are crucial.

4. Reporting and Documentation:

  • What It Means: You must submit compliance reports (e.g., a Self-Assessment Questionnaire or a Report on Compliance) to your payment processor or acquiring bank. Contact them and ask exactly what they need from you before you are caught by surprise.
  • The Reality Check: Outsourcing doesn’t eliminate this requirement. You must demonstrate compliance, even if you rely on a third party for the heavy lifting.

Best Practices

Understand Your Role:

  • What It Means: Know which aspects of PCI compliance are your responsibility and which are that of the third party. Your payment application provider will be able to supply you with a responsibility matrix, allowing you to visualize what needs to be done on your end.
  • The Key: Collaborate with the third party to ensure alignment.

Due Diligence:

  • What It Means: Choose a reputable third-party provider, ideally a PCI Level 1 Service Provider. Verify their compliance status and security practices.
  • The Reminder: Regularly review your third party's compliance documentation. Request a current Attestation of Compliance (AOC) and confirm that the services you actually use are listed within its scope.

Monitor Changes:

  • What It Means: As the payments landscape evolves, so do compliance requirements.
  • Stay Informed: Keep up with updates to PCI DSS and adjust practices accordingly. You can ask your payment processor or acquirer, or monitor the PCI Security Standards Council website at https://www.pcisecuritystandards.org/

Outsourcing payment processing applications streamlines operations and helps you with the heavy lifting, but it doesn't grant instant PCI compliance. You must actively participate, understand your obligations, and maintain vigilance. Compliance is a shared responsibility, and thorough due diligence is essential to protect both your business and your customers' data.

Remember, while outsourcing helps with the heavy lifting, it’s not a silver bullet. Stay informed, stay compliant!

We recommend contacting your payment processor/acquirer and a PCI expert to ensure you are doing what is required for your business. If you are not getting all the answers that you need, you can contact our PCI Assist Team!
