The Payment Card Industry Data Security Standard (PCI DSS) aims to improve credit, debit and cash card transaction security and protect cardholders from breaches of their personal information.
Since its establishment in 2004 and the formation of the Council in 2006 by Visa, Mastercard, Discover, JCB and American Express, the standard has been regularly revised, and businesses are again adjusting their security controls to comply. This time, it’s with version 4.0, which, among other provisions, requires more strict multi-factor authentication when accessing the cardholder data environments, updates password requirements, and more clearly defines roles and responsibilities needed for each requirement.
Additionally, managing third-party risk has become a top priority for businesses under the new guidelines. Since 61% of companies have reported a third-party data breach in the last 12 months, it’s something companies should already be focusing on.
Here are some key impacts for businesses that aim to manage third-party risk in a way that is compliant with PCI DSS 4.0:
1. More Thorough Due Diligence: PCI DSS 4.0 advises enhanced due diligence processes when engaging third parties. Organizations are now expected to evaluate the security measures and compliance status of their vendors more rigorously. The diligence process can include:
2. Ongoing Monitoring: The new guidelines stress the importance of continued monitoring of third-party vendors. Regular assessments and reviews are advised to ensure vendors remain in compliance for the duration of the contract and can include:
3. Stricter Contracts: Incorporating PCI DSS compliance clauses into contracts with third parties is advised under the guidelines. Contracts must clearly define the security responsibilities and obligations of the vendors.
4. Incident Response: Vendors must have well-defined incident response procedures under PCI DSS 4.0 and must coordinate effectively with the contracting organization in case of any data breaches or security incidents.
5. Secure Data Handling: Organizations are advised to thoroughly understand where and how cardholder data is handled by third parties. The guidelines cover both data flow and data storage.
6. Assessing Risk: The updated guidelines call for third-party risk assessment to become an integral part of all comprehensive risk assessments.
7. Evidence Documentation: Organizations should thoroughly document all TPRM activities. This includes records of due diligence, monitoring activities, contractual agreements, and risk assessments related to third-party vendors.
8. Awareness and Training: The revised standards highlight the importance of ensuring that third-party vendors are trained on PCI DSS requirements. This includes vendors’ staff.
What the updated guidance boils down to is that organizations that have handled third-party risk reactively in the past need to learn to be proactive to thrive in the future.
So what else can companies do to comply with PCI DSS 4.0?
There are several best practices to remember when creating a system that will relieve the burden of assessing TPSP security. These will save time and effort and shore up vulnerabilities in their security practices. These include:
Some organizations have the resources in-house to upgrade their security practices to the point of compliance with PCI DSS v4.0. But for others, it’s a Herculean effort that will require finding a security and risk-management partner.
The good news is that capable partners exist today. A partner capable of delivering robust TPSP security will provide a central platform to automate all third-party service providers’ onboarding, inventory, and management. They will build comprehensive third-party profiles with continuously updated cyber, business, financial, compliance and reputational insights.
The right partner can also centralize vendor contracts’ distribution, discussion, retention, and review to ensure key security requirements are included and enforced. They can also automate risk assessments and remediation across every stage of the third-party lifecycle while continuously tracking and analyzing external threats to TPSPs to ensure timely identification and mitigation of risks.
Using payment cards online will be safer in the future than it has been, and that will be largely thanks to organizations across the business landscape implementing the requirements of PCI DSS.
However, businesses that lack the resources to make the necessary changes must not fear the requirements. They can partner as required to manage risks to their organizations and the many third parties who help their business run.