Merchant Use of Third Parties

Are you aware that more often than not in cases of payment card compromise a third party contributed to the breach?

Learn what to do to protect your organization and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) when working with third parties.

In over half of the payment card breaches TrustWave investigates, they find that a third party contributed to the breach by opening the compromised merchant to risk. This sobering statistic shows that a merchant can’t stop at their own computer network environment when it comes to complying with the Payment Card Industry Data Security Standard (PCI DSS) and protecting cardholder data.

If you use a PC product or third party integrated product for your transaction processing, then you have responsibility to take reasonable and appropriate steps to safeguard cardholder account information. It is critical that every merchant ensure that its vendors, processors, software providers, payment gateways or other service providers adhere to the same security requirements.

Merchants using a third party need to confirm whether account information is being passed and/or stored on merchant internal systems, whether account information is being passed and/or stored on third-party vendor internal systems, or both. In addition,Internet merchants using shopping cart software that receives and passes cardholder information are responsible for safeguarding cardholder account information and identifying use of a third-party shopping cart to their acquirer/processor.

In the event of a breach, the card associations will hold the compromised merchant responsible, regardless of a third party’s contribution. As a result, a merchant should contractually require that any entity providing any service to them related to the storage, processing or transmission of cardholder data meets the PCI DSS requirements. Keep in mind, this may also include IT firms or any entity connected to an organization’s environment even if those services are completely unrelated to cardholder data.

Working with third parties can help you run your business more efficiently and allow you to concentrate your efforts on your core business goals. The suggestions and links below can help you benefit from working with third parties while maintaining the security of your business.

Know Your Third Parties

To begin, you must first confirm what third parties provide you with what services. For each third party you contract with, gather information on the following:

  • The name of the vendor and start/end date of their contract
  • Services/products provided
  • How these entities connect to your environment
  • What access do they have to the computer network?
    • How much access do they need?
    • Their PCI DSS compliance status
      • Plans to maintain PCI DSS compliance
      • Whether PCI DSS compliance stipulations appear in the contract

Payment Applications

Seventy-two percent of all compromises investigated by TrustWave’s SpiderLabs division stemmed from weak Point-of-Sale (POS) software. Of that 72 percent, not one of those applications adhered to Visa’s Payment Application Best Practices (PABP)—a set of guidelines developed by Visa to aid payment application vendors in developing secure payment applications.

While a merchant must comply with the entirety of the PCI DSS, the first, and perhaps most important step they can take to protect themselves is using a PABP-adherent payment application. Visa maintains a list of PABP-validated applications.

For all payment applications, merchants should:

  • Ensure their payment application is on Visa’s list (including the application’s version number)
  • Confirm that the payment application they use has been implemented in accordance with the PCI DSS
  • Stay current on all patches released by the vendor for their payment application

Card Payment Service Providers

The card associations define service providers as any entity that processes, stores or transmits cardholder data on behalf of association members, merchants or other service providers. A key step you can take to protect your business is to use a PCI DSS-compliant service provider. When dealing with service providers, consider the following:

  • Choose a service provider listed on either Visa’s or MasterCard’s list of PCI DSS-compliant service providers
    • Visa
    • MasterCard
    • Before signing a contract with a third party, require that they show proof of PCI DSS compliance
    • Any contract should:
      • State that the third party is responsible for the security of any cardholder data they process, transmit or store
      • Assign liability in the event of a breach
      • Require notification should any change in their computer network affect their PCI DSS compliance

Miscellaneous Third Party Due Care

Even if a third party connected to your network does not directly handle cardholder data, they can still put you at risk. If a third party needs access to your network (e.g., to support a device)—even if it is completely unrelated to the processing, storage or transmission of cardholder data—take the following into consideration:

  • If possible, move the supported device to a segment of the network that does not touch cardholder data
  • If not:
    • Ensure any sessions between you and the vendor are encrypted using Secure Shell (SSH), Secure Socket Layer (SSL). Virtual Private Network (VPN), Transport Layer Security (TLS) or a combination
    • Require a unique ID and password for each third party
    • Limit the permissions granted to that vendor (only allowing access to what’s necessary)
    • Only allow traffic through the firewall from a trusted vendor location (and do not leave that access open at all times—require the vendor to call-in before the connection is enabled)

Merchants should keep and maintain a list of these sorts of vendors and ensure their permissions, user IDs and passwords expire with their contract.

Incorporating the information above into your data security policy will not guarantee your PCI DSS compliance. It is merely a broad overview of topics you should consider when engaging third parties.

Merchants who use a third party vendor that stores data

  • Merchant requirement to identify if cardholder data is stored on the internal systems of a Merchant Servicer or Third Party Servicer. NOTE: Your merchant application asks what software and vendor you use.
  • Merchant requirement to notify us (i.e. within 3 days) of any changes or additional third parties.
  • Merchant requirement to only use Third Party Servicers or Merchant Servicers that are on Visa CISP or comparable PCI list
  • Merchant requirement to only use Third Party Servicers or Merchant Servicers that are registered with their acquiring bank
  • Merchant requirement to have an agreement with third party
  • Merchant requirement to retain legal control of data if they use a third party
  • Merchant requirement to notify Global if merchant or third party have a security breach

The merchant application is being redesigned to better support collection and tracking of cardholder data storage locations to ensure merchant and vendor compliance. In addition, the third-party database will identify whether or not the third party Certified Application Provider (CAP) stores transaction data. As indicated above, Third Party Servicers and Merchant Servicers must be Visa CISP compliant in addition to being registered with the acquiring bank. If the third party database indicates that CAP stores data, then a new field for “Registration” must indicate “Yes” for a new merchant to use this vendor effective September 30,

2004. To view, click “CAP THIRD PARTY DATA”.