Like any business, you take payments for the services and products you provide. At one time, the only payments you could take were cash or check, since you started out as a small operation just building your customer base. As the number of customers grew, you learned that taking other types of payment methods would be more accommodating for people who are ordering in other states and for international customers. So you need to work with a service provider who offers debit card, credit card and electronic payment services to businesses.
What is a PCI-Compliant Service Provider?
Many businesses are under the impression that major credit card companies and payment brands (VISA, MasterCard, Discovery, and others) are payment card industry (PCI) compliant service providers as they handle all the transactions, storage, and transmission of card information for payment processing. Yet many players provide electronic payment services, and each company must meet PCI compliance to protect customers’ personal financial information from data breaches and fraud.
In fact, any company that is involved with the storage, processing or transmission of cardholder data is considered a service provider. So a company that impacts the security of such data is also considered a service provider. A service provider can be any of the following:
- Third-party marketing firms
- Payment gateways
- Transaction processors
- Outsourced application development companies
- Managed security service providers
- POS maintenance vendors
- Independent sales organizations
- Hosting companies
- Data destruction firms
As a business owner, it will be your responsibility to evaluate every company that handles your electronic payment services, not just those service providers who are involved in payment transactions. Each service provider must be PCI-compliant so you can rest assured that your customers’ information is protected and handled correctly.
Meeting PCI-DSS Compliance
The best way to narrow down your search for PCI-compliant service providers is to check their PCI data security standards (PCI-DSS) compliance status. This method ensures that they have the internal security controls in place required by the PCI Data Security Standards Council (PCI-SSC). The PCI-DSS is a global standard that was adopted by all payment card brands to apply to service providers and is set by the PCI-SSC. To meet compliance, a service provider must have the following goals for their internal controls:
- Creating and maintaining secure networks
- Protect cardholder data when in storage, and during transmission through public networks by using encryption methods
- Having a vulnerability management program to protect software programs, systems, and applications
- Applying strong access control measures to prevent unauthorized employee access
- Monitor secure networks to track access to cardholder data and regularly test security systems
- Develop and maintain an information security policy for all your employees
A reliable service provider who is dedicated in maintaining PCI compliance will have undergone a PCI assessment and security validation. Each payment card brand has its own set of validation and compliance levels for assessment, yet most follow the same validation requirements:
The service provider must obtain a PCI DSS Level 1 assessment conducted by a Qualified Security Assessor (QSA) to create an annual report.
If their operations don’t fall under the Level 1 assessment requirements, they must perform a PCI DSS Level 2 through 4 annual Self-Assessment Questionnaire (SAQ) when not required to send in a compliance report.
The service provider must obtain a vulnerability network scan provided by an Approved Scan Vendor (ASV).
The network scan needs to be performed every quarter as a way to validate that the service provider is adhering to all PCI-DSS security requirements for Internet-facing infrastructures and environments.
A service provider must attest that it has performed all annual assessment requirements based on the PCI data security standards.
This attestation can be done by submitting an Attestation of Compliance.
Selecting PCI-Compliant Service Providers
The best way to select a PCI-compliance service provider is to check their compliance status. Each payment card brand has a registry list of service providers that have met all standards. For service providers who go through a self-assessment, you should ask to see the PCI-DSS compliance documentation. If the service provider cannot provide proof of either having an on-site assessment done by a QSA or a self-assessment, then it would be in your best interests to work with a different company.
After checking their PCI compliance documents, you can validate their security procedures by asking the following questions and performing background research:
Has your company ever experienced a data breach?
How a company recovers from a data breach and the amount of damage that has been experienced can help you determine if the service provider is one that you can trust with your cardholder’s private information. Ask the company how many data breaches they have experienced and what types of procedures were in place to minimize data loss. You will also want to find out what steps the service provider takes in regard to offering identity fraud protection toward customers who have had their personal financial information compromised.
What procedures are included in your incident response plan?
An incident response (IR) plan provides written steps that companies take to detect a data breach, how they respond to the incident, and how do they limit the effects of the security risk. An in-depth incident response plan can assure you that they have the procedures in place to identify threats, contain them and fully recover from the threat as quickly as possible.
What types of background checks are performed on authorized employees?
Employees who will be storing, handling or transmitting cardholder data must undergo a background check in accordance to PCI-compliance standards. In addition to performing regular background checks upon hiring employees for their business, the service provider should also be performing more in-depth background checks to ensure that employees are knowledgeable and experienced in maintaining PCI-DSS requirements.
Does your company have any complaints filed against their business, or recommendations provided by clients?
Not only should the company be eager to provide client recommendations to attest to the reliability and trustworthiness of their operations, they should also be inclined to provide any information about complaints that have been filed against them through the Better Business Bureau (BBB). This information can give you a greater transparency on how the service provider handles complaints and issues.
I.S. Partners, LLC Helps Companies Maintain PCI Compliance
Here at I.S. Partners, LLC, we provide third-party assessments so that service providers meet PCI-DSS requirements. We have a team of Qualified Security Assessors on staff who are certified by the PCI Data Security Standards Council. Our firm can perform audits on security management and data storage systems to ensure that compliance has been met on an annual basis.
