How to Select the Right PCI-Compliant Service Provider
Any entity that stores, processes or transmits payment card data is obliged to comply with the Payment Card Industry Data Security Standard (PCI DSS), the published standard for protecting cardholder data. Following PCI DSS closely not only protects your customers from fraud and theft, it also protects your business from the fines and other sanctions that acquirers and card networks can impose if your systems are breached.
Many service providers exist that can not only help you achieve PCI compliance, but also help reduce the scope of your own assessment.
What is a PCI-Compliant Service Provider?
As the name suggests, a PCI-compliant service provider has demonstrated, to the satisfaction of the card networks and its acquirers, that it meets PCI DSS requirements. How it demonstrates this depends on volume: just as merchants are assigned to one of four levels based on their annual transaction volume, service providers are assigned to one of two levels based on the number of card transactions they store, process or transmit annually.
Tier Two (Level Two) Service Providers
Level 2 covers service providers that store, process or transmit fewer than 300,000 card transactions a year. They may self-assess: an annual Self-Assessment Questionnaire (SAQ D for Service Providers), signed together with an Attestation of Compliance (AOC), is enough to attest compliance, without an on-site assessment by an independent assessor.
Tier One (Level One) Service Providers
Level 1 covers service providers that store, process or transmit more than 300,000 card transactions a year. These providers must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), a more rigorous and comprehensive examination that results in a Report on Compliance (ROC) and an AOC.
Why it Matters that your Service Providers are PCI Compliant
As with most serious standards and regulations, PCI DSS extends the responsibilities of those under its umbrella to their partners. If your systems are subject to PCI DSS, it is also your responsibility to ensure that the third-party service providers you share cardholder data with, or that can affect its security, are compliant: Requirement 12.8 expects you to keep a list of these providers, hold written agreements with them, perform due diligence before engaging them, and monitor their compliance status at least annually. Failure to do so threatens your own compliance standing.
This makes sense: giving an off-site provider access to systems that store cardholder data creates an opportunity for leakage if that partner's own security controls are sub-par.
So ensuring your service providers are PCI compliant serves the same two purposes as complying with PCI DSS yourself: it protects your customers, and it shields you from potentially damaging industry sanctions.
The Best way to Ensure Service Provider PCI Compliance
Obviously, you’ll need to ask all the right questions, and ensure you see the relevant documentation from your potential service provider partners.
For Level 2 service providers, ask for:
- The annual Self-Assessment Questionnaire, SAQ D for Service Providers
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
- The annual penetration test (repeated after significant changes)
- Quarterly internal vulnerability scans
- The Attestation of Compliance (AOC)
For Level 1 service providers, ask for:
- The annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA)
- Quarterly external vulnerability scans by an ASV
- The annual penetration test (repeated after significant changes)
- Quarterly internal vulnerability scans
- The Attestation of Compliance (AOC)
In both cases, read the AOC rather than just filing it. Check that it is dated within the last twelve months, and that the services it lists as assessed are the services you actually use: a provider can be validated for one product and entirely unassessed for another. Ask, too, which PCI DSS requirements the provider manages on your behalf and which remain yours, so that nothing falls between the two of you.
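The evidence lists above are easy to collect once and then forget. As an added example, not code from this page's author or from any provider it names, the script below reviews a small provider register against those lists: it flags an AOC older than twelve months or one that does not cover a service you use, a validation method that does not match the provider's level, fewer than four quarterly ASV or internal scans (or a gap longer than a quarter, including the gap from the last scan to today), and a missing or stale penetration test. The provider names, dates and services are constructed, and the thresholds (365 days, 92 days for the longest calendar quarter) are this script's own assumptions.

```python
"""Review a register of third-party service providers against the evidence a
merchant is expected to hold. Constructed example: names, dates and services
are made up, and the thresholds are assumptions, not PCI SSC-mandated values."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

ONE_YEAR = timedelta(days=365)
MAX_QUARTER_GAP = 92  # longest calendar quarter, in days (assumption)
REVIEW_DATE = date(2024, 6, 30)  # the day this sample review is run


@dataclass
class Provider:
    name: str
    level: int                              # service-provider level, 1 or 2
    services_used: list[str]                # what we actually rely on them for
    aoc_date: date | None                   # date on the Attestation of Compliance
    aoc_services: list[str]                 # services the AOC says were assessed
    roc_by_qsa: bool = False                # Level 1: on-site ROC by a QSA
    saq_d_sp: bool = False                  # Level 2: SAQ D for Service Providers
    asv_scan_dates: list[date] = field(default_factory=list)
    internal_scan_dates: list[date] = field(default_factory=list)
    pentest_date: date | None = None


def quarterly_findings(label: str, dates: list[date], today: date) -> list[str]:
    """Expect four dated results in the last year and no gap longer than a
    quarter, counting the gap from the most recent result up to today."""
    recent = sorted(d for d in dates if timedelta(0) <= today - d <= ONE_YEAR)
    out: list[str] = []
    if len(recent) < 4:
        out.append(f"only {len(recent)} {label} in the last 12 months (need 4)")
    seq = recent + [today]
    for a, b in zip(seq, seq[1:]):
        if (b - a).days > MAX_QUARTER_GAP:
            out.append(f"{label}: {(b - a).days}-day gap between {a} and {b}")
    return out


def check_provider(p: Provider, today: date) -> list[str]:
    """Return findings for one provider; an empty list means the evidence is current."""
    findings: list[str] = []

    # The AOC must exist, be dated within 12 months, and name every service we
    # use: a provider can be validated for one product and unassessed for another.
    if p.aoc_date is None:
        findings.append("no AOC on file")
    elif today - p.aoc_date > ONE_YEAR:
        findings.append(f"AOC dated {p.aoc_date} is older than 12 months")
    missing = sorted(set(p.services_used) - set(p.aoc_services))
    if missing:
        findings.append("services not covered by AOC: " + ", ".join(missing))

    # The validation method must match the provider's level.
    if p.level == 1 and not p.roc_by_qsa:
        findings.append("Level 1 provider without a QSA Report on Compliance")
    if p.level == 2 and not (p.saq_d_sp or p.roc_by_qsa):
        findings.append("Level 2 provider without SAQ D (Service Provider) or ROC")

    findings += quarterly_findings("ASV scans", p.asv_scan_dates, today)
    findings += quarterly_findings("internal vulnerability scans", p.internal_scan_dates, today)

    if p.pentest_date is None or today - p.pentest_date > ONE_YEAR:
        findings.append("no penetration test in the last 12 months")
    return findings


def review_register(providers: list[Provider], today: date) -> dict[str, list[str]]:
    """Map each provider name to its list of findings."""
    return {p.name: check_provider(p, today) for p in providers}


# Constructed sample register: one provider with current evidence, one without.
SAMPLE_REGISTER = [
    Provider(
        name="ExampleVault", level=1,
        services_used=["tokenization"], aoc_date=date(2024, 1, 15),
        aoc_services=["tokenization", "gateway"], roc_by_qsa=True,
        asv_scan_dates=[date(2023, 9, 10), date(2023, 12, 5), date(2024, 3, 1), date(2024, 5, 28)],
        internal_scan_dates=[date(2023, 9, 12), date(2023, 12, 6), date(2024, 3, 4), date(2024, 5, 29)],
        pentest_date=date(2023, 11, 1),
    ),
    Provider(
        name="ExampleHosting", level=2,
        services_used=["hosting", "backups"], aoc_date=date(2023, 3, 1),
        aoc_services=["hosting"],
        asv_scan_dates=[date(2024, 1, 10), date(2024, 4, 2)],
    ),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as-is, the first provider comes back clean and the second collects six findings (stale AOC, a service the AOC does not cover, no SAQ D, two ASV scans instead of four, no internal scans, no penetration test). The point of the script is the shape of the check: evidence is tied to a date and to a list of assessed services, not to a yes/no "compliant" flag.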
That said, before you get to the point of double-checking documentation, it’s wise to start your shortlist of potential partners from one of the card network lists, as they have already done much of the work of verification:
- Visa Global Registry of Service Providers
- The Mastercard SDP Compliant Registered Service Provider List
- Details on AmEx’s approved service provider program
Avoiding Trouble with non-PCI-Compliant Service Providers
Having used the card network lists to build your shortlist, you still need to check the current state of each provider's compliance. Data breaches do happen, and, while they are supposed to be reported, there have been numerous cases where organizations have tried (successfully or not) to avoid publicity.
So, be direct and ask questions like:
- Has your company ever experienced a breach? If so, when, and how was it remediated?
- Does your company have any complaints against it from, among others:
- Customers
- Payment processors
- Payment gateways
- Card networks
- Has your company ever had a relationship with a payment processor terminated by the other party, and if so, why?
- What types of background checks are performed on authorized employees?
- What processes do you have in place to verify your own partners that come under PCI-DSS scope?
While these may seem intrusive, without the full and complete confidence that your service providers are fully PCI compliant, you are putting your own compliance - and thus your access to the broader payment ecosystem - at risk.
Key PCI-Compliant Service Providers
There are three types of service provider in particular whose PCI compliance you need to confirm:
- Merchant service providers, or payment service providers (PSPs). These are the intermediaries between your business and the other players needed to process card payments (gateways, card networks, acquiring and merchant banks). The largest and best-known providers will have a current Level 1 AOC readily available; as you move to smaller, more specialized (e.g. high-risk) providers, it becomes increasingly important to ask the questions above and see the evidence.
- Other third-party service providers. Harder to define, these are the providers that support your payment system in less obvious ways. If your system runs on a cloud platform, the platform must be compliant for the services you use, and you must understand the shared-responsibility split: the provider's AOC covers the infrastructure it operates, not how you configure and secure what you build on it. If a managed services provider maintains and administers your systems, it too must demonstrate its compliance. As with PSPs, at the high end you should be in good shape, but smaller, more specialized providers (colocation sites, for instance, or boutique consulting firms) demand more careful verification.
- Tokenization service providers. As merchants add automation to their payment systems, they use tokenization providers to collect, store and transmit cardholder data on their behalf, so that the merchant's own systems hold tokens rather than primary account numbers. Establish a protocol for evaluating the provider's PCI compliance (the token vault must be within the scope of its assessment), the protection of data both in motion and at rest, and the provider's operating procedures. Bear in mind that tokenization reduces scope rather than eliminating it: any component that handles card data before it is tokenized, or that can retrieve the underlying card data from the vault, remains in scope. Basis Theory is one such provider. With Basis Theory, you can keep much of your system out of scope, and give yourself opportunities to automate and to optimize your costs.
Choosing the Right Service Provider For Your Business
When choosing a PCI-compliant service provider - regardless of level - each organization should consider a number of factors to ensure the provider is the right fit.
Organizations should consider the provider's experience and expertise, reputation, and cost, to name a few factors, to ensure that provider's services meet the true business need.
Remember, however, that PCI compliance is an ongoing process. The right provider at a single point in time may not be the right provider in the future. Continue to monitor your security environment and continue to assess which providers can help your organization as your business model and customer base grows.
If you are interested in a fully programmable vault that helps you create engaging commerce flows, connect with any partner, effortlessly manage compliance, and keep control of your payments data, contact us to learn more.