PCI DSS & 3RD PARTY SERVICE PROVIDERS: A PUSH-ME, PULL-ME RELATIONSHIP. Katie Todd, CTP, Asst. Director of PCI Compliance & Merchant Account Services, Columbia University Global Treasury Operations. Tuesday, May 24, 2016
AGENDA: Defining Third Party Service Providers (TPSPs); How Does CU Manage TPSPs; Lessons Learned; Best Practices for Managing TPSPs; PCI Requirements; Q & A
THINGS A TPSP MAY SAY: "None of our other customers ask for this." "You're the Merchant, you're the one that has to maintain PCI compliance, not us."
WHAT IS A TPSP? Any business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. (Source: www.pcisecuritystandards.org)
TRADITIONAL TPSPs: Acquirers & Payment Processors; Payment Gateway Providers
OTHER SERVICE PROVIDERS
COLUMBIA UNIVERSITY: Approximately 350 Merchant Accounts; Over 80 Departments; Level 3 Merchant; 16 Schools and Medical Center; 16K Employees; 30K Students
HOW DOES CU MANAGE TPSPs? Who's Involved? Procurement Services, IT Security, Treasury. Locations: Morningside, Manhattanville, Medical Center, Nevis Labs, Lamont-Doherty, Faculty Practice Offices
HOW DOES CU MANAGE TPSPs? How does Columbia do it? Procurement Services: Services Compliance Checklist
MANAGING TPSPs: How does Columbia do it? Services Compliance Checklist, PCI section (if this section does not apply, check here): Does the project scope include integrating a method for accepting credit card payments? [ ] yes [ ] no. If yes, provide a list of services that will be provided and attach documentation that demonstrates the Supplier has achieved PCI DSS compliance. Validation documentation may vary (you must contact Treasury to review specific documentation requirements).
HOW DOES CU MANAGE TPSPs? How does Columbia do it? Procurement Services: Services Compliance Checklist. If PCI is checked: Treasury requests specific documentation (SOW, AoC, ASV); IT Security performs a Risk Assessment.
LESSONS LEARNED: THEN vs. NOW
LESSONS LEARNED: Bridging the communication gap. You MUST have a clear process in place. Be aware of modified or invalid PCI documentation.
NEW INITIATIVES: OnBase Repository (Documentation); RSAM Registration (Risk Assessment); Collaboration
BEST PRACTICES: (1) Have a clear policy & procedure in place for engaging service providers. (2) Identify the specific services the service provider will provide. (3) Perform proper due diligence and a risk assessment.
Here are 5 important questions you should ask upon hearing "We're PCI compliant": Did they self-attest to their compliance, or has their compliance been attested to by a third-party Qualified Security Assessor (QSA) in a Report on Compliance (RoC)? Does their PCI compliance extend beyond physical security and their infrastructure? * If the service provider is a hosting provider, does their compliance extend into the customer environment? * Does the service provider maintain a written Responsibility Matrix to allow for easy identification of their customers' responsibilities?
ADDITIONAL BEST PRACTICES: Promote transparency; Set expectations; Responsibility matrix; Develop a TPSP monitoring program
REVIEWING DOCUMENTATION
PCI REQs FOR MERCHANTS: 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data. 12.8.1 Maintain a list of service providers including a description of the service provided. 12.8.2 Maintain a written agreement. 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
PCI REQs THAT APPLY TO TPSPs: Requirement 3: Protect stored cardholder data. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Requirement 12: Maintain a policy that addresses information security for all personnel.
SUMMARY: Collaboration; Have a clear process; Documentation; Due diligence; Maintain documentation
REFERENCES: https://www.pcisecuritystandards.org/documents/pci_dss_v3.0_third_party_security_assurance.pdf