The payment industry has a long tradition of outsourcing, partnering, and collaborating across a wide set of organizations. Many parties are involved each time a customer buys something with a plastic card, pays a bill or sends funds overseas. The wider business world is waking up to the concept of the extended enterprise. This is when several organizations work together to achieve something that none of them could have realized alone.
Collaboration is one of the strengths of the payment industry. Third-party collaboration can be massively beneficial to all parties involved but it may also bring with it a greater sense of security risk. After all, a partnership is only as strong as its weakest link, so if one partner has a weaker security setup than the others it can be a danger to all parties.
Unlike a traditional supply chain, where value and risk travels up and down a set of organizations in a linear fashion, the extended enterprise is a complex network of relationships. Risks arise from the underlying outsourced activity, but also from involvement with third parties. Being interconnected, all organizations are affected by the culture and practices of others in their network.
Indeed, in one high-profile case, attackers breached the security of a large U.S. retailer via their air-conditioning vendor and stole the data of millions of credit and debit cards. This type of risk is hard to monitor for, short of completely self-isolating your business from others, which is very difficult, however this risk can be managed.
Effective risk management within an extended enterprise is no longer merely understanding your organization’s supply chain in a linear fashion and managing it as such. It’s about understanding the network of different relationships your organization may be part of, and how you manage the risks that arise together.
In August 2014, the Payment Card Industry Security Standards Council (PCI SSC) released Information Supplement: Third-Party Security Assurance to help organizations and their business partners reduce risk by better understanding their roles in securing card data.
The PCI SSC defines a "third-party service provider" as an entity that is not a payment brand (i.e., card scheme) directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.
Various businesses could fall into this category, depending on the services they provide. For example, those securing cardholder data, installing or otherwise supporting point of sale equipment, protecting the cardholder data environment (e.g., at a data center), or those who may have incidental access to cardholder data or the data environment, such as providers of managed IT services.
The PCI SSC makes clear that the use of third-party service providers does not relieve an organization of ultimate responsibility for its data security compliance. Nor does it exempt them from accountability and the obligation for ensuring that its cardholder data and cardholder data environment are secure.
So, while an organization may outsource a function, it cannot outsource the responsibility or liability for PCI compliance.
