Evaluating Managed Service Providers’ PCI DSS Compliance

You need a managed service provider to outsource information technology services for your organization, but since you are in the payment card industry, they will need to be PCI DSS compliant. So you Google the service you need, compile a list of possible vendors, review their website and see that critical PCI DSS logo, so you are good-to-go, right? Maybe.

The PCI Data Security Standard (“DSS”) is a set of information security standards published by the PCI Security Standards Council (“SSC”) for companies that store, process or transmit cardholder data. The PCI DSS includes twelve requirements that companies are required to implement in order to be PCI DSS compliant. When considering PCI DSS compliant service providers it is critical to understand which of their service offerings have been validated as PCI DSS compliant and which requirements were included in the assessment. If I had a nickel for every time a client said “they are PCI DSS so we are OK” I could buy a gallon of gas.

A datacenter hosting provider is a good example to illustrate the challenges you may face when selecting a managed service provider. Datacenter hosting providers may have multiple service offerings from the traditional “rack and pipe” offering where they provide the facility, network connectivity and power, but the hardware and management of the devices remain in your controls, to a fully managed solution where the hosting provider is responsible for managing the complete information technology environment. Add to the mix the cloud service offerings from many of the datacenter hosting provider and it can be quite challenging to determine where your compliance requirements end and the datacenter hosting provider’s responsibilities begin.

The first step to determine the managed service provider’s PCI DSS compliance status is to ask them for evidence of a recent onsite assessment by a Qualified Security Assessor (“QSA”). Upon completion of a PCI DSS assessment, an Attestation of Compliance (“AOC”) and Report on Compliance (“ROC”) are issued. As part of your vendor selection process ask the managed service provider for the AOC and ROC. Some organizations may not provide the full ROC, as it may contain confidential information, but only provide evidence of which requirements were included in the PCI DSS assessment. However you should not stop there. During a recent PCI DSS engagement, I reviewed the PCI DSS evidence from a managed hosting provider with my client and at first glance it appeared that 11 of the 12 requirements were covered by the datacenter hosting provider’s ROC. The client was under the initial impression that the datacenter hosting provider would take care of 11 PCI DSS compliance requirements, leaving only one requirement for my client to deal with. Of course that was not the case. The majority of the requirements covered in the scope of the managed hosting provider’s ROC applied only to their infrastructure but did not extend to the hosted clients’ environment. This is why your due diligence should not stop at this first step.

The next step is to review the scope of the assessment with the managed service provider to determine if their PCI DSS compliant processes apply only to their internal processes or do they extend to the managed services they are purchasing. In my client example above, only a fraction of the requirements actually included the client’s infrastructure. Without performing this critical step of clearly articulating the division of responsibilities between you and the managed service provider, proper division of responsibility may not be understood. Even more important, critical security controls may not be properly implemented to secure the cardholder data environment.

The last step is to ensure the vendor management steps outlined in PCI DSS requirement 12.8 are followed for the managed service provider. This includes implementing a written agreement that documents the managed service providers PCI DSS requirements in relation to the services they provide and annually verifying their PCI DSS compliance.

As companies in the payment card industry look for ways to increase efficiencies and reduce information technology costs, managed service providers will continue to be an important partner to achieve that goal. However, as processes and technology that have an impact on cardholder data are outsourced, increased focus should be place on the PCI DSS requirements and overall security of the data.