Case study: How outsourcing services enable PCI DSS compliance


Spyro Malaspinas, Contributor
06.10.2008

In late 2007, nearly four years after the inception of the Payment Card Industry Data Security Standard, Visa reported that only 65% of all Level 1 merchants were compliant with the standard.

And while the veracity of this number is highly debated, it's clear through my tenure as a Qualified Security Assessor (QSA) and security consultant that both large and small organizations are still struggling with PCI, mostly because of a few specific requirements. For many, outsourcing responsibilities, including those related to PCI, will bring these companies closer to full compliance, reducing overall risk and exposure in the handling of cardholder data.

Deciding which operations an organization should outsource, however, is a complicated matter, but one that can be illustrated by the efforts of ACME Bank, a pseudonym for a real customer of mine. Using ACME as an example, let's examine the compliance pros and cons of outsourced services.

Case study: ACME Bank to offer online expense management services
ACME Bank wanted to provide online expense-management reporting for its corporate accounts. The desired service would allow corporate financial accountants to view, report, sort, dispute, approve and label employee expenses as they appear online, in real time.

The capabilities required to architect and plan an effective service were certainly within the functional capabilities of ACME bank's technical team. However, the service needed to be PCI-compliant and required robust security controls. As a result, an internal team sought out an analysis of the compliance and security benefits that a service provider would offer ACME Bank.

Benefit 1: Reduction of PCI footprint -- The handling of financial data is often haphazard at best. By outsourcing cardholder data storage, processing, reporting or hosting, organizations can shrink their PCI scope and in many cases remove their entire infrastructure from the burdens of PCI.

In utilizing a service provider to provide online reporting for its customers, ACME Bank was able to transfer all of the key PCI responsibilities to its online expense-management provider, including:

  • Transferring cardholder data securely to corporate customers and employees
  • Managing all user access and credentials to cardholder data
  • Delegating the burdensome logging of all access to cardholder data
  • Re-assigning complicated encryption and key management functions

ACME Bank eliminated all cardholder data from its online infrastructure. As a result, the outsourcing removed the need for PCI compliance and other costly, disruptive third-party assessments of that environment. Any remediation efforts that would otherwise have been required were also avoided, saving the organization an estimated several hundred thousand dollars.

Benefit 2: Reduction of high-priced labor -- Because of the high demand for IT resources, the salaries of today's compliance and security experts often eclipse six figures. Given the sensitive nature of cardholder data and the need for 24x7 monitoring for security incidents, ACME Bank estimated that it saved 4-6 full-time positions for the online infrastructure alone. These savings compounded significantly when ACME considered the cost of employing additional OS admins, network engineers, security staff and application experts to manage the new offering. Using an outside team, personnel savings were estimated at $700,000 annually in total compensation.

Benefit 3: Cost of breaches -- It should be no surprise that the cost of a breach is often devastating; fines can exceed tens of millions of dollars. Negative publicity and rumors may also take their toll on a company's value, and financial services firms are especially prone to criticism following a reported data breach, since they are then suspected of having lax security controls.

Through outsourcing and properly constructed contracts, ACME Bank shifted the burden of breaches and any subsequent fines to its service provider, which hosted, processed and stored all cardholder data for ACME's corporate customers.

Drawbacks to PCI compliance outsourcing
With all of the benefits of outsourcing, though, there are some pains that are worth considering:

Consideration 1: Inflexibility and the loss of data control -- When outsourcing, the management of the data that is stored on your service provider's premises may not be as easily accessible to partners, customers and the like. Careful consideration and planning should ensure that your service provider accommodates current and future needs.

Consideration 2: Financial stability of service providers -- Still a concern today is the financial health of the service providers being entrusted with an organization's valuable cardholder data. The service providers under consideration should stand on firm financial ground, offer geographically redundant sites, and be able to provide a healthy list of notable clients and partners who have been with the company for a significant period of time. In the event of an emergency or financial crisis, there should be specific triggers within the contract that allow for the recovery of all data and systems that are stored on location.

Consideration 3: Personnel security -- Not to be discounted when looking for a service provider are the rigors of the background checks performed upon your service provider's personnel. Sensitive cardholder data will be entrusted to these employees. Any contractual agreement should allow for background checks, preferably performed by a mutually agreed-upon third party.

Conclusion
Although outside services bring their own challenges and considerations, external providers can often reduce costs and relieve compliance burdens. Most if not all credit card processors and hosting companies provide secure access to sensitive cardholder data through application, network, physical and database-level controls that are often lacking in many large organizations. Many of these services have already undergone PCI assessments themselves. By choosing a certified PCI service provider, merchants can be assured that the provider's infrastructure has met the rigors of a third-party assessment. Visa maintains a list of up-to-date PCI-certified service providers (pdf).

About the author:
Spyro Malaspinas, CISSP, CISM, CISA, GCIH, CCNA, CSPFA, CCSE+, NSA, Six Sigma, is a principal at ThreeFactor Security and can be reached at spyrom@threefactor.com. Spyro formerly served as the PCI practice leader at Symantec Corp., a senior security consultant at VeriSign Inc., and a security architect at IBM. He has performed compliance assessments, remediation, and risk and compliance program management functions for some of the largest merchants and service providers worldwide.

