How to Choose the Best PCI Compliance Service Provider

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. If your business processes, stores, or transmits credit card data, you are required to comply with PCI DSS.

One way to achieve PCI DSS compliance is to outsource it to a PCI compliance service provider or a Qualified Security Assessor (QSA). A PCI DSS service provider can help you assess your security posture, implement security controls, and monitor your compliance.


Here are some quick tips for selecting the best PCI Compliance service provider:

  • Make sure the provider is a certified Qualified Security Assessor (QSA) and is listed on the PCI SSC QSA portal.
  • Ask about the provider’s experience with businesses of your size and industry, to make sure it has the expertise to meet your specific PCI DSS compliance needs.
  • Get references from other businesses that have used the provider. This is a great way to get feedback on the QSA’s services and customer support.
  • Compare the provider’s pricing and services to get the best value for your budget.

A few benefits of using a PCI compliance service provider:

  • Reduces the time and effort required to achieve compliance
  • Improves your security posture
  • Minimizes the risk of data breaches
  • Increases customers’ confidence in your business

Important considerations to keep in mind while selecting a PCI compliance service provider:

Step 1: Analyze the PCI compliant service providers

Before outsourcing services, it is important to evaluate the service provider’s financial stability, offerings, customer references, industry experience, and other such details. It is a standard due diligence practice to verify the service provider’s financial records for up to three years.

Technical expertise may be evaluated on the basis of previous projects, the platforms used, and the staff assigned. Competence can be validated through on-site assessments of the practices followed, or through live monitoring using virtual environments. To verify PCI DSS compliance and its scope, review the provider’s Attestation of Compliance (AOC) and Report on Compliance (ROC). These documents are the main deliverables of a PCI DSS compliance assessment.

Step 2: Ensuring PCI DSS compliance

While certain companies take security very seriously, others simply try to meet the minimum mandatory requirements of PCI DSS. A continuous validation and remediation process is vital, as are designated staff to maintain security.

The PCI Security Standards Council mandates annual PCI DSS compliance audits. Under PCI DSS requirement 12.8, outsourcing entities should regularly monitor their service provider’s compliance. You can verify a service provider’s PCI DSS compliance using the following steps:

  • Conduct surprise audits and regular validation. Perform frequent random audits initially, until the operation stabilizes. Constant monitoring locates problem areas, which can then be addressed appropriately.
  • The service provider’s information security policy and approach to security are particularly relevant for effective PCI DSS compliance. The focus should be on effective management of existing resources, rather than on adding new variables.
  • The definition of scope is an important aspect of PCI DSS compliance. Scope refers to the extent to which a service provider falls within the compliance guidelines. For example, a service provider may be PCI DSS compliant at one of its operations and not at others. The best approach is to segregate the PCI environment from the rest of the network and ensure that your designated PCI controls are implemented there. Reducing scope through network segmentation lessens exposure and the possibility of internal fraud. Segmentation also lets you scope out network areas that do not handle PCI data. This makes PCI DSS compliance cheaper to maintain by reducing security overhead, and it makes incident response easier.
  • Ascertain that strong access control measures are implemented. Access to cardholder data should be restricted by business need-to-know. This is the toughest part of achieving PCI DSS compliance. In an outsourcing relationship, access control should be defined by the outsourcer. Practices such as role-based access control built on the principle of least privilege are robust for securing sensitive information. It is mandated that access be based on allow-lists, with all other access requests denied.
  • Under PCI DSS requirement 11.2, external vulnerability scans must be conducted by an Approved Scanning Vendor (ASV) every quarter. The service provider may have an environment with public-facing IPs, or in certain cases (such as access through multi-protocol label switching (MPLS) environments with end-to-end connectivity) it may have none. An ASV scan applies only in the former case. It is recommended that virtual private networks be used even with MPLS environments, since MPLS transmissions are not themselves encrypted.
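The scope-reduction point above can be made concrete. The following is an added example, not code from the original article or from any vendor: it takes a constructed system inventory and an allow-list of zone-to-zone firewall rules (everything not listed is denied, matching the deny-all default described above) and estimates which systems are in PCI scope. The cardholder data environment (CDE) is always in scope; any zone with a permitted path into the CDE is treated as "connected-to" and therefore in scope as well. All zone names, system names and rules are hypothetical.

```python
"""Estimate PCI DSS scope from segmentation rules (constructed example).

Assumption: a zone that is permitted to send traffic into the CDE, directly
or through other permitted hops, is 'connected-to' and counted in scope.
This is a conservative reading; a QSA decides the real scope.
"""
from collections import deque

# Constructed inventory: system name -> network zone (hypothetical names).
SYSTEMS = {
    "pos-gw": "cde", "card-db": "cde", "tokenizer": "cde",
    "jump-host": "mgmt", "siem": "mgmt",
    "hr-app": "corp", "wiki": "corp", "dev-ci": "dev",
}

# Constructed allow-list rules: (source zone, destination zone, port).
# Anything not listed is denied (deny-all default).
RULES_WEAK = [
    ("corp", "cde", 443),   # the whole corporate LAN may reach the CDE
    ("mgmt", "cde", 22),
    ("dev", "corp", 443),   # dev reaches corp, which reaches the CDE
]
RULES_SEGMENTED = [
    ("mgmt", "cde", 22),    # only the management zone may reach the CDE
    ("dev", "corp", 443),   # corp no longer has a path into the CDE
]


def in_scope_systems(systems, rules, cde_zone="cde"):
    """Return the set of systems in PCI scope: every system in the CDE zone
    plus every system whose zone has a permitted path into the CDE."""
    # Reverse adjacency: destination zone -> zones allowed to send to it.
    senders_to = {}
    for src, dst, _port in rules:
        senders_to.setdefault(dst, set()).add(src)
    # Breadth-first walk backwards from the CDE over permitted rules.
    scoped_zones = {cde_zone}
    queue = deque([cde_zone])
    while queue:
        zone = queue.popleft()
        for src in senders_to.get(zone, ()):
            if src not in scoped_zones:
                scoped_zones.add(src)
                queue.append(src)
    return {name for name, zone in systems.items() if zone in scoped_zones}


if __name__ == "__main__":
    print("weak rules, in scope:     ", sorted(in_scope_systems(SYSTEMS, RULES_WEAK)))
    print("segmented rules, in scope:", sorted(in_scope_systems(SYSTEMS, RULES_SEGMENTED)))
```

With the weak rule set every system lands in scope; with the segmented rule set only the CDE and the management zone do, which is the cost saving the paragraph above describes.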

Step 3: Clearly specify project prerequisites

It is essential to define project requirements in the service level agreement between the client and the PCI compliant service provider. Needs such as network segmentation, redundancy of data and security components, load balancers, and servers should be explicitly defined by the client.

Since PCI DSS does not mandate redundancy, such needs must be defined by the outsourcer. For instance, companies requiring high data availability may request 100% redundancy. Similarly, you should explicitly define segmentation requirements with the PCI compliant service provider.

Restricting physical access to cardholder data storage locations is another aspect. It is common practice to use physical swipe cards with unique IDs that define each user’s access privileges. These may be used in conjunction with closed-circuit television and layered security measures to prevent access to sensitive data center areas. PCI DSS requirement 9.1 mandates appropriate facility controls, which could be either or both of these measures.

It is worth noting that PCI DSS is built on extensive, layered logical and physical security measures, and that it applies fully to data centers, including those providing managed services.
