The Payment Card Industry (PCI) Council has released updated guidelines to help merchants insure their Payment Service Providers (PSP) have implemented the necessary security measures to protect sensitive payment card data.
The update comes as part of PCI’s third-party security assurance program intended to boost credit and debit card security. The program forces Internet and Cloud service providers, online storage firms, call centers and other companies that offer services to retailers to disclose the needed security controls for protecting cardholder data.
Beginning July 2015, all merchants interested in maintaining PCI Compliance must obtain written assurance from each of their 3rd party service providers stating the level of security and the provider's readiness to handle credit and debit card data securely.
The full guidelines were developed by PCI’s special interest group and offer tips on merchant PSP relations when it comes to the shared responsibility for implementing PCI security measures. Furthermore, the guidance is intended to help develop consistent third-party agreements and policies with merchants and the 3rd party providers themselves.
According to Troy Leach, chief technology officer at the PCI Security Standards Council, the new set of guidelines comes as the result of more and more merchants outsourcing 3rd party services. Leach added that most merchants refrain from heavy investigating their service providers, believing they possess strong security controls.
“Often, service providers have relationships with other third parties. With such nested relationships it becomes especially important for merchants to ensure that cardholder data is adequately protected along the entire chain,” Leach added.
What are your thoughts? Is maintaining a tight relationship with your PSP important, or does it seem like overkill? Let us know in the comment section below.