Outsourcing your PCI requirements

Many businesses are hearing the benefits of pushing all their compliance duties to third parties. The trend is greatest with merchants exploring end point Point of Sale devices. They may achieve this through tokenization or proprietary encryption methods. Whether it is format preserving encryption (FPE) or an entirely new approach, there remain several important truths that must be understood and managed.

Paying for an end point device does not remove the duty of the business to ensure card holder data (or any other type of sensitive data) is secured and protected as necessary for the unique risks of the organization. It does place many of the operational duties upon the service provider, but the management remains a critical part of the process. In fact, most would argue it is the people and process that truly make the difference. (This has been highlighted in recent data breach notifications.)

So what are some things to consider?

I prefer to break down these requirements into strategic components that represent an intent by professionals and business owners to secure and maintain integrity within the operations. I welcome additional thoughts and direction.

  1. Identify – sensitive data requires a thorough assessment of the organization’s people and process to locate the pathways of, in this example, Card Holder Data.  The pathways provide direction at the system level, and allow for creating work flows to improve, restrict, and eliminate.  It is key to maintaining a sensitive data program to consider where the data resides, and to leverage mini-assessments to ensure future states match the compliant state of the organization.
  2. Verify – Assurance that data has been restricted and eliminated by incorporating a third party provider is only fruitful if the card holder environment is truly managed.  This also includes the service provider's systems – backend and frontend.  Security specialists must verify on an ongoing basis (consider adding to the corporate patch management process) that these systems are operating securely and in a compliant fashion – today and tomorrow.
  3. Control – When operations occur there are business cases that suggest a need for access to sensitive data.  In these instances, alternative approaches should be examined.  Creating exceptions will expand the necessary security control vigilance required – even in an outsourced FPE environment.

Additional thoughts and approaches?

James DeLuccia

2 responses to “Outsourcing your PCI requirements”

  1. Pingback: Outsourcing your PCI requirements « Providing answers to your questions about credit card, electronic payments and POS data security

  2. Some outsourced jobs may be done by specialized security scanners developed especially for compliance.
    I represent Positive Technologies (www.ptsecurity.com), which is an information security company that provides various services and develops a security scanner called MaxPatrol.
    Recently, I participated in the implementation of PCI DSS auditing scripts included in MaxPatrol for RHEL 4, 5, 6 beta (by the example of FC12).
    As a result of the research, some recommendations (our reading of the matter) were derived. You can find them at
    Hereafter, the whole cycle will be published.
