In Part I, we discussed the evolving nature of payments and how universities face a complex ecosystem of various vendors. Managing risk around all these vendors and ensuring compliance can be a tall order. In Part II, we look at more specific ways that universities can vet, validate, and assess vendor partnerships to ensure that PCI compliance is achieved and maintained.
Questions to Ask Your Vendors
Whether you’re partnering with a payment application vendor, payment terminal vendor, payment processor, software as a service, or some other third party service provider, you’ll want to ask the right questions to ensure that they have solid controls in place for card data security. Consider the following questions, which are taken directly from the PCI Security Standards Council, to make sure you feel confident that your vendors are able to adequately protect sensitive data that they may touch or control.
Security of Products and Solutions
-
Does your solution/product ensure the secure capture and transmission of cardholder data?
-
Does our agreement with you (the vendor) include clauses that state that you will maintain PCI DSS compliance for your product/service (or become PCI DSS validated)?
-
Does your product/solution store payment card information locally (in my store/shop location)?
-
Does your product/solution protect payment card information with strong encryption?
Security of Installation
-
If vendor is installing a payment application from the PCI Council’s List of Validated Payment Applications, ask: Are you a PCI Qualified Integrator or Reseller (QIR)?
Ongoing Support & Maintenance
-
Is your product/solution installed on my network or systems?
-
Is the solution installed on systems owned and maintained (hosted) by the service provider?
-
Is the solution installed on systems owned and maintained (hosted) by the service provider?
-
Is the solution/product required to integrate with my other systems—for example, payment terminals, accounts receivable, or other systems that contain cardholder data?
Data Breach Protocol
-
In the event that there is a data breach and your product/solution is involved:
-
If I experience penalties, do you offer support and protection?
-
How and when do you notify me if there is a breach?
-
What monitoring for data breaches and suspicious activities do you provide?
-
-
Does the vendor/service provider carry insurance to cover data breaches related to their product/solution?
-
Does the vendor/service provider assist with notification of my customers in the event of a data breach and your product solution is the root cause?
Best practices for managing vendors
Protecting your organization from liability requires due diligence and adherence to certain best practices for managing third party providers. Consider the following steps to ensure that you remain protected:
Have written policies and agreements in place. These should clearly dictate procedures and any security requirements, including how to report on requirements.
Identify PCI DSS requirements that are applicable to TPSPs. This can help separate responsibilities between your entity and your TPSPs in order to evaluate who owns which compliance responsibilities.
Conduct a risk assessment of a TPSP prior to engagement. Use an experienced vendor to complete and document a risk assessment of all potential partners, such as the PCI DSS Risk Assessment Guidelines.
Require updates on each TPSP’s compliance status. This type of monitoring can ensure that your vendors are remaining compliant in their own right. Additionally, you’ll want to be sure to obtain the correct validation document (per the PCI Security Standards Council’s ‘Information Supplement: Third-Party Security Assurance’), which may include a Report on Compliance (ROC), an Attestation of Compliance (AOC), or a Self-Assessment Questionnaire (SAQ). You may also consider requiring additional written verification that the provided services fall within the scope of one of these compliance attestation documents.
At the end of the day, vetting vendor candidates and exercising due diligence is critical to keeping a finger on the pulse of PCI compliance —and how that compliance may shift as a result of certain partnerships. Also beware of nested TPSPs (or entities that may be contracted to provide services by another TPSP) and how they may impact your PCI compliance.
Partners in PCI Compliance
For treasurers and other university stakeholders responsible for managing PCI DSS compliance, we have good news. Arrow Payments specializes in helping you reduce scope and streamline compliance across departments and campuses.
Better yet, our expertise in point-to-point encryption (P2PE) can help reduce your scope —and associated costs —of PCI compliance. We understand the complexities of managing payments operations in a higher ed environment. Schedule a free consultation today to see how we can help ease your burden and potentially provide cost savings.
