By now, we’re all well aware that PCI DSS compliance is required for any business that accepts online payments by credit or debit card. Yet even the savviest IT veterans who understand the ins and outs of the PCI equation can be fooled by the claims hosters and software as a service (SaaS) providers make about who carries the technical responsibility.
Oversights are rarely made for lack of knowledge. The problem is that numerous “invisible” or virtual elements come together behind the scenes of your service provider’s infrastructure and managed support, and if each party’s scope of responsibility is not rooted out and clearly defined, those hidden details can endanger your business.
Currently, the final report provided by qualified security assessors (QSAs) only allows room for very high-level, black-and-white disclosures. Without a place to disclose the important gray areas, it is difficult for the assessor to tell the true or whole story. Paying attention to two important nuances of your enterprise’s relationship with a third party will help IT stakeholders go deeper into the details and determine which pieces of the PCI DSS compliance pie they will have to eat, and which slices the hoster or SaaS provider can confidently consume.
Beware of service providers that make PCI compliance sound easy.
It may seem counterintuitive, but if a hoster or SaaS vendor promises you the moon and the stars, be on guard. It is tempting to assume that every service provider’s compliance provisions are equal, but this is not the case. Capabilities vary wildly depending on exactly what is offered and how far into the infrastructure stack the managed services reach. In hosting, for instance, if your virtual infrastructure is compliant up to the hypervisor, that does not guarantee compliance for your network, operating systems, data, or applications above it. Likewise, a SaaS application marketed as secure or compliant may itself be exposed to common and dangerous eCommerce threats such as SQL injection and cross-site scripting (XSS), which are defects in the application code, and the infrastructure it runs on may offer no compensating protection (such as a web application firewall) against them. Unfortunately, some suppliers take advantage of the high-level, generic way an attestation of compliance (AOC) is written and use their PCI compliance badge as a marketing tool, without the technical ability to deliver the security the standard requires.
Make sure you (and they) understand the single most important piece of paper in compliance.
To get the whole story, IT decision makers working with third-party service providers to protect eCommerce businesses need to scratch deeper than the surface of the AOC, because this is where the most common loopholes exist. Some hosters and SaaS providers appear compliant per the AOC, but only cover the easier controls and leave out the more technical, expensive, and challenging controls, such as anti-malware, two-factor authentication for remote access, system hardening, patch management, and log management. Read the AOC closely for which services and requirements were actually assessed, because anything not listed is still yours to cover. For you, this translates to a sieve of compliance rather than the well-fortified, well-functioning safeguard PCI DSS is intended to provide. Have lengthy and detailed discussions about the scope of compliance to reveal any shortcomings and avoid misunderstandings down the line. Plainly ask your vendors for a copy of their PCI responsibility matrix (or a similar document), and enter into a service provider agreement (SPA) that thoroughly lays out your responsibilities compared to theirs.
Your Next Steps
Once the work is done to unearth what your hosters and SaaS providers cover, and what they don’t, you will likely realize that at least a small portion of the responsibility for eCommerce security rests on your shoulders, and that is ok. If you are well versed in what you are responsible for and what your vendor should be managing, you can ensure that both of you are keeping your business not only at compliance, but beyond it.
Your compliance posture should be an intentional and well-crafted by-product of your overarching security program, and you have both a right and an obligation to dig as deeply as you can to determine the full reach of what your hosters and SaaS providers handle. Understanding that a current AOC does not mean your service provider is compliant at every level of their infrastructure is a step in the right direction. Back it up by aggressively requesting visibility into what is being delivered by third-party providers and by delineating your responsibilities versus your service providers’ responsibilities in writing.
Beyond that, given your vested interest in protecting your customers’ cardholder data, you may choose to get further involved. The PCI Security Standards Council is currently revising the PCI standards, with the revision to be announced in Q4 of this year. Consider contacting the Council to suggest that the standards should go deeper than a ‘yes’ or ‘no’ checkbox on compliance: in addition to data centers, the operations centers, networks, and every other layer of the hosting infrastructure should diligently meet the requirements in order to protect you and your customers. eCommerce businesses of all sizes have the next six months to influence the outcome of these standards and to have their voices heard.