PRINCETON, N.J. (8/11/14)--The Payment Card Industry (PCI) Data Security Standards Council has issued guidance to help financial institutions and retailers minimize the risk associated with third-party contracts and payment breaches.
Among the areas covered in the guidance are third-party due diligence, service provider requirements and compliance, and written-agreement policies and procedures.
About 65% of data breaches involve a third party, PCI Council Chief Technology Officer Troy Leach told Bank Info Security (Aug. 7).
"The use of a third-party service provider (TPSP) does not relieve the entity of ultimate responsibility for its own PCI compliance, or exempt the entity from accountability and obligation for ensuring that its cardholder data and cardholder data environment are secure," the paper said. "Clear policies and procedures should therefore be established between the entity and its TPSPs for all applicable security requirements, and proper measures should be developed to manage and report on the requirements."
Because about 45% of card breaches involve retailers, Leach said the council decided to offer additional guidance on PCI obligations related to third-party contracts and services.
The guidance addresses best practices rather than new requirements, Leach said.