Service Providers with Access to Cardholder Data

No organization can do everything themselves. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third-party or vendor. That’s why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

PCI Requirement 12.8.1 specifically asks that you maintain a list of service providers including a description of the service provided. This will help to identify where potential risk extends to outside of your organization.

To verify compliance with PCI Requirements 12.8 and 12.8.1, an assessor will observe and review your policies and procedures, as well as your list of service providers with access to cardholder data.

It’s unlikely that any organization within this industry can do everything by themselves. We find that most organizations have service providers that help them to manage some aspect of their environment or perform some type of activity on behalf of them.

Wherever you have service providers within your environment, PCI Requirement 12.8.1 requires that you have a program established to maintain, or at least to manage, the ongoing compliance of the organizations that interact with cardholder data on your behalf. To maintain this vendor management program, you need to keep a list of every organization that would be considered a service provider: any individual or organization that interacts with cardholder data on your behalf. Your assessor is going to ask for this list.

Screening Candidates

PCI Requirement 12.7 impacts your human resources department and hiring process. We’ve focused so much on external risks, but PCI Requirement 12.7 asks organizations to screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Background checks could include previous employment history, criminal record, credit history, and reference checks.

Background checks are a common aspect of hiring processes, but they are a requirement of the PCI DSS because personnel will be handling cardholder data. You want to be sure that whoever is handling cardholder data isn’t going to do so in a malicious or careless way. What if you hired someone who had a criminal record, and they ended up using PANs in an unauthorized way? Screening potential personnel is a way to prevent situations like this from occurring and to reduce risk to your cardholder data.

In PCI Requirement 12.7, the assessor is going to want to spend a little bit of time with your HR individuals. From the PCI DSS perspective, you are required to perform some type of background check on the individuals you hire. This isn’t required for all individuals; it’s really only required for those individuals who might have access to more than one piece of cardholder data at a time. Your assessor is going to look for evidence that the background checks have taken place. We’re not so much concerned with the merits of the background check – we just want to verify that the background check has taken place.

Education for Personnel

As part of your security awareness program, PCI Requirement 12.6.1 asks that you educate personnel upon hire and at least annually. The PCI DSS recognizes that if your security awareness program does not include periodic refreshers or training, key security policies and procedures may be forgotten or circumvented, which could result in exposed or at-risk critical resources and cardholder data.

This education could be different for every employee or department, depending on their role and level of access to cardholder data. To verify compliance with PCI Requirement 12.6.1, an assessor will review your security awareness program and will also likely interview a sample of your personnel to see if they understand their responsibilities and cardholder data security policy and procedures.

PCI Requirement 12.6.1 requires that you educate personnel upon hire and at least annually. The annual clause is there because you’re going to be amending, updating, or reviewing your policies at least annually, so to meet the requirement that your staff understands what those policies are, they need to go through the policy and the annual security awareness training program. Your assessor is going to be looking for evidence of that.

Developing a Security Awareness Program

PCI Requirement 12.6 requires that your organization implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. Without compliance with this requirement, how would your program even work properly? If personnel are not educated and aware of their security responsibilities, security safeguards and processes that you’ve worked hard to develop and implement may become ineffective through intentional or unintentional actions.

An assessor wants to see that your personnel can operate in your environment securely. To verify compliance with PCI Requirement 12.6, they will want to review your security awareness program and what type of training you provide. An assessor will also likely interview a sample of your personnel to see if they understand their responsibilities and cardholder data security policy and procedures.

PCI Requirement 12.6 requires that you implement a security awareness training program. There are many things we look for in this program. We look for evidence that you are training your staff on how to carry out their actions within your environment securely; we’re not necessarily looking for training on the PCI DSS itself. What we’re really looking for is whether they can operate your environment securely. Your security awareness training program is called out in PCI Requirement 12.6, and your assessors are going to ask for a copy of that training material, or at least to observe it, to see what you’re actually training for.

Someone to Monitor and Control All Access to Data

PCI Requirement 12.5.5 states, “Monitor and control all access to data.” Really, this is the whole point of PCI compliance, isn’t it? Without someone formally responsible for monitoring and giving access to cardholder data, that data does not have the protection it needs.

Throughout the PCI DSS, there are references to key management, data custodians, and granting access based on a business need to know; these topics all factor into PCI Requirement 12.5.5. This role might not be the data owner, but it is someone who ensures that the access given is appropriate, that technical safeguards are in place, and that suspicious activity is monitored and analyzed when it arises. Without someone assigned to this role, gaps in processes will open access into critical resources or cardholder data.

We get to PCI Requirement 12.5.5, and we need to have somebody who is formally responsible for monitoring access to cardholder data. What this comes down to is the concept of the data security owner and the data security custodian. In this case, somebody needs to be responsible for managing who has access to the data and making sure that the access is appropriate.