Effective Third-Party Risk Management Under PCI DSS 4.0

Prevalent's COO & CSO Brad Hibbert shares key insights for third-party risk compliance for the payment card industry.
August 06, 2024

Editor's Note: This article, authored by Prevalent's COO & CSO Brad Hibbert, was originally published on www.securityboulevard.com.

The Payment Card Industry Data Security Standard (PCI DSS) aims to improve the security of credit, debit and cash card transactions and to protect cardholder data from compromise.

Since the standard was first released in 2004 and the PCI Security Standards Council was formed in 2006 by Visa, Mastercard, Discover, JCB and American Express, it has been revised regularly, and businesses are once again adjusting their security controls to comply. This time it is with version 4.0, which, among other provisions, requires stricter multi-factor authentication for access into the cardholder data environment, updates password requirements, and more clearly defines the roles and responsibilities for each requirement.

Additionally, managing the risk posed by third-party service providers (TPSPs) has become a top priority for businesses under the new guidelines. With 61% of companies reporting a third-party data breach in the last 12 months, it is something companies should already be focusing on.

Here are some key impacts for businesses that aim to manage third-party risk in a way that is compliant with PCI DSS 4.0:

1. More Thorough Due Diligence: PCI DSS 4.0 calls for enhanced due diligence before engaging third parties. Organizations are now expected to evaluate the security measures and compliance status of their vendors more rigorously. The diligence process can include:

  • Vendor Assessment and Selection
  • Security Evaluation
  • Compliance Status
  • Background Checks
  • Risk Rating and Classification
  • Initial Audits

2. Ongoing Monitoring: The new guidelines stress the importance of continued monitoring of third-party vendors. Regular assessments and reviews are advised to ensure vendors remain compliant for the duration of the contract. These can include:

  • Regular assessments, including annual reviews and security questionnaires
  • Performance metrics and reporting, including security incident reports and compliance reports
  • Automated Monitoring Tools, which can include security information and event management (SIEM) and vulnerability scanning

3. Stricter Contracts: The guidelines call for PCI DSS compliance clauses to be incorporated into contracts with third parties. Contracts must clearly define the security responsibilities and obligations of the vendor, including clauses that outline:

  • Security Responsibilities: Defining the security responsibilities of both the organization and the vendor, including the specific PCI DSS requirements that the vendor must adhere to.
  • Compliance Verification: Stipulating the organization’s right to verify the vendor’s compliance through audits, assessments, and reviews.
  • Incident Management: Detailing the vendor’s obligations in the event of a security incident, including notification timelines, investigation cooperation, and remediation actions.
  • Liability and Indemnification: Including provisions for liability and indemnification to protect the organization in case of a security breach or non-compliance by the vendor.
  • Data Handling and Protection: Specifying how cardholder data should be handled, stored, and protected by the vendor. This includes encryption, access controls, and data retention policies.
  • Termination Clauses: Outlining the conditions under which the contract can be terminated due to non-compliance or security breaches. This includes provisions for the return or destruction of cardholder data upon termination.

4. Incident Response: Under PCI DSS 4.0, vendors must have well-defined incident response procedures and must coordinate effectively with the contracting organization in the event of a data breach or security incident.

5. Secure Data Handling: Organizations are advised to thoroughly understand where and how cardholder data is handled by third parties, covering both the flow of data between parties and where it is stored.

6. Assessing Risk: The updated guidelines call for third-party risk assessment to become an integral part of every comprehensive risk assessment.

7. Evidence Documentation: Organizations should thoroughly document all third-party risk management (TPRM) activities, including records of due diligence, monitoring, contractual agreements, and risk assessments related to third-party vendors.

8. Awareness and Training: The revised standards highlight the importance of ensuring that third-party vendors, including their staff, are trained on the PCI DSS requirements that apply to them.

What the updated guidance boils down to is that organizations that have handled third-party risk reactively in the past need to learn to be proactive to thrive in the future.

So what else can companies do to comply with PCI DSS 4.0?

More Actionable Steps

There are several best practices to keep in mind when building a system that will ease the burden of assessing TPSP security. They save time and effort and close gaps in an organization's third-party security practices. They include:

  • Utilize pre-built templates for third-party risk assessments tailored to PCI DSS and other relevant standards.
  • Implement workflow and task management to ensure efficient and consistent assessments and timely risk triage.
  • Centralize assessment results and correlate them with real-time cyber and data breach monitoring data to validate the effectiveness of security controls.
  • Provide built-in remediation recommendations based on assessment outcomes to ensure timely resolution of risks.
  • Continuously track and analyze external threats, including monitoring the internet and dark web for potential cyber threats and vulnerabilities related to TPSPs.

To Build or to Partner?

Some organizations have the in-house resources to upgrade their security practices to the point of compliance with PCI DSS 4.0. For others, it is a Herculean effort that will require finding a security and risk-management partner.

The good news is that capable partners exist today. A partner capable of delivering robust TPSP security will provide a central platform to automate the onboarding, inventory, and management of all third-party service providers. They will build comprehensive third-party profiles with continuously updated cyber, business, financial, compliance and reputational insights.

The right partner can also centralize the distribution, discussion, retention, and review of vendor contracts to ensure key security requirements are included and enforced. They can also automate risk assessments and remediation across every stage of the third-party lifecycle while continuously tracking and analyzing external threats to TPSPs to ensure timely identification and mitigation of risks.

Using payment cards online will be safer in the future than it has been, and that will be largely thanks to organizations across the business landscape implementing the requirements of PCI DSS.

However, businesses that lack the resources to make the necessary changes must not fear the requirements. They can partner as required to manage risks to their organizations and the many third parties who help their business run.