2 min read

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print

Picture of David Gamey David Gamey : Nov 1, 2021 10:07:00 PM

humour pci Non-compliance lessons

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

Assume you can outsource your accountability for security and compliance.
Assume your service provider does everything for you and don't confirm your responsibilities.
Change service providers to save money.
Act surprised when your assessor asks you for your scans, pen-tests, code reviews, patching records, etc.
Exercise your right to audit clause (if you have one) and include your service providers inside your annual assessment at your cost.
Due diligence and preparation are just too boring.

Learn More

Seriously, if you want your assessment to be smooth and boring you may find these articles useful.

Third-Party Security Assurance and Shared Responsibilities https://www.pcisecuritystandards.org/documents/ThirdPartySecurityAssuranceMarch2016FINAL.pdf
Connected-to Service Providers https://www.pcisecuritystandards.org/documents/PCI-SSC-Connected-to-Service-Providers-Guidance.pdf
Reporting Requirements https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-ROC-Reporting-Template.pdf
All Known Published PCI FAQs indexed in one place https://controlgap.com/index-pci-frequently-asked-questions/
FAQ#1312 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/If-an-entity-uses-a-service-provider-that-is-not-PCI-DSS-compliant-how-does-this-impact-the-entity-s-compliance
FAQ#1065 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Should-service-providers-demonstrate-PCI-DSS-compliance-as-part-of-their-client-s-assessment-or-in-their-own-separate-assessment
FAQ#1369 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Does-PCI-P2PE-allow-for-partial-assessments-of-third-parties-with-services-that-will-be-used-in-one-or-more-P2PE-solutions

If you'd like more entertaining reads, try these:

Non-Compliance Lesson No. 1: Wait until your assessment to validate scope https://controlgap.com/blog/Non-Compliance-Lesson-No-1
The ENTITY (a scary PCI monster) https://controlgap.com/blog/the-entity-a-scary-pci-monster

If You Need Help

Compliance can seem as dry as toast. Normally, it only gets exciting when things go wrong like when you find problems during an annual assessment, facing a looming deadline, with senior management breathing down your neck expecting a pass. Last minute discovery of problems gets extremely stressful. Failure becomes an option. Remediation is not guaranteed and can often be risky, sub-optimal, and expensive.

PCI DSS has 12 high-level requirements and over 250 sub-requirements each of which is an opportunity for failure. The kinds of challenges we describe are often avoidable and manageable. After all, PCI is an open book exam and there should be no excuse for not being prepared. If you are struggling with business-as-usual compliance, or have challenges, we can help.