New PCI Guidance for Third-Party Risks Council Offers Best Practices to Prevent Payments Breaches
New PCI Guidance for Third-Party Risks
Troy Leach

Card data security risks posed by third parties have gotten renewed attention in recent months because of a string of U.S. retailer breaches that have compromised millions of credit and debit cards.

Now the Payment Card Industry Data Security Standards Council has come out with new guidance to help merchants and banking institutions mitigate the ongoing risks posed by third parties that process and, in some cases, inadvertently store payments data.

One goal of the guidance is to help ensure banks and merchants are adequately addressing payments risks in their contracts with third parties and performing ongoing due diligence to ensure sufficient levels of card security are maintained by their business partners, says PCI Council Chief Technology Officer Troy Leach.

But Leach explains during this interview with Information Security Media Group that the guidance is about best practices rather than new requirements.

Developed by a PCI Special Interest Group comprising merchants, banking institutions and third-party service providers, the new guidance provides recommendations for meeting specific requirements already included in version 3.0 of the PCI-DSS, he says.

"We recognize that businesses are rapidly adopting a third-party model," Leach says, citing one recent study that claimed 65 percent of data breaches involve a third party.

And because about 45 percent of card breaches involve retailers, Leach says the council determined it needed to offer some additional guidance about PCI obligations related to third-party contracts and services.

The Target breach, which was ultimately traced to the network compromise of a third party, may have been a catalyst for the guidance. But Leach says it's not just merchants who should be concerned about third-party risks. Banking institutions, too, are facing heightened scrutiny from regulators, which are calling for more attention to be paid to emerging third-party risks (see OCC's Curry: Third-Party Risks Growing).

"Many of the recommendations you will see here from the council highlight the same types of requirements you are starting to see at the federal level, regarding what service-level requirements may be needed to ensure security with third parties," Leach says.

Risks posed by third parties will be one of the subjects for discussion during the council's upcoming Community Meeting Sept. 9-11 in Orlando, Fla.

During this interview, Leach discusses why:

  • The council views security as being a shared responsibility among merchants, processors, banking institutions and service providers;
  • Penetration testing will play an increasing role in payment card security;
  • Devaluing card data will help ensure the entire payments chain, including third parties, is secure.

In his role as CTO and lead security standards architect for the PCI Council, Leach has developed and implemented a comprehensive quality assurance program. Before joining the council, Leach led the incident response program at American Express, where he reviewed more than 300 cases of account data compromises. Over the past 18 years, he has held positions in systems administration, network engineering, IT management, security assessment and forensic analytics.




Around the Network