PCI DSS: Pros and Cons of Outsourcing

Latest update:
9 Aug

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing.

Pros of outsourcing

Reduction of scope and in-scope processes

Any storing, processing or transmitting of CHD on in-house systems, immediately elevates those systems, and any component that protects them, to ‘high-risk assets’ status. As a result, these high-risk components should be adequately segmented from lower-risk components. Segmentation can be complex to set up and manage and may affect the functioning of certain business processes, dependent on the connections required.

If, on the other hand, you engage a third-party to store, process or transmit CHD, the outsourced partner can supply any transaction information that is required for normal business processes, as well as shouldering the burden of handling CHD. Another benefit is removing the encryption key management function from your business. PCI compliant key management can be both complex and expensive.

Lowering the cost of highly specialised staff

For organisations which operate on a large or global scale and which choose to keep the cardholder data environment (CDE) in-house, there will almost inevitably be a requirement to employ specialist IT security staff to handle the ongoing compliance requirements of the PCI DSS. By outsourcing the compliance processes, the need for these specialised staff members, who often command high salaries, will be reduced.

Transfer of breach costs

Should your worst scenario occur and your organisation suffers a breach of CHD, the costs can be devastating, e.g. PCI SSC, ICO and specific industry regulator fines, potential class-action lawsuits, not to mention reputational damage. By carefully drafting contracts and SLAs, the burden and majority of the consequences of a breach can be shifted to the third-party (if it is responsible for the breach).

Cons of outsourcing

Loss of control

By outsourcing the management of CHD, you will inevitably lose a degree of control. Sharing this data with partners, customers and other third-parties can become problematic. It’s important to consider the future needs of your business to ensure that data doesn’t become inaccessible.

Lack of oversight

As with any third-party relationship, there is an element of trust involved. Industry research constantly reminds us that the biggest threats to our organisation is the ‘insider threat’. With any outsource arrangement, there is a lack of oversight or control over  hiring policies and practices, background checks and the overall security culture.

Reliance upon third-party stability

When outsourcing there is also a natural dependence on the ongoing viability of your service provider, e.g. financial and operating stability. As part of your due diligence when selecting a partner, you need to be checking financial reports, reliance on certain clients/ SPOFs, business continuity arrangements etc.

In a future blog we will look at ways of mitigating some of the above risks if your organisation decides to outsource the management of your CHD.

Thumbnail of the Blog Illustration
Information Security
PCI DSS Remediation and Implementation

PCI remediation is an essential activity for any organisation wishing to fully comply with the applicable 12 technical and operational control requirements of the PCI DSS. Whilst many PCI remediation

Read more
Thumbnail of the Blog Illustration
Information Security
PCI SSC Remote Assessment Guidelines and Procedures

The PCI SCC has recently released a new remote assessment guidelines and procedures. Here we address a number of key questions: What are the Main Contents? What Led to it Being Published? And others.

Read more
Thumbnail of the Blog Illustration
Information Security
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence) is what makes for a happy and satisfied PCI Qualified Security Assessor (QSA)...

Read more
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.