In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing.
Pros of outsourcing
Reduction of scope and in-scope processes
Any storing, processing or transmitting of CHD on in-house systems, immediately elevates those systems, and any component that protects them, to ‘high-risk assets’ status. As a result, these high-risk components should be adequately segmented from lower-risk components. Segmentation can be complex to set up and manage and may affect the functioning of certain business processes, dependent on the connections required.
If, on the other hand, you engage a third-party to store, process or transmit CHD, the outsourced partner can supply any transaction information that is required for normal business processes, as well as shouldering the burden of handling CHD. Another benefit is removing the encryption key management function from your business. PCI compliant key management can be both complex and expensive.
Lowering the cost of highly specialised staff
For organisations which operate on a large or global scale and which choose to keep the cardholder data environment (CDE) in-house, there will almost inevitably be a requirement to employ specialist IT security staff to handle the ongoing compliance requirements of the PCI DSS. By outsourcing the compliance processes, the need for these specialised staff members, who often command high salaries, will be reduced.
Transfer of breach costs
Should your worst scenario occur and your organisation suffers a breach of CHD, the costs can be devastating, e.g. PCI SSC, ICO and specific industry regulator fines, potential class-action lawsuits, not to mention reputational damage. By carefully drafting contracts and SLAs, the burden and majority of the consequences of a breach can be shifted to the third-party (if it is responsible for the breach).
Cons of outsourcing
Loss of control
By outsourcing the management of CHD, you will inevitably lose a degree of control. Sharing this data with partners, customers and other third-parties can become problematic. It’s important to consider the future needs of your business to ensure that data doesn’t become inaccessible.
Lack of oversight
As with any third-party relationship, there is an element of trust involved. Industry research constantly reminds us that the biggest threats to our organisation is the ‘insider threat’. With any outsource arrangement, there is a lack of oversight or control over hiring policies and practices, background checks and the overall security culture.
Reliance upon third-party stability
When outsourcing there is also a natural dependence on the ongoing viability of your service provider, e.g. financial and operating stability. As part of your due diligence when selecting a partner, you need to be checking financial reports, reliance on certain clients/ SPOFs, business continuity arrangements etc.
In a future blog we will look at ways of mitigating some of the above risks if your organisation decides to outsource the management of your CHD.
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
URM can help you achieve ISO 27001 certification
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.
In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard....
URM is sharing its experiences on how the changes to the PCI DSS v4 affect the assessment process and how organisations can best prepare for the differences.