PCI DSS: Pros and Cons of Outsourcing

Alastair Stewart | Senior Consultant at URM | Published on 9 Aug 2022

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing.

Pros of outsourcing

Reduction of scope and in-scope processes

Any storing, processing or transmitting of CHD on in-house systems immediately elevates those systems, and any component that protects them, to ‘high-risk asset’ status. As a result, these high-risk components should be adequately segmented from lower-risk components. Segmentation can be complex to set up and manage, and may affect the functioning of certain business processes, depending on the connections required.

If, on the other hand, you engage a third party to store, process or transmit CHD, the outsourced partner can supply any transaction information that is required for normal business processes, as well as shouldering the burden of handling CHD. Another benefit is removing the encryption key management function from your business: PCI-compliant key management can be both complex and expensive.

Lowering the cost of highly specialised staff

For organisations which operate on a large or global scale and which choose to keep the cardholder data environment (CDE) in-house, there will almost inevitably be a requirement to employ specialist IT security staff to handle the ongoing compliance requirements of the PCI DSS. By outsourcing the compliance processes, the need for these specialised staff members, who often command high salaries, will be reduced.

Transfer of breach costs

Should your worst-case scenario occur and your organisation suffer a breach of CHD, the costs can be devastating, e.g. PCI SSC, ICO and specific industry regulator fines and potential class-action lawsuits, not to mention reputational damage. By carefully drafting contracts and SLAs, the burden and the majority of the consequences of a breach can be shifted to the third party (if it is responsible for the breach).

Cons of outsourcing

Loss of control

By outsourcing the management of CHD, you will inevitably lose a degree of control. Sharing this data with partners, customers and other third parties can become problematic. It’s important to consider the future needs of your business to ensure that the data doesn’t become inaccessible.

Lack of oversight

As with any third-party relationship, there is an element of trust involved. Industry research constantly reminds us that the biggest threat to our organisations is the ‘insider threat’. With any outsourcing arrangement, there is a lack of oversight or control over hiring policies and practices, background checks and the overall security culture.

Reliance upon third-party stability

When outsourcing, there is also a natural dependence on the ongoing viability of your service provider, e.g. its financial and operating stability. As part of your due diligence when selecting a partner, you need to be checking financial reports, reliance on certain clients and single points of failure (SPOFs), business continuity arrangements, etc.

In a future blog we will look at ways of mitigating some of the above risks if your organisation decides to outsource the management of your CHD.

Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions, along with supporting the completion of self-assessment questionnaires (SAQs).
