Solving the third-party risk management puzzle for PCI
One of the main PCI compliance challenges for businesses is how to accurately document and monitor the payment data and personal information they hold and share with third parties. The complexity of supply chains not only exposes this data to a much greater risk of loss, it also adds uncertainty over where the ultimate responsibility lies in protecting it.
The sheer volume of information flowing between partners and service providers makes it difficult to establish exactly what is being shared, who it’s being shared with, and how it’s being used. In fact, organisations often don’t know exactly what information they have shared with third-parties, and regularly overshare more data than is actually needed.
And because there are no agreed international standards for how third parties should be audited, a variety of different question sets may be used. So audit data – usually a collection spreadsheets – comes back in different formats from each supplier, to be processed manually by small teams. Then each third-party needs to audited individually to understand the risk it exposes the organisation to, and all third parties assessed collectively to identify which poses the most significant risk.
All this makes the assurance process extremely time- and labour-intensive, both for those assessing and being assessed. In many cases, it’s reduced to a tick-box exercise that’s inefficient and exposes organisations to risk. So how can third-party risk management processes for PCI compliance be simplified and made more effective, to mitigate the risks of data breaches, losses and penalties, and better protect payment data? I believe there are 6 keys steps to achieving this.
Classify information
All too often organisations don’t know what information needs to be protected, what data is covered by various laws and regulations or what Personal Identifiable Information is – let alone what data is covered by PCI DSS. So it’s critical to classify which data is covered by the PCI standards, all the locations it is stored in, and which third-parties have access to it. Data is usually classified into three broad categories: ‘Confidential,’ which qualifies for the highest degree of protection; ‘Internal,’ which is data not meant for public disclosure, but available to employees, such as company policies and standards, operational procedures and so on; and ‘Public,’ which is not governed by special protection measures.
Rating 3rd parties
Once data is classified, you can start to identify which partner organisations have access to which types of data, and where the greatest risks to your information assets are. You need to know what data of yours is held by partners and suppliers alike, and who they are sharing it with. It’s useful to start this process by asking partners what information they actually receive from you; as mentioned earlier, we’ve often seen organisations oversharing information, simply because staff are pressed for time, and may not always take the trouble to filter the data they send.
Ask the right questions
Having classified both your data and your 3rd parties, you’re ready to start assessing them. But it’s important to ask the right questions. PCI compliance audit questionnaires are wide-ranging but the sections which are relevant to each third party will depend on the role they perform for you (e.g. do they provide marketing services, or manufacture for you, or provide a business service). By asking only the questions which are relevant to the specific partner, you accelerate the process, get better quality results and ultimately save yourself time: making it easier to understand your risk posture.
Automation, automation, automation
In many organisations, compliance processes are run using manual, spreadsheet-based systems. These rapidly become unworkable with any significant number of 3rd parties; the process of assessment and identifying issues is simply too time-consuming, making it difficult to properly manage compliance activity and exposing the organisation to unknown levels of risk. As such it’s critical to automate the process, using an IT framework that gives a centralised structure and dashboard for efficient programme management; assessment templates based on common control standards (including PCI DSS); the ability to create multiple versions of assessments for different 3rd parties; automated tasks and workflow to track compliance activity; and analytics capabilities for external and internal reporting.
Break the annual cycle
Often, PCI compliance is treated as a one-off tick box exercise to be done annually. The reality, however, is that an audit simply means a business is compliant at the moment the assessment was completed. Policies and relationships change, so remaining compliant is a continual process. It’s the difference between passing your driving test, and being a good driver.
Course corrections
Having established your third-party risk management process and identified any potential or actual risks, don’t forget to take the necessary remedial actions with the appropriate partners. Depending on the scale of the risk, either don’t share data with them until the situation is resolved, or give the partner a deadline by which to correct the identified issues. And continue to follow up with partners, to ensure your assurance programme reduces your risks over time.
While third-party risk management will never be a simple task, these steps can help organisations make it a great deal easier to perform and manage, enabling better protection for themselves and their customers against security risks.