Outsourcing PCI is not a Silver Bullet

September 7, 2010

I’m always particularly interested in blogs and articles that seek to help and advise clients on how to achieve PCI compliance. More specifically, I’m interested in articles that give advice on how to make achieving PCI compliance “easy”. After reading several of these articles I’ve noticed two common suggestions: 1) minimize the scope of the assessment by segmenting the cardholder environment from the corporate network; and 2) outsource as many services as possible. I’m noticing more and more of my clients outsourcing security tasks to third-party service providers (SPs) in the hope of avoiding responsibility for certain PCI requirements. Firewall/router management, IDS, hosting facilities, software development, code review, and software testing are just a few of the services clients have outsourced. Some clients think they are being extra slick by outsourcing these services to service providers who have themselves achieved PCI compliance.

In theory, outsourcing does allow an organization to avoid directly performing certain PCI requirements, but it does not completely absolve the organization of responsibility. Even when an organization outsources services to an SP, the organization is still on the hook for ensuring that the SP maintains and manages the devices or service according to the requirements outlined in the PCI-DSS. This may require the organization to dictate to the SP how “things should be done”. It will also undoubtedly lead to the SP having to be included, and visited, as part of the organization’s PCI compliance assessment. As a QSA, I’ve seen including an SP’s environment in my client’s PCI assessment go horribly wrong.

“Well, we were smart. We made sure to go with a PCI compliant service provider.” This is better, but the organization is still not out of the woods. One of the most common mistakes I see my clients make is to ASSUME that the services they purchased or are using were 1) part of the SP’s Report on Compliance (ROC) scope, and 2) that ALL of the PCI requirements that pertain to that particular service are being performed. As a QSA, when I am performing a PCI assessment on a client who has outsourced, let’s say, their firewall management to a “PCI compliant” SP, I need to do two things, which coincidentally are the same two things my client hopefully did before signing that P.O. The first thing I, and any halfway decent QSA, need to do is validate that the SP’s ROC scope includes the particular service my client is using. I need to confirm that the firewall management service, solution, and practices were covered in the SP’s PCI-DSS assessment. After confirming the first part, I then need to perform a little QSA due diligence, or C-Y-A, and ensure that the ROC addressed the appropriate PCI requirements for that service. Again, I’ve seen how a client’s total faith in their SP’s ROC has led to false promises and broken dreams.

Outsourcing services is NOT a silver bullet for becoming PCI compliant. With it come different responsibilities, and potential consequences if it is not done correctly. Organizations need to establish a more robust vendor management process, one that includes a lot more than a written agreement declaring the service provider “responsible for securing cardholder data.”

3 Responses to “Outsourcing PCI is not a Silver Bullet”

  1. LonerVamp said

    I think outsourcing is also an organization’s way of being able to sue/blame someone else when something goes wrong with security. Much like management not truly knowing what their employees really are doing or not doing, people like to put on the see-no-evil blinders when outsourcing something. If something goes wrong, wag the finger, break the contract, take to court…

    Outsourcing the things that fall into PCI scope is scary to me. It means the org does not do or want to do the security best practices that PCI drags along with it. All the rest of their assets and information that aren’t specifically PCI-related are still just as at risk. Best case, the rest of their IT footprint is small anyway, so outsourcing their payment systems may make perfect sense.

    Of course, segmenting away your PCI-scoped systems/data can imply roughly the same thing, but at least in doing so the internal staff gets practical experience that can be carried over to the rougher networks.

  2. Thanks for the thoughts around service provider compliance. As you mention, the key is strong contractual requirements that specifically mention compliance with PCI-DSS. I would probably highlight applicable clauses in the contract such as web appsec secure coding, testing, and application of secure configuration standards that apply to the specific services and infrastructure operated by the service provider.

  3. […] regulations, but is now stated absolutely in page 16 and again under requirement 12.8.  A nice post available here goes into greater […]
