Credit card council releases cyber risk mitigation guidance

The payment card industry’s regulatory organization has issued guidance to help merchants and others reduce credit card security risks.

Businesses are rapidly adopting a third-party operations model that can put payment data at risk, the Wakefield, Massachusetts-based PCI Security Standards Council L.L.C. said Thursday in a statement.

It said the guidance will help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data.

It said the guidance developed by a PCI special interest group of 160 organizations including merchants, banks and third-party service providers provides recommendations for meeting the PCI data security standard requirement to ensure payment data and systems entrusted to third parties are maintained in a “secure and compliant manner.”

Most retailers are complying with this standard, says an expert.

PCI said the guidance includes recommendations on how to:

• Conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided and how the PCI data security standard requirements will be met by those services.

• Implement a consistent process for engaging third parties that includes setting expectations, establishing a communications plan, and mapping third-party services and responsibilities to applicable PCI data security standard requirements.

• Develop appropriate agreements, policies and procedures with third-party service providers that includes considerations for the most common issues that arise in this type of relationship.

• Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.

View the "Third-Party Security Assurance Information Supplement."