PCI Council: Merchants Should Scrutinize Vendors’ Data Security
Aug. 18, 2014
The Payment Card Industry Security Standards Council (PCI SSC) has issued new guidance to help merchants ensure that third-party providers have implemented sufficient security measures to protect shoppers’ payment card data.
Developed by a PCI special interest group made up of more than 160 merchants, banks and third-party service providers, the guidance recommends that merchants conduct due diligence and risk assessments when considering partnering with third-party providers; consistently engage with third-party partners to set data security expectations; develop formal agreements and policies covering security; and develop a robust monitoring program for the length of the partnership.
Those steps, PCI said, can help merchants reduce security vulnerabilities that can arise from third-party partners, such as Internet and cloud services providers, online storage companies and call centers. According to a 2013 study by the Ponemon Institute, the No. 1 mistake merchants make when entrusting sensitive consumer information to third-party vendors is not applying the same level of rigor to ensuring the security of vendors’ networks as to their own networks. Last week, Supervalu Inc. said hackers broke into its computer network and may have exposed cardholder information of shoppers who made purchases between June 22 and July 17 at 180 of its stores, which operate under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy brands.