Outsourcing PCI DSS IT operations myth

Janos Zold

Today I'd like to talk about a really interesting conversation I had with one of my clients about outsourcing IT operational tasks mandated by PCI DSS. To be more specific the conversation went like this:

The client: "We want to outsource our IT security and IT operational tasks (patching, servers and firewall management, etc.) because maintaining PCI drives focus away from our strategic projects from our staff..."

Me: "Outsourcing is a common approach, time is money after all... Have you considered working with your existing service provider, could they take these responsibilities on?"

The client: "Well, we thought about this, they have been doing server and network administration remotely, PCI is very important to us. They don't have PCI, and they don't intend to become PCI compliant due to costs..."

If you are a small- or medium-sized business, at the beginning of your PCI DSS 'journey' with a challenge how to maintain your PCI compliance read on...

PCI DSS requires a LOT OF WORK

First, I'd like to talk about what led to this conversation. You are in the following situation, perhaps not so unique: you have decided to invest the time, energy (and of course, money!) in a product and have achieved PCI compliance. There are other strategically important projects now that need your IT teams' attention and focus. However, now they are quite busy with operationally maintaining PCI. Make no mistake, the high level requirements look deceivingly simple, but in fact it is a lot of work to maintain (I'll cover them in a separate blog post if you are interested, please let me know in the comments below). Depending on the scope of PCI, the architecture and complexity of your estate, patching and log reviews (to mention a few...) you have to do on a daily/weekly/monthly basis, you could end up with a lot of operational overhead, and this can drive attention away from strategic projects even more...

You make the decision to outsource those responsibilities...

Start with the scope

Before you even start looking for a service provider, you have to define exactly what's in scope for outsourcing. In this case the activities involved the management and configuration of firewalls, servers, log reviews, patching, monitoring and the review of audit logs. Any third parties providing these services are defined as: "...involved in the protection of the cardholder data environment (CDE)" according to the PCI Security Standards Council.

With a clearly defined scope you can move on to find a service provider...and I've got some good news for you: as long as a third party service provider is not involved in the storage, processing or transferring of cardholder data they don't have to have PCI DSS compliance. This means, you could potentially work with your tried and tested service provider (...'better the devil you know')

The buck stops here...

There is an old saying: 'you can outsource the work, but you cannot outsource risk' and due diligence is key. You have to perform a risk assessment as part of your due diligence to understand your risks and the level of exposure. The service provider will also have to prove that the service they provide meets the intent of PCI. Obviously, if the third party is going to be involved in CHD processing, storage or transfer, they have to have PCI compliance. If they don't, they have to have a project and a plan in place to obtain PCI with timelines that is acceptable for you and certainly for your auditors.

The devil is in the details contract

So, you have found a third party service provider, you've done your due diligence, agreed on commercials and have a tight contract in place - all looks good. Well, not so fast! You now have to consider that the scope of your PCI audit has increased, because it now has to include your service provider. This may increase the cost of your next PCI audit, and may also introduce new challenges and delays in the process. Remember, just because the third party service provider does not have PCI, they still have to comply with PCI assessment processes and procedures. They have to work with your auditors and other authorized representatives to prove that the services they provide meet PCI DSS requirements. Best to include this provision in your contract with your service provider.