Preventing the unauthorized access to and fraudulent use of credit and debit cards has been a high priority of the payment card industry for years.  As the threat environment evolves, so too do the applicable data security processes.  The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard that applies to all entities that are involved in payment card processing, including merchants, processors, financial institutions and their third-party service providers.  The PCI Standard is mandated by the card brands (Visa, MasterCard, Discover, American Express and JCB) and run by the Payment Card Industry Security Standards Council.  It was initially introduced in December 2004.  The latest version of PCI-DSS, Version 3.0, was released in November 2013, and most businesses must comply with it by January 1, 2015.  

One focus of version 3.0 of PCI-DSS is to clarify and strengthen the security relationship between merchants and their third-party service providers that store, process and transmit payment card data.  It is intended to enhance security processes between businesses and their third-party service providers with respect to handling payment card data.  For instance, version 3.0 forbids a third-party service provider from using the same password to access more than one merchant’s system, in order to prevent a hacker from gaining access to multiple systems by defeating a single password.

Version 3.0 also strengthened PCI DSS Requirement 12.8 which establishes requirements for maintaining and implementing policies and procedures for businesses to manage third-party service providers with whom payment card data is shared.  For example, new requirement PCI DSS 12.8.5 requires a merchant and its service provider to each articulate clearly which specific PCI DSS requirements are managed by the service provider, and which are managed by the entity.

In August, a PCI Special Interest Group (SIG), that included merchants, banks and third party service providers, published additional guidance to help businesses that engage third-party service providers.  Specifically, the new guidance (which can be found here) is intended to help businesses and their third-party service providers better understand their respective roles in meeting PCI DSS Requirement 12.8.

Clearly, version 3.0 attempts to reinforce the principle that data security is a significant shared responsibility among all companies in the payment card industry chain, from merchants to third-party service providers, to the payment card companies themselves.  All merchants, processors, and third-party service providers that handle cardholder data would be well advised to become familiar with, understand, and embrace their respective responsibilities for data security pursuant to version 3.0 of PCI-DSS.