PCI DSS: Pros and Cons of Outsourcing

Whether to Outsource the Storage, Processing, and Transmission of Cardholder Data

By Mary Fleming. Published 11 months ago. 3 min read

In this blog post, we delve into one of the prominent dilemmas confronting organizations that accept payment cards and seek to adhere to the Payment Card Industry Data Security Standard (PCI DSS): whether to outsource the storage, processing, and transmission of cardholder data (CHD) in order to achieve PCI DSS compliance. We will explore the advantages and disadvantages of outsourcing in order to provide a comprehensive perspective on the matter.

Pros of outsourcing

REDUCTION OF SCOPE AND IN-SCOPE PROCESSES

When cardholder data (CHD) is stored, processed, or transmitted on in-house systems, those systems and any connected components automatically become "high-risk assets." Consequently, it is essential to adequately segregate these high-risk components from lower-risk ones. However, segmentation can be a complex endeavor, requiring careful setup and management, and it may impact business processes that depend on the connections being restricted.

On the other hand, engaging a third party to handle the storage, processing, or transmission of CHD offers several advantages. The outsourced partner can provide the transaction information needed for normal business processes while assuming responsibility for managing the CHD itself. Another benefit is the offloading of encryption key management from your organization; PCI-compliant key management can be both intricate and costly to implement and maintain.

LOWERING THE COST OF HIGHLY SPECIALISED STAFF

For organizations operating on a large or global scale that opt to maintain an in-house cardholder data environment (CDE), there is typically a need to employ specialized IT security personnel to manage the ongoing compliance requirements of the PCI DSS. However, by outsourcing the compliance processes, the demand for these specialized staff members, who often command high salaries, can be reduced. This allows organizations to potentially save on staffing costs associated with maintaining an internal team dedicated to PCI DSS compliance.

TRANSFER OF BREACH COSTS

In the unfortunate event of a cardholder data breach, the costs incurred by an organization can be severe, including fines from regulatory bodies such as the PCI SSC (Payment Card Industry Security Standards Council), the ICO (Information Commissioner's Office), and industry-specific regulators. Additionally, there may be class-action lawsuits and significant reputational damage to contend with. However, by meticulously crafting contracts and service level agreements (SLAs), the burden and the majority of the consequences resulting from a breach can be shifted to the third party (if they are deemed responsible for the breach). This can help alleviate some of the financial and legal repercussions that an organization may face in the aftermath of a security incident.

Cons of outsourcing

LOSS OF CONTROL

When opting to outsource the management of cardholder data (CHD), it is important to acknowledge that a certain degree of control will be relinquished. Sharing this data with partners, customers, and other third parties can introduce complexities and potential challenges. It is crucial to consider the future needs of your business carefully so that the data does not become inaccessible or difficult to retrieve. Proper planning and clear communication with the outsourced party are essential to ensure smooth data sharing and maintain the necessary level of control over CHD.

LACK OF OVERSIGHT

Like any third-party relationship, trust plays a significant role when outsourcing. Industry research consistently highlights the "insider threat" as one of the most significant risks to an organization. When engaging in an outsourcing arrangement, there is a potential lack of oversight or control over hiring policies, background checks, and the overall security culture of the third party. It is crucial to assess and establish trust in the security practices and measures implemented by the outsourced partner. Clear contractual agreements, regular audits, and ongoing monitoring can help mitigate the risk associated with the insider threat in the context of outsourcing.

RELIANCE UPON THIRD-PARTY STABILITY

When opting for outsourcing, there is an inherent reliance on the long-term viability and stability of the chosen service provider in terms of PCI DSS compliance. Factors such as financial stability, operational reliability, and dependencies on specific clients or single points of failure (SPOFs) should be thoroughly evaluated as part of the due diligence process when selecting a partner for PCI DSS compliance.

Performing checks on financial reports, assessing reliance on certain clients or SPOFs, and reviewing business continuity arrangements are all important steps to ensure the resilience of the service provider in terms of PCI DSS compliance. These measures help mitigate the risks associated with the viability and stability of the outsourced management of cardholder data (CHD), including during the PCI DSS audit. In a future blog post, we will explore strategies and methods for mitigating the aforementioned risks when an organization decides to outsource the management of its CHD while maintaining PCI DSS compliance.

About the Creator

Mary Fleming

I'm an experienced consultant skilled in Payment Card Industry Data Security Standard (PCI DSS). Strong consulting professional with a Master of Science (MSc) focused in Information Management and Security.
