All contracts with third-party vendors should contain liability-limiting language in which the vendor accepts responsibility for compliance with the PCI DSS. An addendum should be added to current contracts that do not contain this language. This language should also be included in RFPs. An example of this verbiage, provided by CampusGuard, is as follows:
"PCI COMPLIANCE

Contractor represents and warrants that for the life of the contract and/or while Contractor has possession of University customer cardholder data, the software and services used for processing transactions shall be compliant with standards established by the Payment Card Industry (PCI) Security Standards Council. In the case of a third-party application, the application will be listed as PA-DSS compliant at the time of implementation by the University. Contractor acknowledges and agrees that it is responsible for the security of all cardholder data. Contractor agrees to indemnify and hold University, its officers, employees, and agents, harmless for, from and against any and all claims, causes of action, suits, judgments, assessments, costs (including reasonable attorneys' fees) and expenses arising out of or relating to any loss of University customer credit card or identity information managed, retained or maintained by Contractor, including but not limited to fraudulent or unapproved use of such credit card or identity information. Contractor shall, upon written request, furnish proof of compliance with the Payment Card Industry Data Security Standard (PCI DSS) within 10 business days of the request. Regardless of written request, the Contractor will provide the proper Attestation of Compliance (AOC), which can be found on the PCI SSC website, once annually. Contractor agrees that, notwithstanding anything to the contrary in the Agreement or the Addendum, the University may terminate the Agreement immediately without penalty upon notice to the Contractor in the event Contractor fails to maintain compliance with the PCI DSS or fails to maintain the confidentiality of any cardholder data."
In addition to the contractual language, vendors must provide an Attestation of Compliance (AOC) annually. Currently, many of our vendors provide us with a "certificate of compliance" or a "certificate of a successful scan". Unfortunately, neither of these documents qualifies as an AOC. The proper document can be found on the Payment Card Industry Security Standards Council (PCI SSC) website.
The only exception to the AOC rule is for vendors listed on the Visa Global Registry of Service Providers; an AOC from such a vendor is not necessary.
The two components mentioned above are part of Requirement 12 of the PCI DSS. They are 12.8.2 and 12.8.4 respectively. Requirement 12 also mentions three additional items associated with third party contracts:
- A list of service providers must be maintained. This is done campus-wide at Revenue Accounting. However, a separate list should be maintained by each department that has more than one vendor collecting cardholder data on the department's behalf.
- A formal process must exist for engaging service providers. This should already be in place via campus RFP procedures. It is important to consult Revenue Accounting when a new RFP is being written.
- Documentation should be maintained that shows which party is responsible for what portion of the PCI DSS. Some contracts already show what the vendor is taking responsibility for. The BU department should document their own responsibilities in their credit card processing written procedures.