Third-party compliance issues can be a nightmare if you don’t do your due diligence (say that five times fast!). The truth is that there is still a lot of confusion when it comes to what third-party service providers are specifically required to be compliant with, but ensuring that compliance is your responsibility if you’re going to deal with them.
To keep your own business safe from costly compliance violations, you must check out and validate the third-party service providers (TPSPs) you do business with. With regulations changing fairly often now, trusting a validation certificate from another third-party company as gospel isn’t a great idea.
In this article we point out the need for extra measures in determining third-party PCI compliance, and how Compliance Checkpoint accomplishes that goal.
Do Your Own Homework
A great rule for anything in life is to always do your own homework. Whether it’s in school or in business, you’ll always learn more and become better at what you do than you will if you take shortcuts and rely on the “wisdom” of others to guide you.
When it comes to ensuring third-party compliance – service provider or not – you (or your QSA, in the case of PCI compliance) should affirm independently that they are in compliance with any regulations that apply to your own business and how they will interact with your business’ data.
For service providers, you should be able to list each one your company does business with, confirm what services they provide, and make sure that each provider listed is compliant with the PCI DSS. These could include web hosting companies, payment & transaction companies and marketing companies, among others.
Some TPSPs will want to provide you with a certification from a third party as proof of their compliance, and while these are often valid, they still require a level of trust that your business shouldn’t accept. That’s why it’s important to set expectations up front with TPSPs and establish a clear channel of communication in order to gain transparency and understand the scope of their services.
The simplest way to ensure compliance and proper auditing is to add any third-party vendors into an already existing, scalable, and automated auditing system run by cloud-based software. This type of turnkey system reduces any necessary training time significantly and allows complete access to a transparent, end-to-end auditing process.