PCI DSS: Pros and Cons of Outsourcing

Alastair Stewart | Senior Consultant at URM | Published on 9 Aug 2022


In this blog, we address one of the big questions facing organisations that accept payment cards and are looking to comply with the PCI DSS: should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing.

Pros of outsourcing

Reduction of scope and in-scope processes

Any storing, processing or transmitting of CHD on in-house systems immediately elevates those systems, and any component that protects them, to ‘high-risk asset’ status. As a result, these high-risk components should be adequately segmented from lower-risk components. Segmentation can be complex to set up and manage and may affect the functioning of certain business processes, depending on the connections required.

If, on the other hand, you engage a third party to store, process or transmit CHD, the outsourced partner can supply any transaction information that is required for normal business processes, as well as shouldering the burden of handling CHD. Another benefit is removing the encryption key management function from your business: PCI compliant key management can be both complex and expensive.

Lowering the cost of highly specialised staff

For organisations which operate on a large or global scale and which choose to keep the cardholder data environment (CDE) in-house, there will almost inevitably be a requirement to employ specialist IT security staff to handle the ongoing compliance requirements of the PCI DSS. By outsourcing the compliance processes, the need for these specialised staff members, who often command high salaries, will be reduced.

Transfer of breach costs

Should the worst-case scenario occur and your organisation suffer a breach of CHD, the costs can be devastating, e.g. PCI SSC, ICO and specific industry regulator fines and potential class-action lawsuits, not to mention reputational damage. By carefully drafting contracts and SLAs, the burden and the majority of the consequences of a breach can be shifted to the third party (if it is responsible for the breach).

Cons of outsourcing

Loss of control

By outsourcing the management of CHD, you will inevitably lose a degree of control. Sharing this data with partners, customers and other third parties can become problematic. It’s important to consider the future needs of your business to ensure that the data doesn’t become inaccessible.

Lack of oversight

As with any third-party relationship, there is an element of trust involved. Industry research constantly reminds us that the biggest threat to our organisation is the ‘insider threat’. With any outsourcing arrangement, there is a lack of oversight or control over hiring policies and practices, background checks and the overall security culture.

Reliance upon third-party stability

When outsourcing, there is also a natural dependence on the ongoing viability of your service provider, e.g. its financial and operating stability. As part of your due diligence when selecting a partner, you need to be checking financial reports, reliance on certain clients / single points of failure (SPOFs), business continuity arrangements, etc.

In a future blog we will look at ways of mitigating some of the above risks if your organisation decides to outsource the management of your CHD.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).