PCI DSS: Pros and Cons of Outsourcing

Alastair Stewart | Senior Consultant at URM | Published on 9 Aug 2022

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and transmitting of cardholder data (CHD)? Let’s look at the benefits and disadvantages of outsourcing.

Pros of outsourcing

Reduction of scope and in-scope processes

Any storing, processing or transmitting of CHD on in-house systems immediately elevates those systems, and any component that protects them, to ‘high-risk asset’ status. As a result, these high-risk components should be adequately segmented from lower-risk components. Segmentation can be complex to set up and manage, and may affect the functioning of certain business processes, depending on the connections required.

If, on the other hand, you engage a third party to store, process or transmit CHD, the outsourced partner can supply any transaction information that is required for normal business processes, as well as shouldering the burden of handling CHD. Another benefit is removing the encryption key management function from your business. PCI-compliant key management can be both complex and expensive.

Lowering the cost of highly specialised staff

For organisations which operate on a large or global scale and which choose to keep the cardholder data environment (CDE) in-house, there will almost inevitably be a requirement to employ specialist IT security staff to handle the ongoing compliance requirements of the PCI DSS. By outsourcing the compliance processes, the need for these specialised staff members, who often command high salaries, will be reduced.

Transfer of breach costs

Should the worst-case scenario occur and your organisation suffer a breach of CHD, the costs can be devastating, e.g. PCI SSC, ICO and specific industry regulator fines, potential class-action lawsuits, not to mention reputational damage. By carefully drafting contracts and SLAs, the burden and the majority of the consequences of a breach can be shifted to the third party (if it is responsible for the breach).

Cons of outsourcing

Loss of control

By outsourcing the management of CHD, you will inevitably lose a degree of control. Sharing this data with partners, customers and other third parties can become problematic. It’s important to consider the future needs of your business to ensure that the data doesn’t become inaccessible.

Lack of oversight

As with any third-party relationship, there is an element of trust involved. Industry research constantly reminds us that the biggest threat to an organisation is the ‘insider threat’. With any outsourcing arrangement, there is a lack of oversight or control over hiring policies and practices, background checks and the overall security culture.

Reliance upon third-party stability

When outsourcing, there is also a natural dependence on the ongoing viability of your service provider, e.g. its financial and operating stability. As part of your due diligence when selecting a partner, you need to be checking financial reports, reliance on certain clients (single points of failure), business continuity arrangements, etc.

In a future blog we will look at ways of mitigating some of the above risks if your organisation decides to outsource the management of your CHD.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).