Neustar International Security Council launched ... » LONDON, UK: Neustar, Inc. has announced the launch of the Neustar International Security Council (NI... RiskIQ Digital Threat Management Platform Recognis... » LONDON, UK: RiskIQ has been recognised in an Ovum Research “On the Radar” report for providing orga... ExtraHop introduces new professional services fo... » UK: Today at Interop ITX has announced new professional services for cloud migration, datacenter mig... MIKE SMITH BECOMES NEW ECA PRESIDENT » A highly respected electrical engineer and businessperson – Mike Smith of SES Engineering Services –... Patriot One obtains purchase agreement with rese... » TORONTO:  Patriot One Technologies Inc. has announced a reseller agreement with Information Technolo... TDSi and LITESTAR announce new partnership in Si... » Poole: TDSi has announced a new partnership with Singapore-based installation specialist LITESTAR Te... FSA 10TH BIRTHDAY TOPS THE BILL AT IFSEC SHOW » Fire and security business representatives are being urged to attend the Fire & Security Association... Intercede announces Secure Login for WordPres... » Lutterworth, England/Reston, VA: Recently, digital identity and credentials expert, Intercede announ... Senior Intelligence Official Ron Moultrie joi... » NEW YORK, NY: Balabit has announced today that the former Director of Operations at the National Sec... Luke Kleszcz joins security manufacturer as Fina... » Poole: Integrated has announced the growth of its Finance team with the appointment of its new Finan...

Our Guest Columnists

John Walker
Professor John Walker is the owner and MD of Secure-Bastion Ltd, a specialist Contracting/Consultancy in the arena of IT Security Research, Forensics, and Security Analytics. READ MORE >>

Yorgen Edholm is President and CEO of Accellion, a pioneer and leading provider of secure file transfer and collaboration solutions. READ MORE >>

Mr. Faitelson is responsible for leading the management, strategic direction and execution of the Varonis vision.


Mike Small


Mike Small has over 40 years experience in the IT industry. He is an honorary fellow analyst ....


Andy Cordial

Andy Cordial, managing director of secure storage systems specialist Origin Storage ...

Paul Steiner
Dr Paul Steiner joined Accellion in 2001 as Senior Vice President-Europe...


Steve Durbin is Global Vice President of the Information Security Forum (ISF). He has served as an ...

David Gibson

David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, ..


Jane Grafton

Jane Grafton has more than twenty years experience in domestic and international sales, marketing and business development.


Mr Dimitriadis

Christos K. Dimitriadis, CISA, CISM, is the chief information security officer of INTRALOT S.A, a multinational supplier of integrated gaming and transaction processing systems based in Greece, ...


Philip Lieberman

Philip Lieberman, the founder and president of Lieberman Software, has more than 30 years of experience in the software industry.


Jon Mills

Jon Mills is the managing director and general manager of SEPATON for Europe, Middle East and Africa (EMEA).


Dr Rustom Kanga

Dr Rustom Kanga is co-founder and CEO of iOmniscient, one of the pioneers in the field of Video Analysis.





Team effort: Working with third-party partners to achieve effective PCI-DSS compliance

Matthew Bryars, CEO of Aeriandi discusses the benefits and challenges of working with a third-party service provider to achieve regulatory compliance, and how to ensure any partnership is a successful one.


Every company in the UK that processes and stores customer payment information is ultimately responsible for its own compliance with regulations such as PCI-DSS (Payment Card Industry Data Security Standard). However, what many don’t realise is that they don’t have to go it alone. Outsourcing certain operational responsibilities to third-party experts can save significant time, money and resources, whilst also minimising the risk of a security data breach. But perhaps unsurprisingly, outsourcing comes with a number of unique challenges, meaning an effective due diligence programme must also be in place to ensure success. This article will discuss some of the main challenges and benefits of outsourcing PCI-DSS compliance and how to implement an effective due diligence programme to ensure success.


Picking the right partner

The number of third party compliance experts in the market is growing all the time, meaning businesses have a great choice available to them. But before any final decision is made, a comprehensive due diligence check must be carried out. This task can seem daunting at first, largely because there are so many important issues that need to be considered. However, it is extremely important to vet any potential third party partner thoroughly to ensure there are no skeletons in the closet before entering into an agreement with them. Areas that should be scrutinized closely include:

  • Financial stability
  • Previous breaches, litigations, sanctions
  • Existing information security programmes
  • Existing physical security procedures
  • Business continuity  – incident response
  • HR – pre-employment checks, training and awareness
  • Compliance – KYC, AML, anti-bribery, regulated entity
  • Insurance
  • Sub-contractors

When a partner is finally chosen, the due diligence programme should be documented and consistently implemented so that it can be audited and accounted for when the company comes to assess its own compliance validation.

Ensuring ongoing compliance

When working with a third party, businesses should be confident of that partner’s ongoing compliance. After all, there’s no point in outsourcing an issue if you then spend all your time worrying about the partner! Thankfully, many third party service providers have a direct relationship with the card payment brands (VISA, Mastercard etc) or their member banks (Barclays, Lloyds etc) and therefore inherit an obligation to demonstrate compliance with relevant controls to the services they provide. The same principle applies for service providers that are engaged by merchants or other entities.

Service providers are typically given the following two choices when it comes to validation of their ongoing compliance:

1. Annual assessment: Service providers can undergo an annual PCI-DSS assessment(s) and provide evidence to demonstrate their compliance to their customers

2. Facilitate on-demand assessment(s): Service providers must facilitate and participate in their customer’s PCI-DSS reviews upon request

Both are viable options, although providers that undergo annual assessments run a greater risk of slipping out of compliance between checks. On-demand assessments generally keep providers on their toes more and ensure ongoing compliance, making them the preferable option.

Clearly defining and documenting responsibilities

When entering into any form of partnership, it is essential that both the business and the third party provider are clear about what their responsibilities are. This can avoid complicated and costly disputes further down the line. The high-level detail should always be contained in the contractual agreement, while detail about individual controls should be specified within a Third-Party Shared Responsibilities Attestation Matrix.

To avoid any misunderstanding, the typical clauses that should be covered in the contractual agreement between the two parties must include (but are not limited to):

• Industry definitions

• Scope of service

• Compliance obligations

• Compliance validation


• Breach notification

• Termination

• Insurance

• Reporting changes

• Right to audit

PCI-DSS v3.0 introduced the need for a more detailed specification of responsibilities. Identifying and documenting these shared responsibilities can take considerably more time and effort than when the responsibility for compliance controls resides with only one party.

Leveraging service providers effectively for maximum ROI

Monitoring the compliance of third-party service providers does require additional effort, but it also provides the opportunity to reduce risk and the scope of compliance at the same time. Savings could also be made if the combined cost of outsourcing and monitoring is lower than doing it all in-house. This can be accomplished by migrating non-core activities, sensitive data or internally managed processing to a compliant service provider. This decision usually requires the company to re-engineer their processes but could result in long-term cost savings.

One recent example we have dealt with at Aeriandi was a merchant looking to securely store call recordings that contained sensitive card payment authentication data due to government regulatory mandates. The merchant’s existing supplier was charging extremely high costs, yet was providing a service that wasn’t PCI-DSS compliant. By migrating to Aeriandi, the merchant achieved compliance as desired, but also made significant budgetary savings in the process, almost as a by-product.

Third-party partners now have more responsibility to ensure compliance

In the past, in order to try and satisfy the 12 requirements of PCI DSS, merchants would have to ask their service provider to acknowledge their responsibility for the security of cardholder data in their contract. However, there was no incentive or obligation for the service provider to sign such an agreement, making it extremely difficult to enforce. The good news is this has changed. With the release of PCI DSS v3.0 at the end of 2013, service providers are now mandated to include an acknowledgment of this responsibility in their service agreements. This amendment allows merchants to meet this PCI-DSS requirement and provides far greater peace of mind at the same time.

So, is it worth it?

As discussed, to achieve a successful partnership with a third-party provider, businesses must invest time and effort. Reaping the full benefits requires thorough vetting, clear agreement of responsibilities and regular compliance assessments. In return, outsourcing certain aspects of compliance can save money and resources in the long run, and ensure ongoing compliance with PCI-DSS regulations. As with anything, the more you put into the relationship, the more benefits you will gain from it, and achieving peace of mind that your company is protected against serious data breaches is certainly a gain worth working for.

About Matthew Bryars , CEO and Co-Founder, Aeriandi Ltd

Responsible for: Delivery of technology as fit-for-purpose, on-time and on-budget

Background: Following a Masters degree in physics from University College London, Matthew co-founded Aeriandi in 2002 having seen the potential for highly secure, cloud-based business services at an early stage. Matthew quickly applied his problem solving skills to the business world and has been responsible for building the company from a start-up to a well renowned business - running services for some of the world’s largest banks and contact centres. Although the business has grown substantially, Matthew still takes a hands-on approach and remains actively involved in the development process, getting most fulfilment from delivery of high quality, relevant solutions based on the company’s hosted multi-channel platform.

Who can be our Guest Columnist?