PCI Service Provider Contracting

(NOTE: cross-posted at Branden Williams' Security Convergence Blog)

As an attorney focusing on information security and privacy issues, I often get called in to help companies understand their legal liability risk around the PCI (self-)regulatory system. One of the key areas I get involved in is service provider relationships, and in particular section 12.8 of PCI and service provider contracts. There are many aspects of 12.8 (and its subsections) that are potentially ambiguous and open to interpretation, but this particular article is not going to focus on those. This post concerns the "written agreement" referenced in 12.8.2, which provides in full:

12.8.2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

We could debate whether a "written agreement" is the same as a "contract" as referenced in PCI v1.1 (under the law there is not much difference between a "contract" and an "agreement"). However, rather than concentrating on mere PCI technical compliance, this blog post will discuss the contract terms merchants should consider in their service provider agreements to actually manage their security risk. Of course service provider agreements should address the PCI requirements, but for merchants concerned about truly mitigating their risk, much more is involved. Coincidentally, I am in the middle of writing a book on payment card contracting that will be released through the American Bar Association; this post summarizes some of the ideas and concepts that will be in that book.

Pre-Contracting Activities

In general, as most understand, organizations cannot "outsource" compliance with PCI. That is to say, while merchants work with service providers that do some or all of the merchant's storing, processing or transmission of cardholder data, interested parties will still attempt to hold the merchant responsible for the service provider's non-compliance with PCI, and for the impact of a service provider's payment card security breaches. The service provider contract is one of the key places where this risk can and must be dealt with (the other mechanism for managing service provider risk is insurance, but that is another topic for another day).

The first step in the process is understanding what the merchant has legally obligated itself to. This requires an analysis of the merchant's "upstream" contracts: the various "merchant agreements" it has in place with payment processors and/or merchant banks. If a merchant deals with more than one card brand there could be multiple contracts. In essence, the goal here is to identify the merchant's upstream obligations and transfer those obligations down to any service providers utilized by the merchant. For example, if the merchant agreement requires the merchant to indemnify the payment processor for fines and penalties imposed by card brands, the service provider agreement should require the service provider to do the same. One thing to note: most modern merchant agreements require merchants to adhere to the relevant payment card brands' operating regulations. As such, merchants should understand those obligations (e.g. Visa's Account Data Compromise Recovery process) as well, in order to transfer that risk to their service providers.

The second step is attempting to understand the risk posed by the particular service provider the merchant is dealing with. What is the transaction volume the service provider is handling? What controls does the service provider have in place or not have in place? Has the service provider's security been independently assessed (e.g. by a QSA)? What would happen to the merchant's business if the service provider went down (i.e. not all the risk is liability risk)? If the service provider suffers a breach, does it have an incident response plan to mitigate harm and provide notice to the merchant? In addition to general security requirements, depending on the nature of the transaction, this risk assessment may result in specific service provider contractual obligations.

Security Contract Terms

So what security-related terms should be in service provider contracts? The answer to this question will vary depending on many factors (e.g. the type/purpose of the transaction, the data at issue, the laws that apply, the upstream contractual obligations of the merchant, etc.), but the following should be considered:

(1) Definitions. The payment card world relies on particular definitions and terminology. To avoid confusion, where warranted, some definitions should be incorporated into the contract (e.g. PAN, sensitive authentication information, etc.). This can be achieved in part for some key terms by referencing the PCI standard and/or the PCI glossary.

(2) "Preventative" Contract Terms -- Compliance and Controls. The overall purpose of these terms is to contractually obligate the service provider to certain controls and practices with the hope of preventing non-compliance and/or a security breach (or at least decreasing the risk of those events). In these sections the service provider should be required to comply with the requirements of the PCI regulatory system. This includes, but goes beyond, the PCI standard itself. Other elements of the PCI regulatory system include card brand security programs, FAQs, guidance papers and other documents issued by the PCI Council, and the card brand operating regulations themselves. In addition, if there are any specific controls or security measures that the merchant wants the service provider to implement and maintain, those should be indicated. Merchants can also draft other standards into the contract, such as ISO 27001, if desired. Last, regardless of the specifics, the service provider should have an obligation to maintain "reasonable security" to protect the sensitive data that is the subject of the agreement. By broadening the duty to "reasonable security" the hope is to avoid cases where technical compliance with PCI was achieved, but the service provider's systems were not actually secure. The reference to "reasonable" establishes an "objective" standard under the law that allows for scrutiny in a litigation context. Note that all duties in this section should be made ongoing and continuous (PCI compliance does not matter only on the day the contract is signed), and the service provider should be required to comply with changes to the PCI standard.

(3) Monitoring and Reporting. These contract terms should provide the merchant with the right to monitor and enforce compliance with the service provider agreement, the PCI standard, payment card company security programs, etc. There are many ways this can be achieved, including imposing reporting requirements on the service provider, providing the merchant with security assessment rights, or actually requiring a periodic third party audit. With respect to PCI, the agreement should require the service provider to allow the merchant (or third parties selected by the merchant) to conduct quarterly network scans, as well as QSA assessments. What are the consequences of non-compliance with the agreement or PCI? Monitoring is good, but if non-compliance is found the merchant must also have enforcement rights. Without enforcement mechanisms the service provider's promises may be hollow. Contractual penalties may be put into the contract, and indemnification rights (discussed below), termination rights and other remedies may be considered. The key here is to have some leverage to get the service provider to actually comply, instead of having to abandon the relationship and find a new service provider.

(4) Security Incident Response. Service providers and outsourcers act as an extension of the merchant's operations. However, if their incident response procedures are out of sync it could be problematic. Merchants need to understand their service provider's internal incident response procedure and then build contractual obligations that allow the merchant's incident response procedure to seamlessly meld with the service provider's. This section may require the service provider to identify a response coordinator to act as a liaison and cooperate fully with the merchant. In addition, it may require an investigation, remedial action, notice and reporting to the merchant and payment card network, collection of evidence, documentation of the incident response, and access to service provider systems, logs and data. One of the key considerations here is identifying the party responsible for complying with breach notice laws. Arguably, based on the statutes themselves, the primary duty would rest with the merchant, and the merchant would have to pass it on contractually to the service provider (note that the primary duty would still reside with the merchant, so if the service provider refused, the statutes would still require the merchant to comply).

(5) Rights, Remedies & Indemnification. These terms transfer risk of loss between the merchant and service provider and provide other rights for breach of the service agreement or in the event the service provider suffers a security breach. They are amongst the most important terms in the agreement, and also the most contentious to negotiate, because they truly establish the baseline for the merchant's liability in the event the service provider makes a mistake. The following should be considered. Indemnification rights should require the service provider to pay for/reimburse the merchant for claims, attorney fees, lawsuits, fines, penalties and other costs associated with the service provider's non-compliance with the agreement and other requirements of the PCI regulatory system, as well as security breaches (whether compliant or not). If there is a limitation of liability clause, exceptions should be considered for security breaches, fines and penalties due to non-compliance, and other issues. The same holds true for any consequential damages limitation clause that finds its way into the contract. Additionally, termination rights should be built into the contract based on service provider non-compliance or security breaches.

(6) Insurance Clause. An insurance clause requiring the service provider to purchase insurance covering security breach notice law compliance, liability arising out of security breaches, and other professional errors or omissions should be considered (especially when utilizing smaller vendors). If possible, the merchant should be named as an additional insured on the policy so that it can tap directly into the policy proceeds. This clause should specify required limits and should require the insurance to be primary. In addition, the contract should note that insurance proceeds are not intended to limit the amount of the service provider's liability.

To implement these terms, what I often do is create a security schedule or exhibit that contains all or most of the security-related obligations of the contract. Oftentimes a merchant will be forced to work with the service provider's contract. If the security terms are in a pre-established exhibit, that exhibit can be incorporated into the contract (with some careful drafting, of course).

On a final note, please understand that while this post has focused on PCI, a framework similar to that described above could be used for other statutory or security requirements, including GLB, HIPAA, the EU Data Protection Directive and others. In fact, for organizations with multiple security standards or laws to comply with, a security exhibit or schedule can be an efficient way of addressing all of the requirements at one time and in one place.

Conclusion

At this point in time, when reliance on service providers and outsourcers to handle payment card information is high while the legal liability risk associated with payment card security breaches is growing significantly, the security terms in a service provider contract have increasing importance. In fact, I counsel my clients to raise some of the terms they want (especially indemnification) at the RFP phase instead of waiting until later. The key here is to create competition between potential service providers not only on price and scope of services, but also on acceptance of risk and contract terms (those willing to accept more risk being potentially better candidates than those not so willing). Organizations that wait to request protective contract terms until after they have selected a vendor may find those terms watered down during negotiations, and may be stuck holding all the risk of a service provider mistake (and you know that for most service providers the default is contract terms that completely insulate them from risk - don't settle for that!). As it currently stands, the focus of risk mitigation with respect to security is on technical controls and other security measures, and the importance of the contract as a risk mitigating tool is overlooked. As litigation increases in this area, for risk-conscious organizations, the protections (or lack of protections) in the service provider contracts are going to become very important.