PCI Compliance: retailers urged to check all service providers meet security requirements

Retailers are being urged to check that their service providers, who install, exchange or return defective devices to the manufacturer on the retailer's behalf, have the necessary security agreements in place ahead of an audit.


It is common knowledge that a merchant or retailer has to be PCI compliant to satisfy the banks and card companies, and that it needs to be able to demonstrate that compliance following the requirements introduced over the last few years. However, many do not realise that it is wise to ensure that their service providers have security agreements in place too, say information security experts at Barron McCann.

According to the retail IT service specialists, any service provider that has access to a retailer's devices at any stage, from maintenance and repairs through to disposal, must have appropriate security procedures in place.

ISO 27001:2013 is the international standard for information security management systems, and certification against it is uncommon amongst the vast majority of suppliers.

Following work on government projects, Barron McCann is one supplier that has opted to hold ISO 27001:2005 certification, soon to be upgraded to the :2013 version of the standard.

Graham Thornton, Information Security Manager at Barron McCann explains their decision:

“Due to the nature of our work, this particular certification covers the provision of servicing, service replacement, technical support and decommissioning of IT equipment. This is in force throughout the entire company and provides our retail customers with the confidence that information security measures are in place. All our engineers have security procedures they need to comply with when they exchange devices, as well as procedures to assess/monitor if it’s been tampered with. The fact that a supplier of services has the necessary information security accreditation in their own right goes a long way to satisfy any would-be auditor that the retailer’s third-party suppliers have the necessary credentials.”