Payment Card Industry Council Says Companies are Responsible for Third Party Security and Compliance

On August 7th, the Payment Card Industry Security Standards Council, the payment card industry's self-regulatory body, issued new guidance for companies, such as hotels, that share cardholder payment data with third-party service providers. The Council released the guidance, entitled the "Third-Party Security Assurance Information Supplement," in response to its finding that the leading mistake organizations make when entrusting sensitive information to third-party vendors is failing to apply the same scrutiny to the vendors' information security practices as they apply to their own. Specifically, the guidance recommends that entities: (1) thoroughly vet third-party service providers before establishing relationships, so that entities understand how the providers adhere to applicable PCI DSS requirements; (2) implement a consistent program for engaging third parties that includes setting expectations, establishing a communication plan and mapping third-party compliance obligations; (3) establish detailed written agreements that promote consistency and understanding with respect to third parties' compliance roles; and (4) implement an ongoing process for monitoring third-party relationships and compliance.

Increasingly, regulators are holding companies, including hoteliers, responsible for the information security practices of their vendors, finding that companies are responsible for vetting, monitoring and auditing the compliance practices of vendors with whom they share sensitive information. This is especially true when a company experiences a data breach in which cardholder information is compromised. Accordingly, it is more important than ever for hotels to properly train employees, ensure that an appropriate breach response plan is in place, and ensure that policies are in place to adequately protect customer information. Hotels can help protect themselves from the risk of a data breach by properly training their employees to comply with robust data-security practices and policies, using Venza's PCI training modules or other custom learning solutions.

The Venza Group has partnered with the law firm Arnall Golden Gregory (AGG) to create a series of interactive eLearning modules that address PCI compliance in the hotel industry. Management, employees and IT staff are taught about the requirements they must support under the Payment Card Industry Data Security Standard. The Venza Group has also partnered with AGG to create an interactive eLearning module that trains hoteliers on general privacy and security awareness issues and on sexual harassment prevention.