My company is currently looking to integrate a third-party vendor into our billing and fulfillment process. The vendor will be assuming responsibility for processing orders in our merchant account and handling sensitive customer information (including cardholder data).
When interviewing potential third-party vendors, I want to ask them probing questions to gauge how effective their security is. Obviously I could ask them if they are PCI-compliant and just leave it at that, but I've encountered several vendors that claimed to be PCI-compliant, only to find out that their security was atrocious (see: plaintext cardholder data).
Instead, I would like some ideas for tough questions that only a real security-minded company could adequately answer. For instance: do you have a disaster recovery plan, or can we see the results from your last system vulnerability scan? Basically something where they can give me a tangible response that shows compliance.
What questions would you recommend for vetting the security practices of a third-party vendor who will be handling sensitive customer information?