
My company is currently looking to integrate a third-party vendor into our billing and fulfillment process. The vendor will be assuming responsibility for processing orders in our merchant account and handling sensitive customer information (including cardholder data).

When interviewing potential third-party vendors, I want to ask them probing questions to gauge how effective their security is. Obviously I could ask them if they are PCI-compliant and just leave it at that; but I've encountered several vendors that claimed to be PCI-compliant, only to find out that their security was atrocious (see: plaintext cardholder data).

Instead, I would like some ideas for tough questions that only a real security-minded company could adequately answer. For instance: do you have a disaster recovery plan, or can we see the results from your last system vulnerability scan? Basically something where they can give me a tangible response that shows compliance.

What questions would you recommend for vetting the security practices of a third-party vendor who will be handling sensitive customer information?

Moses
  • Cross-check them with Microsoft SDL; there you get lots of questions you can ask them. The last questions, not included in SDL, should be "Do you publish info on how you manage security?" (like Microsoft does), as well as "How would you handle a data breach?" and "Are you letting customers know about data breaches?" – Andrew Smith Jun 28 '12 at 21:03

1 Answer


First, if they claim to be PCI compliant, ask for the latest version of a filled-out questionnaire and their current quarter's scan results. Based on the depth of how they filled out the questionnaire, you should have some understanding of how competent they are.

Also press them on whether they have external audits. Do they employ external companies to do manual pentests and, more importantly, social engineering?

If they are handling billing and processing they will be handling customer data. Ask them about how they encrypt it. What are their access control policies? Do they use two factor authentication?

Check if there is a training regimen for their order processing staff on security. Typically, people doing billing and order processing are not technical or savvy on security. These are low/mid-wage users with little care as to your company's data. If I called in and claimed to be customer X, how hard would it be for me to get their information?

Also ask for a list of their senior management. Who is their CTO, CSO, etc.? Research their backgrounds. See if they have a history in companies that are security oriented, or if they hopped around a ton and seem to be fly-by-night mercenaries.

Ultimately, see how willing and comfortable they are to share all this. Some might hide behind a "We can't show you because it would violate security" excuse, but if they are serious about handling your data, you have a right to inspect their security on the surface.

A real good quickie is to see if they ask for an NDA or MNDA. If they just hand over information, chances are they won't be that diligent. If they ask for an NDA before handing all this over, at least they have a documented legal process behind the scenes, which is always a good first start.

CogitoErgoSum