Saturday, August 15, 2009

Whose Responsibility is it Anyway?

Yesterday, SC Magazine published an article about PCI DSS compliance responsibility (http://www.scmagazineuk.com/Whose-responsibility-for-compliance-is-it-anyway/article/146476/) which I found very amusing. Why? Well, how is it that when you hand over something that is dear to you, you don't consider whom you are handing it to?
From a user's perspective, if you don't think twice before you give away your private information, you have no one to blame but yourself. As a merchant or a service provider, you need to make sure that the information the end user gave you stays secure throughout the data lifecycle, and if you share it, it has to be with someone who can provide at least the same level of security as you do.
PCI DSS requirement 12.8 is there to enforce that. Right now, a merchant or service provider is not required to use only PCI DSS certified service providers, but it is their responsibility to maintain a register of all third parties that have access to cardholder data, to have a proper contract in place (which includes an acknowledgement by the third party of their responsibility for securing cardholder data), and to review the associated risk regularly.
