Third Party Vendor Policy


Document information and change log

Document Information

Next review: Sep 30, 2026
Status: Initial Release
Regional scope & language: Territory of USA in English
Applies to entities: Give Corporation Inc.
Overall responsibility: Loraine Stewart, CCO
Approved by: Joshua Rowley, CEO; Aaron Miller, CRTO; Michael Brinker, CBFO

Change log

Jun 7, 2023, version 1.0: Initial Release
Sep 30, 2024, version 1.1: Annual review
Sep 15, 2025, version 1.2: Annual review


Gender And Entity Neutrality

The masculine form is used solely for the sake of better readability. It always refers to persons of any gender identity (m/f/diverse). This document uses the abbreviation “Give” for all legal entities and subsidiaries.


Table of Contents

1. Introduction
1.1 Purpose
1.2 Scope
1.3 Compliance
1.4 Objectives
1.5 Responsibilities
2. Vendor Selection and Due Diligence
2.1 Vendor Selection Criteria
2.2 Vendor Risk Assessment
2.2.1. Security Controls
2.2.2 Data Protection and Privacy
2.2.3. Compliance and Legal Obligations
2.2.4. Business Continuity and Disaster Recovery
2.2.5. Financial Stability
2.2.6. Service Level Agreements (SLAs)
2.2.7. Reputation and References
2.2.8. Geographic Considerations
2.2.9. Scalability and Growth Potential
2.2.10. Contractual Terms and Conditions
2.3 Security Questionnaires and Assessments
2.4 Contractual Requirements
2.4.1. Expectations for Cardholder Data Protection, Incident Response, and Security Documentation
2.4.1.1. Cardholder Data Protection
2.4.1.2. Incident Response
2.4.1.3. Security Documentation
2.4.1.4. Security Awareness and Training
2.5 Documentation and Certifications
2.6 Vendor Performance Monitoring
2.6.1 Vendor Performance Metrics and Key Performance Indicators (KPIs)
2.6.1.1. Service Level Agreement (SLA) Compliance
2.6.1.2. Quality of Service
2.6.1.3. Timeliness and On-Time Delivery
2.6.1.4. Cost and Financial Performance
2.6.1.5. Vendor Responsiveness and Communication
2.6.1.6. Compliance and Risk Management
2.6.1.7. Innovation and Continuous Improvement
2.6.1.8. Relationship Management
2.6.1.9. Contractual and Legal Compliance
2.6.1.10. Vendor Stability and Business Continuity
3. Access Controls
3.1 Vendor Access Management
3.1.1 Processes to Manage and Control Vendor Access
3.1.1.1. Access Request and Approval:
3.1.1.2. User Provisioning and De-Provisioning:
3.1.1.3. Multi-Factor Authentication (MFA):
3.1.1.4. Access Monitoring and Auditing:
3.1.1.5. Security Awareness and Training:
3.1.1.6. Incident Response and Communication:
3.1.1.7. Ongoing Vendor Management:
3.2 Strong Authentication Mechanisms
3.3 Access Segregation
3.4 Access Control Reviews
3.5 Privileged Access Management
3.7 Incident Response and Access Termination
3.8 Monitoring and Auditing


1. Introduction

1.1 Purpose

The purpose of this policy is to establish guidelines and requirements for managing third-party vendors who have access to cardholder data or are involved in payment processing within our organization.

This policy ensures the protection of sensitive information, maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS), and mitigates risks associated with third-party vendor relationships.

1.2 Scope

This policy applies to all third-party vendors engaged by our organization that handle, process, or store cardholder data, including payment processors, hosting providers, software vendors, and managed service providers.

This policy encompasses the entire vendor lifecycle, from selection and due diligence to monitoring, incident response, and termination.

1.3 Compliance

Compliance with this policy is mandatory for all employees, contractors, and stakeholders involved in vendor management processes.

This policy aligns with the requirements set forth by the PCI DSS, which mandates secure handling of cardholder data and the implementation of robust controls to protect against unauthorized access, disclosure, and misuse.

1.4 Objectives

  • Establish a framework for selecting and engaging third-party vendors based on security and compliance criteria.
  • Ensure that third-party vendors adhere to the same security standards and practices required by the organization.
  • Monitor and assess the ongoing security posture and compliance of third-party vendors.
  • Define the procedures for incident response, reporting, and collaboration with third-party vendors in the event of a security incident.
  • Promote transparency, accountability, and effective risk management throughout the lifecycle of third-party vendor relationships.

1.5 Responsibilities

All individuals involved in the vendor management process, including management, procurement, security, and compliance teams, are responsible for implementing and adhering to this policy.

It is their duty to understand, implement, and enforce the requirements outlined in this policy.

2. Vendor Selection and Due Diligence

2.1 Vendor Selection Criteria

Clearly defined criteria for selecting vendors based on their role, services, and compliance with security standards. See 2.2 Vendor Risk Assessment for criteria.

Consideration of vendor reputation, experience, financial stability, and ability to meet security and compliance requirements.

2.2 Vendor Risk Assessment

Conducting a comprehensive risk assessment for each potential vendor to assess the potential risks associated with their services and their impact on the organization's security posture.

Evaluation of the vendor's security controls, infrastructure, data handling practices, incident response capabilities, and business continuity/disaster recovery plans.

2.2.1. Security Controls

  • Evaluate the vendor's security controls and practices, including access controls, authentication mechanisms, encryption methods, and intrusion detection systems.
  • Assess the vendor's vulnerability management processes, patch management, and incident response capabilities.
  • Identify any potential weaknesses or vulnerabilities in the vendor's security posture.

2.2.2 Data Protection and Privacy

  • Review the vendor's data protection policies, procedures, and practices to ensure compliance with relevant regulations (e.g., GDPR, HIPAA).
  • Assess the adequacy of data encryption, data storage practices, and data retention policies.
  • Identify any risks related to data privacy, unauthorized access, or data leakage.

2.2.3. Compliance and Legal Obligations

  • Evaluate the vendor's compliance with industry-specific regulations, standards, and legal obligations (e.g., PCI DSS, ISO 27001).
  • Verify the vendor's certifications or audit reports conducted by reputable third parties.
  • Identify any risks associated with non-compliance, including potential financial penalties or reputational damage.

2.2.4. Business Continuity and Disaster Recovery

  • Assess the vendor's business continuity and disaster recovery plans, including backup procedures, recovery time objectives (RTOs), and recovery point objectives (RPOs).
  • Evaluate the vendor's ability to maintain service availability and recover from disruptions or outages promptly.
  • Identify any risks related to service interruptions, data loss, or prolonged downtime.

2.2.5. Financial Stability

  • Evaluate the vendor's financial stability and viability, considering factors such as financial reports, credit ratings, and references from financial institutions.
  • Assess any risks associated with the vendor's financial situation, such as the potential for bankruptcy or inability to meet contractual obligations.

2.2.6. Service Level Agreements (SLAs)

  • Review the vendor's SLAs and assess their alignment with our organization's requirements and expectations.
  • Evaluate the clarity and measurability of SLAs, including performance metrics, response times, and penalties for non-compliance.
  • Identify any risks associated with SLA deviations or potential service disruptions.

2.2.7. Reputation and References

  • Gather information on the vendor's reputation and track record through client references, industry assessments, and online reviews.
  • Consider feedback from other organizations that have previously engaged with the vendor.
  • Identify any risks related to the vendor's poor performance, unprofessional conduct, or negative reputation.

2.2.8. Geographic Considerations

  • Assess any risks associated with the vendor's geographic location, including political stability, legal jurisdiction, and data sovereignty regulations.
  • Consider the potential impact of geopolitical factors, natural disasters, or other regional risks on the vendor's operations.

2.2.9. Scalability and Growth Potential

  • Evaluate the vendor's scalability and ability to meet our organization's future needs and growth.
  • Consider the vendor's capacity to handle increased demand, technological advancements, and evolving business requirements.
  • Identify any risks associated with the vendor's limitations or inability to scale with our organization.

2.2.10. Contractual Terms and Conditions

  • Review the vendor's contract terms and conditions thoroughly, including termination clauses, intellectual property rights, and confidentiality agreements.
  • Assess the fairness and reasonableness of contractual obligations, liability limitations, and dispute resolution mechanisms.
  • Identify any risks associated with unfavorable contract terms or potential conflicts of interest.

2.3 Security Questionnaires and Assessments

Use of standardized security questionnaires (see Vendor Security Questionnaire and Assessment Form) to collect relevant information from vendors about their security practices, policies, and controls.

Conducting assessments, such as on-site visits or audits, to validate the vendor's security claims and evaluate their compliance with security requirements.

2.4 Contractual Requirements

Inclusion of specific security and compliance clauses (see Contract / Service-Level Agreements (SLA) Security and Compliance Clauses document) in contracts or service-level agreements with vendors. Minimum standards and procedures related to bribery and corruption are included in contractual agreements. The Company will not engage any third party that has either been suspected of or engaged in bribery.

Clearly defined expectations for cardholder data protection, incident response, and necessary security documentation.

Periodic review and update of contractual agreements to ensure they remain current and enforceable.

2.4.1. Expectations for Cardholder Data Protection, Incident Response, and Security Documentation

2.4.1.1. Cardholder Data Protection

   a. The vendor shall implement and maintain appropriate security controls to protect cardholder data in accordance with the Payment Card Industry Data Security Standard (PCI DSS) requirements.

   b. The vendor shall ensure that cardholder data is stored securely, transmitted securely, and protected against unauthorized access, disclosure, or alteration.

   c. The vendor shall encrypt cardholder data in transit and at rest, using industry-accepted encryption methods and strong cryptographic algorithms.

   d. The vendor shall restrict access to cardholder data on a need-to-know basis, implementing access controls and segregation of duties to prevent unauthorized access.

   e. The vendor shall regularly assess and update its cardholder data protection measures to address evolving security threats and industry best practices.

2.4.1.2. Incident Response

   a. The vendor shall adhere to Give’s incident response plan to detect, respond to, and recover from security incidents that may impact cardholder data.

   b. The vendor shall promptly report any security incidents or suspected breaches involving cardholder data to the organization.

   c. The incident response plan shall include clear procedures for incident identification, containment, investigation, and remediation.

   d. The vendor shall document and retain records of security incidents, including their nature, impact, and the actions taken for resolution.

   e. The vendor shall conduct post-incident reviews and implement improvements to prevent similar incidents in the future.

2.4.1.3. Security Documentation

   a. The vendor shall provide the organization with relevant security documentation, including but not limited to security policies, procedures, and standards.

   b. The vendor shall maintain up-to-date documentation of its security controls, systems configurations, and network diagrams.

   c. The vendor shall provide evidence of regular security assessments, audits, or penetration testing conducted by qualified third parties.

   d. The vendor shall share the results of any security audits or assessments, including any identified vulnerabilities or areas of improvement.

   e. The vendor shall provide the organization with necessary compliance reports, such as PCI DSS Reports on Compliance (RoC) or other relevant certifications or attestations.

2.4.1.4. Security Awareness and Training

   a. The vendor shall conduct regular security awareness and training programs for its employees to educate them about cardholder data protection, security best practices, and their roles and responsibilities.

   b. The vendor shall maintain records of employee training and ensure that training materials are updated regularly to address new security threats or requirements.

   c. The vendor shall ensure that employees understand the importance of cardholder data protection, confidentiality, and compliance with security policies.

2.5 Documentation and Certifications

Verification of the vendor's security policies, incident response plans, and certifications to ensure alignment with organizational requirements.

Review of relevant certifications, attestations, or audits conducted by reputable third parties, such as SOC 2, ISO 27001, or PCI DSS Reports on Compliance (RoC).

Review and validation of the vendor's compliance with applicable privacy regulations and data protection laws.

2.6 Vendor Performance Monitoring

Implementation of processes to monitor the ongoing performance of vendors, including regular reviews of service quality, adherence to contractual obligations, and incident response effectiveness.

Utilization of vendor performance metrics and key performance indicators (KPIs) to assess the vendor's service levels and ensure they meet organizational requirements.

2.6.1 Vendor Performance Metrics and Key Performance Indicators (KPIs)

2.6.1.1. Service Level Agreement (SLA) Compliance

  • Percentage of SLA targets met or exceeded.
  • Average response time to address service requests or incidents.
  • Number of SLA breaches or instances of non-compliance.

2.6.1.2. Quality of Service

  • Customer satisfaction ratings or surveys.
  • Number of customer complaints or escalations.
  • Average resolution time for customer issues.

2.6.1.3. Timeliness and On-Time Delivery

  • Percentage of orders or deliverables delivered on time.
  • Average lead time from order placement to delivery.
  • Number of late deliveries or missed deadlines.

2.6.1.4. Cost and Financial Performance

  • Cost savings achieved through vendor negotiations or efficiencies.
  • Price competitiveness compared to industry benchmarks.
  • Accuracy of vendor billing and invoicing.

2.6.1.5. Vendor Responsiveness and Communication

  • Average response time to inquiries or requests for information.
  • Availability and accessibility of vendor support or account management teams.
  • Frequency and quality of communication with the vendor.

2.6.1.6. Compliance and Risk Management

  • Vendor compliance with security and regulatory requirements.
  • Number of security incidents or breaches related to the vendor.
  • Vendor's risk management practices and mitigation efforts.

2.6.1.7. Innovation and Continuous Improvement

  • Number of vendor-proposed innovations or enhancements implemented.
  • Contribution of the vendor to process improvements or cost reduction initiatives.
  • Participation in joint innovation projects or collaborative efforts.

2.6.1.8. Relationship Management

  • Frequency and quality of vendor relationship meetings or reviews.
  • Vendor's level of engagement and alignment with the organization's strategic goals.
  • Trust and confidence in the vendor's ability to deliver value.

2.6.1.9. Contractual and Legal Compliance

  • Vendor compliance with contract terms and conditions.
  • Timely submission of required reports or documentation.
  • Adherence to legal and regulatory obligations relevant to the contract.

2.6.1.10. Vendor Stability and Business Continuity

  • Vendor's financial stability and viability.
  • Business continuity and disaster recovery planning and testing.
  • Vendor's track record of successful long-term partnerships or contracts.

3. Access Controls

3.1 Vendor Access Management

Implementation of processes to manage and control vendor access to cardholder data and systems.

Establishing procedures for granting, modifying, and revoking vendor access privileges based on the principle of least privilege.

Regular review and validation of vendor access rights to ensure appropriateness and compliance.

3.1.1 Processes to Manage and Control Vendor Access

3.1.1.1. Access Request and Approval:

   a. Implement a formal process for vendors to request access to cardholder data and systems.

   b. Require vendors to submit access requests through a designated channel or system.

   c. Designate responsible individuals or teams to review and approve vendor access requests based on predefined criteria and the principle of least privilege.

   d. Ensure access approvals are documented, including the justification for access, duration, and any conditions or restrictions.

3.1.1.2. User Provisioning and De-Provisioning:

   a. Establish a process for provisioning vendor accounts with appropriate access privileges based on their approved access requests.

   b. Implement identity and access management (IAM) controls to ensure secure provisioning of vendor accounts and credentials.

   c. Periodically review and validate vendor access privileges to ensure they remain necessary and appropriate.

   d. Implement a process for timely de-provisioning of vendor accounts upon contract termination or change in vendor relationship.

3.1.1.3. Multi-Factor Authentication (MFA):

   a. Require vendors to use multi-factor authentication (MFA) when accessing cardholder data or critical systems.

   b. Implement MFA solutions that align with industry best practices and provide an additional layer of security beyond passwords.

3.1.1.4. Access Monitoring and Auditing:

   a. Implement robust logging and monitoring mechanisms to track and record vendor access activities.

   b. Regularly review vendor access logs and audit trails for any suspicious or unauthorized activities.

   c. Conduct periodic access reviews to validate the ongoing need for vendor access and detect any potential access anomalies.

3.1.1.5. Security Awareness and Training:

   a. Provide security awareness training to vendors, specifically addressing their responsibilities in protecting cardholder data.

   b. Educate vendors on the organization's security policies, incident response procedures, and data handling requirements.

   c. Regularly communicate security updates, policy changes, and any relevant security incidents to vendors.

3.1.1.6. Incident Response and Communication:

   a. Define incident response procedures and escalation paths that include vendors' roles and responsibilities in the event of a security incident.

   b. Establish clear communication channels to enable prompt reporting and collaboration between the organization and vendors during incident response.

   c. Include contractual obligations for vendors to notify the organization of any security incidents or breaches promptly.

3.1.1.7. Ongoing Vendor Management:

   a. Conduct regular vendor performance reviews and assessments, including their adherence to security controls and contractual obligations.

   b. Maintain open lines of communication with vendors to address any security concerns, changes in access requirements, or updates to security policies and procedures.

   c. Periodically validate vendor compliance with security requirements through audits, assessments, or self-assessment questionnaires.

3.2 Strong Authentication Mechanisms

Requiring vendors to use strong authentication methods, such as multi-factor authentication (MFA), for accessing cardholder data systems.

Enforcing the use of complex and unique passwords, expiration policies, and account lockout mechanisms.

3.3 Access Segregation

Implementing access segregation measures to prevent unauthorized access and limit the scope of vendor access.

Separating duties to ensure that vendors only have access to the specific resources necessary for their assigned tasks.

3.4 Access Control Reviews

Conducting periodic reviews of vendor access controls to validate that access privileges are aligned with business requirements and compliance standards.

Reviewing access logs and activity records to detect and investigate any suspicious or unauthorized access attempts.

3.5 Privileged Access Management

Implementing controls to manage and monitor privileged access granted to vendors.

Requiring vendors to follow specific procedures for requesting and using privileged access, such as using secure jump hosts or session recording.

3.7 Incident Response and Access Termination

Defining procedures for vendor access termination in the event of contract termination or change in vendor relationship.

Ensuring immediate removal of vendor access privileges upon termination, along with proper return or destruction of any cardholder data.

3.8 Monitoring and Auditing

Implementing monitoring and auditing mechanisms to track and record vendor access activities.

Regularly reviewing access logs, audit trails, and system logs to identify any suspicious or unauthorized access attempts.

The information contained herein is intended to provide a general overview of the Company’s policies and procedures relating to compliance with this Policy and does not constitute legal advice or a complete description of the laws and regulations relating to this Policy. The Company has made every effort to ensure the accuracy and completeness of this Policy. This document is intended to provide guidance to employees of Company on how to comply with applicable laws and regulations related to this Policy. Employees should consult with the Legal or Compliance Department if they have any questions about the Policy or how to comply with it. Company reserves the right to modify or update this Policy at any time without notice. Employees are responsible for reviewing the Policy on a regular basis to ensure that they are aware of any changes. This Policy applies to all employees of Company, regardless of their position or location, unless stated otherwise in the Policy. Employees are responsible for complying with the Policy and for reporting any suspected violations to their respective supervisor, the Legal Department, AMLCO or respective recipient of such violation as outlined in this Policy.

Copyright © GiveCorporation Inc. All Rights Reserved