Due Diligence and Ongoing Monitoring

  • 1.  Grab-and-go Market Vendor for Employees

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2021 02:36 PM

    Hi,

    I am in the Vendor Management Department at a financial institution and there is a market area for employees at our HQ. The market has a point of sales system which employees use to make purchases. 

    The machine does not store data per se but obviously processes all credit card transactions. We do consider credit card account numbers to be GLBA NPPI but are wondering- should we be reviewing due diligence for this POS vending system?

    Has anyone else come across this kind of situation and what is recommended in this case?

    Thanks in advance for everyone's help!



  • 2.  RE: Grab-and-go Market Vendor for Employees

    Posted 05-18-2021 02:53 PM
    You could, but I would ask for a copy of the merchant's PCI Self-Assessment Questionnaire. It will detail how the system works and how the data is protected.


  • 3.  RE: Grab-and-go Market Vendor for Employees

    This message was posted by a user wishing to remain anonymous
    Posted 05-18-2021 02:55 PM

    We had IT review our set-up just to make sure it was separate from the network, etc. so it was not a point of vulnerability. Consumers are using their cards to purchase things in this scenario, and it is not the bank passing info to a vendor, in my opinion.


  • 4.  RE: Grab-and-go Market Vendor for Employees

    This message was posted by a user wishing to remain anonymous
    Posted 05-19-2021 09:02 AM

    We also had our Information Security team separate the connection from our networks. 

    The conduit through which the POS was connecting to the external network was compromised just before we implemented it and consumer credit card information was compromised (not our members, as we were not yet operational at that time, but for other companies using a similar set-up). 

    So in a case like this, I wonder if our members will care about the technicality that "they are purchasing directly from the vendor", when it's housed in our building. Seems like the responsibility to keep their information safe would still fall on us.

    I really appreciate your input. I'm curious what anyone thinks about where the responsibility lies.


  • 5.  RE: Grab-and-go Market Vendor for Employees

    This message was posted by a user wishing to remain anonymous
    Posted 05-19-2021 11:21 AM

    I can elaborate. Take a look at your contract. That is what defines the relationship. I have seen these structured where the vending company (not the machine manufacturer) is the counterparty and is responsible for its systems and the FI is responsible for its own systems. We do not allow them to use our network so there is no interaction between the two. The vending company is clearly defined within the contract as the merchant in a point of sale transaction with the consumer and takes on all the responsibilities for card data security, etc. that go along with that role. There could be indemnifications related to that, etc. depending upon the contract. There's an obvious reputation risk if you choose a sketchy vending company with bad vending machines to set up in your HQ, but it is not the same thing at all from an FI regulatory perspective as when the FI is passing customer data to a service provider. This is my view only from contracts that I have seen in my experience and YMMV.


  • 6.  RE: Grab-and-go Market Vendor for Employees

    This message was posted by a user wishing to remain anonymous
    Posted 05-20-2021 10:45 AM

    Thank you!