Thanks Tracey, this is very helpful. I will check out what you suggest, then go from there.
Oh, good grief. Another name change. Lucky us. LOL.
Take Care!
Cheryl
Original Message:
Sent: 4/24/2024 1:30:00 PM
From: Tracey Campbell
Subject: RE: Fiserv (gasp) VDD
Hi Cheryl!
We do not use the CCM module, however I just did a quick scan through the SOC report, and I think you are spot on that it covers those services too! On Pages 14 and 19 of the most recent 2023 SOC 2 Type 2 Card Services reports, it references credit card services. Take a quick peek there just to confirm, because I feel as though that covers it! You know what, if you see the January 2024 Bridge Letter as well, that lists out SOC reports they have. I bet that may be helpful as well to ensure the products/services you use are listed!
I wish it would give specifics on what actual products are covered, but I am guessing they just have too many to outline. I remember trying to work with them on a similar question a while back, and it was tough to get a straight answer.
I also review the Fiserv Technology Services SOC 2 Type 2 report, and Fiserv Enterprise Technology SOC 1 Type 2 report, because they are critical to the operations. There is a more detailed description of their involvement on Page 20 of the SOC report of FTS (which is also Fiserv Enterprise Technology...the name looks like it is changing according to the January 2024 Bridge Letter). Haha, I think they enjoy changing names a little too much...just when you think you have it down! Network, logical and physical controls are in scope for FTS/Fiserv Enterprise Technology.
I hope this helps:)
Thanks so much!!
Tracey
Original Message:
Sent: 04-24-2024 11:42 AM
From: Cheryl Turner
Subject: Fiserv (gasp) VDD
Do you use the CCM Module at Fiserv, Tracey? They have a couple different SOC reports. I recently came across a Card Services SOC. I'm trying to figure out if that report covers CCM, and rather than answer my question, they keep sending me new DD Documents.
Do you know which SOC covers CCM by any chance?
Thanks so much!
Original Message:
Sent: 4/24/2024 9:04:00 AM
From: Tracey Campbell
Subject: RE: Fiserv (gasp) VDD
Good morning!
I'm hoping this will help! For a good portion of the due diligence and monitoring documentation we collect, I go through the Client360 portal that Fiserv has, and search mostly for 'Compliance' in the Publications section. Do you have access there? I know I have found SOC reports, and various other documents and reports. I cannot recall off-hand if the PCI DSS and Business Continuity/Disaster Recovery testing was in the Compliance section or a different area. For any items we don't find in the portal, we have reached out to a Client Service Partner, to gather more insights.
Are there specific documents/reviews that you are looking to collect for the vendor itself? Again, I hope this is helpful in the quest!
Thanks!!
Tracey L. Campbell
Original Message:
Sent: 04-23-2024 11:51 AM
From: Anonymous Member
Subject: Fiserv (gasp) VDD
This message was posted by a user wishing to remain anonymous
Good morning,
Does anyone have any recommended best practice/approach to vendor due diligence with the big F? We currently have Fiserv as a vendor and unsurprisingly, it is a critical component in our organization. We outsource to a third party for a comprehensive risk assessment but the third party we use has a product/service approach to their risk assessment and not a holistic risk assessment to the vendor itself.
What's been your recommended practice for this type of vendor where they are essentially a vendor that offers many different services to the organization? We would like a risk assessment of the vendor itself, and not just some of the critical products/services they offer. Or is that a waste of money/resource and we should only conduct a risk assessment based on products/services?