Due Diligence and Ongoing Monitoring

  • 1.  Key Injection Vendors

    Posted 07-15-2022 10:55 AM
    Good morning everyone!

    I hope all is well. I wanted to inquire if anyone has dealt with key injection vendors. If so, does anyone have a blank service agreement they would be willing to share? I am interested to learn how others complete their due diligence and what you require for review. 

    Thank you in advance!

  • 2.  RE: Key Injection Vendors

    Posted 07-19-2022 11:11 AM
    For the benefit of other members, I thought it would be helpful to define Key Injection. Key injection involves injecting encryption keys for payment processors that handle electronic transactions at POS terminals.

    ESOs, or encryption support organizations, are the only organizations qualified to perform key injection for businesses. ESO status requires strict security guidelines regarding payment data, hardware, and networks.  

    This type of technology service is relatively high-risk, so your due diligence efforts should reflect that. In addition to your standard technology due diligence, you should pay attention to PCI certification and their SOC 2 Type 2. Additional requirements may exist if federal or state government agencies or facilities use the POS terminals.

    While I don't have a sample agreement to share, I recommend that your contract include all certifications, cybersecurity and privacy requirements, standards of service or Service Level Agreements, and the right to audit.

    I hope my answer was helpful, but I would love to hear from other members who have experience with Key Injection services.