Due Diligence and Ongoing Monitoring

  • 1.  Credit Cards

    Posted 02-07-2024 11:40 AM

    Our organization is not a bank.  This question is not about credit card processors. 

    We have corporate credit cards issued to a limited number of individuals. One credit card is issued by Sunoco for corporate fleet fuel purchases. Do you include the issuer of a credit card in your vendor management program including the recurring oversight and monitoring tasks? In our system the issuer has a No Impact risk ranking.



    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------


  • 2.  RE: Credit Cards

    This message was posted by a user wishing to remain anonymous
    Posted 02-08-2024 06:55 PM

    Totally agree. Was never on our firm's list. (Personal opinion: If the credit card issuer goes out of business, your firm likely has a max one week of inconvenience without corporate cards. Which gets bridged by folks using their own for emergent needs, travel etc. and getting reimbursed. Inconvenient for all concerned but not a risk to your company.)




  • 3.  RE: Credit Cards

    Posted 02-15-2024 10:36 AM

    I'm curious about other types of risk related to credit card issuers that would make you want them to be a part of the TPRM inventory for risk assessments. Thinking from assessing privacy or cyber security, assuming the credit card issuers are getting PII type data. How are others handling that?




  • 4.  RE: Credit Cards

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 10:00 AM

    Suggest that you confirm that PII is being shared. Our company card is issued in the company's name; to my knowledge, my SSN wasn't surrendered to the issuer. It's the company's credit backing the cards - not mine. Doesn't appear on my credit report as a verification.

    Because that's true, our company does not include the credit card issuer in our Third Party Risk Management Program.

    I agree with the sentiment you're expressing: If PII is being shared, then the credit card issuer should be vetted according to your program requirements.

    Hope that helps.