Due Diligence and Ongoing Monitoring

  • 1.  Fiserv (gasp) VDD

    This message was posted by a user wishing to remain anonymous
    Posted 12 days ago

    Good morning,

    Does anyone have any recommended best practice/approach to vendor due diligence with the big F? We currently have Fiserv as a vendor and unsurprisingly, it is a critical component in our organization. We outsource to a third-party for a comprehensive risk assessment but the third-party we use has a product/service approach to their risk assessment and not a holistic risk assessment to the vendor itself.

    What's been your recommended practice for this type of vendor where they are essentially a vendor that offers many different services to the organization? We would like a risk assessment of the vendor itself, and not just some of the critical products/services they offer. Or is that a waste of money/resource and we should only conduct a risk assessment based on products/services?



  • 2.  RE: Fiserv (gasp) VDD

    Posted 12 days ago

    Typically if a vendor has different products/services, we will complete a separate vendor risk assessment based on whether there are specific due diligence documents for specific products/services. If the due diligence documents reflect the company as a whole, then we assess the vendor as a whole. 

    Also, keep in mind that if you switch specific products/services to a different vendor in the future, the vendor relationship will change. Having specific vendor risk assessments for specific products/services, future-proofs your vendor risk assessments. 

    I don't think there is a right or wrong way; whatever fits your organization best!  




  • 3.  RE: Fiserv (gasp) VDD

    This message was posted by a user wishing to remain anonymous
    Posted 11 days ago

    We review their SOC report, and their FFIEC report which we obtain from our regulator as well as collect insurance and evidence of security testing. 




  • 4.  RE: Fiserv (gasp) VDD

    Posted 11 days ago

    Good morning!

    I'm hoping this will help!  For a good portion of the due diligence and monitoring documentation we collect, I go through the Client360 portal that Fiserv has, and search mostly for 'Compliance' in the Publications section.  Do you have access there?  I know I have found SOC reports, and various other documents and reports.  I cannot recall off-hand if the PCI DSS and Business Continuity/Disaster Recovery testing was in the Compliance section or a different area.  For any items we don't find in the portal, we have reached out to a Client Service Partner, to gather more insights. 

    Are there specific documents/reviews that you are looking to collect for the vendor itself?  Again, I hope this is helpful in the quest!

    Thanks!!

    Tracey L. Campbell




  • 5.  RE: Fiserv (gasp) VDD

    Posted 11 days ago

    Do you use the CCM Module at Fiserv, Tracey? They have a couple of different SOC reports. I recently came across a Card Services SOC. I'm trying to figure out if that report covers CCM, and rather than answer my question, they keep sending me new DD documents.

    Do you know which SOC covers CCM by any chance?

    Thanks so much!






  • 6.  RE: Fiserv (gasp) VDD

    Posted 11 days ago

    Hi Cheryl!

    We do not use the CCM module; however, I just did a quick scan through the SOC report, and I think you are spot on that it covers those services too!  On pages 14 and 19 of the most recent 2023 SOC 2 Type 2 Card Services report, it references credit card services.  Take a quick peek there just to confirm, because I feel as though that covers it!  You know what, if you see the January 2024 Bridge Letter as well, that lists out the SOC reports they have.  I bet that may be helpful as well to ensure the products/services you use are listed!

    I wish it would give specifics on what actual products are covered, but I am guessing they just have too many to outline.  I remember trying to work with them on a similar question a while back, and it was tough to get a straight answer.  

    I also review the Fiserv Technology Services SOC 2 Type 2 report, and Fiserv Enterprise Technology SOC 1 Type 2 report, because they are critical to the operations.  There is a more detailed description of their involvement on Page 20 of the SOC report of FTS (which is also Fiserv Enterprise Technology...the name looks like it is changing according to the January 2024 Bridge Letter).  Haha, I think they enjoy changing names a little too much...just when you think you have it down!  Network, logical and physical controls are in scope for FTS/Fiserv Enterprise Technology.

    I hope this helps:)

    Thanks so much!!

    Tracey




  • 7.  RE: Fiserv (gasp) VDD

    Posted 11 days ago

    Thanks Tracey, this is very helpful. I will check out what you suggest, then go from there.

    Oh, good grief. Another name change. Lucky us. LOL.

    Take care!

    Cheryl






  • 8.  RE: Fiserv (gasp) VDD

    Posted 6 days ago

    Thanks for the information, Tracey. Much appreciated.

    Cheryl






  • 9.  RE: Fiserv (gasp) VDD

    Posted 11 days ago

    Cheryl, if you can email me your contact info I can assist.  I do believe it's covered in the Card SOC and I can help point you in that direction.

    Veralyn Hensley

    SVP, Director of Vendor Management

    Mechanics Bank