If you haven’t learned about the new American Express data breach, you can read about it here.
https://www.mass.gov/doc/assigned-data-breach-number-2024-377-american-express-travel-related-services-company-inc/download
It seems there was a third-party data breach involving AMEX card numbers, but the notification letter is thin on details. What we do know is that outsourcing to a third party transfers some of the risk away from you, but not the reputational damage, which is exactly what AMEX is experiencing now. When selecting a third-party service provider, it is critical to perform your own due diligence by vetting the candidates. Use detailed written agreements that establish a mutual understanding of each party's cardholder data protection controls and safe-handling procedures. In fact, the Security Council has published a useful information supplement titled “Third-Party Security Assurance and Shared Responsibilities”. It explains, for example, how to engage prospective payment service providers and how to scope the services they will provide. Be mindful of the reputation of the company you are considering, its insurance coverage, any chained (fourth-party) providers it relies on, previous breaches, business continuity, and financial stability. Essentially, you are required to perform a risk assessment and document the results.
Each risk assessment should begin with a non-disclosure agreement; only once it is in place should the assessment itself start.