Security Experts: PCI DSS 3.0 Puts Spotlight on Third-Party Security

Sometimes, securing your own network isn't enough to guard against a data breach; your ecosystem of third-party providers can introduce a new set of risks to data as well.

The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) seeks to help address that issue. PCI DSS 3.0 becomes mandatory on Jan. 1, 2015, except for a few provisions that will be treated as best practices until they become full requirements in July. Businesses will now be required to pay closer attention to the security practices of their partners, a change security experts say may make a difference.

Troy Leach, CTO of the PCI Security Standards Council, called third-party security a "weak point" for organizations that sometimes make the mistake of entrusting sensitive data to third-party vendors without verifying they have the proper security posture.

"Updates introduced with PCI DSS 3.0 and recently released Special Interest Group guidance aim to help organizations adequately address payments risks in their contracts with third parties and perform ongoing due diligence to ensure sufficient levels of card security are maintained by their business partners," he told SecurityWeek. "The guidance lays out information on monitoring the relationships with third-party service providers (TPSP). Once the agreements have been established, the ongoing monitoring and maintenance of the TPSP relationship is critical. Understanding the relationship and scope of services, maintaining documentation/evidence to verify the services of the TPSP are secure, and ongoing monitoring of the TPSP compliance status are key to ensuring the TPSP maintains their compliance for the services provided."

So far this year a number of high-profile attacks were traced to breaches at a third-party vendor, including the attacks on Lowe's and Dairy Queen. The new rules, said Trustwave's Jonathan Spruill, mandate that providers clearly articulate what PCI DSS controls they will address and what will be left to the business.

"There is a significant blind spot between third-party providers and businesses – although it’s not intentional," said Spruill, senior security consultant at Trustwave. "Each party assumes the other is doing its part in securing their information yet that assumption is oftentimes incorrect. For example, when retailers contract out their point-of-sale systems and maintenance, many assume the third-party provider is using a complex password. However, as noted in our 2014 Trustwave Global Security Report, weak passwords opened the door for the initial intrusion in 31 percent of compromises we investigated in 2013. Using strong passwords is a basic best security practice that is overlooked by many third-party service providers and other businesses."

Remote access by third-party vendors is a thorny security issue. Earlier this year, for example, reports surfaced of attackers taking advantage of tools such as LogMeIn and Remote Desktop to compromise systems. PCI DSS 3.0, however, adds a requirement that service providers with remote access to their customers' systems use unique authentication credentials for each customer. This requirement will go into effect in July.

"Using unique passwords definitely helps decrease risk," said Spruill. "We also recommend businesses use two-factor authentication to add an extra layer of security in case a criminal compromises a third party provider’s password. As an overall best security practice though, businesses should limit who has access to their most critical data to only those who need it. For example, if a third party service provider needs to remotely repair an issue on a retailer’s POS system, the provider should only be able to access that system, not the business’s entire infrastructure."
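The two controls discussed above, one credential per customer and vendor access limited to the systems the vendor is contracted to support, can both be checked against a provider's remote-access records. The script below is an added example, not code from PCI SSC, Trustwave or SecurityWeek; the key=value log layout, the customer names and the contracted-scope table are all constructed assumptions.

```python
"""Review a service provider's remote-access records for two PCI DSS 3.0
concerns: one credential reused across several customers, and sessions that
reach hosts outside the system the provider is contracted to support."""
from collections import defaultdict

# Constructed sample records (hypothetical key=value format, not real data).
SAMPLE_LOG = """\
2014-11-20T02:13:44Z customer=retailer-a user=vendor-support host=pos-a-01 result=success
2014-11-20T02:40:02Z customer=retailer-b user=vendor-support host=pos-b-01 result=success
2014-11-21T09:05:10Z customer=retailer-a user=ra-tech-7f3 host=pos-a-02 result=success
2014-11-21T11:17:51Z customer=retailer-b user=rb-tech-9c1 host=pos-b-01 result=success
2014-11-21T11:22:08Z customer=retailer-b user=rb-tech-9c1 host=db-b-01 result=success
"""

# Hypothetical contracted scope: the hosts each customer allows the provider to reach.
CONTRACTED_SCOPE = {
    "retailer-a": {"pos-a-01", "pos-a-02"},
    "retailer-b": {"pos-b-01"},
}


def parse_log(text):
    """Turn key=value log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        record = {"time": timestamp}
        for field in fields:
            key, _, value = field.partition("=")
            record[key] = value
        records.append(record)
    return records


def shared_credentials(records):
    """Credentials seen at more than one customer; each should be unique per customer."""
    customers = defaultdict(set)
    for r in records:
        customers[r["user"]].add(r["customer"])
    return {user: sorted(c) for user, c in customers.items() if len(c) > 1}


def out_of_scope_access(records, scope):
    """Sessions that reached a host the customer did not place in the provider's scope."""
    return [(r["customer"], r["user"], r["host"])
            for r in records if r["host"] not in scope.get(r["customer"], set())]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("credentials shared across customers:", shared_credentials(recs))
    print("out-of-scope sessions:", out_of_scope_access(recs, CONTRACTED_SCOPE))
```

Run against the sample, the shared-credential check flags `vendor-support` at both retailers, and the scope check flags the `rb-tech-9c1` session that reached a database host the POS support contract does not cover.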

The bottom line, said Sophos Security Advisor John Shier, is that third-party vendors should be held to the same or a higher standard than the company holds itself to.

"I don't know that many smaller retailers understand that they need to," said Shier. "My guess is that they would pick a reputable vendor and trust that the vendor has done everything they need to in order to be compliant. Three hundred sixty degrees of responsibility means that you also need to audit those third-party vendors to ensure that they do comply. With limited resources, this can pose a problem for many small businesses."
