PCI DSS 3.0 Puts Spotlight on Third-Party Security

Sometimes, securing your own network isn’t enough to guard against a data breach; your ecosystem of third-party providers can introduce a new set of risks to data as well.


The latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.0) seeks to help address that issue. On Jan. 1, 2015, PCI DSS 3.0 will become mandatory save for a few provisions that will be treated as best practices before becoming full requirements in July, and businesses will now be required to pay closer attention to the security practices of their partners – a reality security experts say may make a difference.

Troy Leach, CTO of the PCI Security Standards Council, called third-party security a “weak point” for organizations that sometimes make the mistake of entrusting sensitive data to third-party vendors without verifying they have the proper security posture.

“Updates introduced with PCI DSS 3.0 and recently released Special Interest Group guidance aim to help organizations adequately address payments risks in their contracts with third parties and perform ongoing due diligence to ensure sufficient levels of card security are maintained by their business partners,” he told SecurityWeek. “The guidance lays out information on monitoring the relationships with third-party service providers (TPSP). Once the agreements have been established, the ongoing monitoring and maintenance of the TPSP relationship is critical. Understanding the relationship and scope of services, maintaining documentation/evidence to verify the services of the TPSP are secure, and ongoing monitoring of the TPSP compliance status are key to ensuring the TPSP maintains their compliance for the services provided.”

So far this year, a number of high-profile attacks have been traced to breaches at third-party vendors, including the attacks on Lowe’s and Dairy Queen. The new rules, said Trustwave’s Jonathan Spruill, mandate that providers clearly articulate which PCI DSS controls they will address and which will be left to the business.

“There is a significant blind spot between third-party providers and businesses – although it’s not intentional,” said Spruill, senior security consultant at Trustwave. “Each party assumes the other is doing its part in securing their information yet that assumption is oftentimes incorrect. For example, when retailers contract out their point-of-sale systems and maintenance, many assume the third-party provider is using a complex password. However, as noted in our 2014 Trustwave Global Security Report, weak passwords opened the door for the initial intrusion in 31 percent of compromises we investigated in 2013. Using strong passwords is a basic best security practice that is overlooked by many third-party service providers and other businesses.”

Remote access by third-party vendors is a thorny security issue. Earlier this year, for example, reports surfaced of attackers taking advantage of tools such as LogMeIn and Remote Desktop to compromise systems. PCI DSS 3.0, however, adds a new requirement that service providers with remote access use unique authentication credentials for each customer. This requirement will go into effect in July.

“Using unique passwords definitely helps decrease risk,” said Spruill. “We also recommend businesses use two-factor authentication to add an extra layer of security in case a criminal compromises a third party provider’s password. As an overall best security practice though, businesses should limit who has access to their most critical data to only those who need it. For example, if a third party service provider needs to remotely repair an issue on a retailer’s POS system, the provider should only be able to access that system, not the business’s entire infrastructure.”
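As an added illustration (not code from the article or from any of the companies quoted in it), the following Python audit checks a constructed inventory of a service provider's remote-access accounts for the three weaknesses discussed above: one credential reused across customers, accounts without two-factor authentication, and access scoped to a customer's whole network rather than the one system being serviced. The inventory records and field names are assumptions.

```python
"""Audit a third-party provider's remote-access credential inventory.

Constructed example. Each record describes one remote-access account the
provider holds for a customer: which customer, the account name, the
secret, whether two-factor auth is enforced, and which customer hosts the
account may reach ("*" means the whole customer network).
"""
import hashlib
from collections import defaultdict

# Constructed inventory, not real data. Retailers A and B share a secret,
# B has no second factor, and C's account can reach everything.
INVENTORY = [
    {"customer": "retailer-A", "user": "svc-pos", "secret": "Summer2014!",    "mfa": True,  "scope": ["pos-01"]},
    {"customer": "retailer-B", "user": "svc-pos", "secret": "Summer2014!",    "mfa": False, "scope": ["pos-01"]},
    {"customer": "retailer-C", "user": "svc-pos", "secret": "kX9#bT2q!vLm4R", "mfa": True,  "scope": ["*"]},
    {"customer": "retailer-D", "user": "svc-pos", "secret": "zP4$nW8e!cHj2Y", "mfa": True,  "scope": ["pos-02"]},
]


def fingerprint(secret: str) -> str:
    """Compare secrets by digest so the report never has to carry the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def audit(inventory):
    """Return a sorted list of (finding, subject, detail) tuples.

    shared_credential: the same secret is used for more than one customer
                       (subject is the tuple of customers, detail the digest)
    no_mfa:            the account has no second factor
    overbroad_scope:   the account can reach the customer's whole network
    """
    findings = []
    customers_by_secret = defaultdict(set)
    for acct in inventory:
        customers_by_secret[fingerprint(acct["secret"])].add(acct["customer"])
        if not acct["mfa"]:
            findings.append(("no_mfa", acct["customer"], acct["user"]))
        if "*" in acct["scope"]:
            findings.append(("overbroad_scope", acct["customer"], acct["user"]))
    for digest, customers in customers_by_secret.items():
        if len(customers) > 1:  # one credential unlocks several customers
            findings.append(("shared_credential", tuple(sorted(customers)), digest))
    return sorted(findings, key=str)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```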

The bottom line, said Sophos Security Advisor John Shier, is that third-party vendors should be held to the same standard as, or a higher standard than, the one the company holds itself to.

“I don’t know that many smaller retailers understand that they need to,” said Shier. “My guess is that they would pick a reputable vendor and trust that the vendor has done everything they need to in order to be compliant. Three hundred sixty degrees of responsibility means that you also need to audit those third-party vendors to ensure that they do comply. With limited resources, this can pose a problem for many small businesses.”
