On November 1, 2016, the latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.2) took effect. The PCI DSS 3.2 has a number of notable changes, particularly for third party service providers.
During the past few years, we have seen a barrage of data breaches in which the attackers broke in through a third party service provider. According to a Ponemon Institute study, nearly half of risk professionals say their organization experienced a data breach caused by one of their vendors. Seventy-three percent see the number of cyber security incidents involving vendors increasing, and 65 percent say it is difficult to manage cyber security incidents involving vendors. Although the pure financial impact can often be mitigated through contracts or insurance, the reputational impact is much harder to mitigate.
Some companies partner with thousands of vendors. With already limited headcount and resources, understanding what each of those vendors’ users is doing on the network is a daunting task. The fact that PCI DSS 3.2 puts more responsibility on vendors to ensure their users adopt secure cyber practices will go a long way toward easing that burden.
One PCI DSS 3.2 requirement that stands out is that executive management for service providers is required to “establish responsibility” for the protection of cardholder data and a PCI DSS compliance program. The requirement is intended to “ensure executive-level visibility into the PCI DSS compliance program.”
Due to an increased understanding of the impact of poorly managed cyber risk, in addition to regulations like the PCI 3.2 and upcoming New York State Department of Financial Services requirements that assign accountability to executives and board members, we are seeing more executives and board members actively participating in the cyber risk management process. The shift benefits the entire cyber security industry because when company leaders understand their cyber risk posture, they make more effective risk reduction decisions.
Employees throughout the company also act with cyber security in mind because they know the top level is paying attention. By requiring top-level executives of third party service providers to get more involved in protecting cardholder data, vendors should see the same results as their enterprise clients. Their executives will know whether their company is elevating a client’s risk of a breach, and can take action to reduce that risk before it’s too late.
Another related requirement is that service providers must perform reviews at least quarterly to confirm that employees are following security policies and operational procedures. The requirement puts the onus on the providers themselves (rather than solely on the enterprise) to make sure security best practices are being followed. While “at least quarterly” isn’t a firm “must be performed quarterly,” it at least points toward more frequent reviews than once a year.
PCI DSS 3.2 should greatly help companies reduce third party vendor risk, and it marks the start of a shift from a check-the-compliance-box activity to a more continuous compliance model.
A new requirement in that vein is requirement 6.4.6, which states, “Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.” This means that PCI DSS compliance is no longer just a once-a-quarter or annual exercise, but one that requires attention any time there is a significant change.
While I believe there is a long way to go in this regard, the requirement puts compliance on the radar every day, not just four times a year. As the industry shifts to this continuous compliance model, you will see increased focus on measuring effectiveness rather than just compliance. It also means that the quarterly, manual spreadsheet shuffle needs to be automated in a way that can be monitored on a regular basis.
This continuous compliance model also needs to extend to reducing vendor risk. Companies need to monitor the level of access vendor users receive to their most valued applications and systems, and how that access is being used. Minimizing vendor access to valued assets so that only users who need access get it, and monitoring activity to identify anomalous behavior are two critical steps to minimizing exposure to third party risk.
PCI DSS 3.2 has recognized and called out the need for enterprises to ensure their vendors step up their game, and to reconfirm a secure posture whenever significant changes are made. Once cyber risk management becomes part of a company’s everyday practices, just like other critical organizational functions, demonstrating compliance with PCI DSS 3.2 and similar regulations will become a non-event.