
How does PCI DSS Prevent Supply Chain Attacks?

Today, a growing number of hackers are adopting sophisticated tools and techniques to attack a company’s Supply Chain Management and wreak havoc in business operations.


In today’s evolving digital world, a supply chain attack is not a new threat; in fact, 80% of retail data breaches are due to supply chain attacks. A growing number of attackers are adopting sophisticated tools and techniques to compromise a company’s supply chain management and disrupt business operations, and the impact can be devastating and at times irreversible. In online retail, the supply chain is an essential part of business operations: most businesses today rely on third-party services that span a large and diverse network across national and international boundaries. Putting robust cybersecurity measures in place across a network of that size is challenging, especially as cyberattacks become more sophisticated and advanced, and it leaves attackers an open door to many loopholes and weak points for exploitation.

By Narendra Sahoo, Founder, and Director, VISTA InfoSec

Although organizations are investing heavily in cybersecurity measures, little is done to address the root cause of these attacks, which requires evaluating and monitoring the security of third-party service providers. Organizations do take measures to minimize the damage caused by supply chain attacks, but the only way to deal with them is to prevent such attacks and breach incidents by building a strong defense. To explain this in detail, let us look at the risk of a supply chain attack arising from the outsourcing of credit card payment processing, and at how compliance with PCI DSS helps mitigate and manage the risks associated with third parties that have access to Cardholder Data (CHD). But first, let us understand the nuances of a supply chain attack.

What is a Supply Chain Attack?

A supply chain attack, also popularly known as a third-party attack, happens when an attacker infiltrates an organization through a third-party service provider’s systems or networks and gains unauthorized access to business-critical and sensitive systems and data. This technique changes the entire dynamics of a business’s attack surface, making cybersecurity measures more complex and challenging. As a result, the risks associated with supply chain attacks are higher, especially given the types and sophistication of attacks and the increased oversight from regulators.

With an immense number of advanced tools and techniques at their disposal, attackers have become more creative and are constantly evolving the techniques they use to infiltrate their targets’ systems and networks. The supply chain has also made it easier for them to compromise larger business groups and organizations. Because the attack enters through a backdoor in a trusted software application, which masks the malicious nature of the software, detecting a supply chain attack is inherently difficult, and the threat simply goes undetected by traditional security measures.

How does compliance to PCI DSS prevent a Supply Chain Attack?

It is common in the online payment industry for businesses to use third-party services to process credit card payments, given the cost and operational efficiencies this offers. The convenience of reducing the scope of PCI DSS compliance has made the option even more attractive. However, most of these service providers are excluded from, or not subject to, appropriate levels of due diligence, which exposes the organizations using them to a high level of risk. The PCI Council recognized this growing risk exposure and, in the PCI DSS 3.2 iteration, highlighted the importance of mitigating and managing third-party risk. The standard calls for measures that ensure compliance throughout the data supply chain, and to address this the Council outlined a list of requirements that third-party service providers must follow to ensure PCI DSS compliance. The requirements listed below, from PCI DSS 3.2, show the emphasis the Council places on continuous management and maintenance of security measures for the third-party services used by organizations that process sensitive cardholder data (CHD).

PCI DSS Requirements


Requirement 10.8 Service providers are required to have in place systems and processes for timely detection and reporting of failures in critical security control systems.

Having a formal process in place is essential to detect issues and raise an alert when a critical security control fails. Otherwise, the failure could go undetected for extended periods of time, giving attackers an opportunity to exploit the weakness, compromise systems, and gain access to the sensitive cardholder data environment.
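The detection process that Requirement 10.8 calls for can be made concrete with a small monitor that watches the health of critical security controls. The example below is added here and is not from the article or from the PCI Council; the control names, heartbeat intervals and event format are assumptions for illustration. It consumes constructed status events from controls such as a firewall, IDS, file-integrity monitoring, anti-malware and central logging, and reports two failure modes: a control that explicitly reports FAILED, and a control that has gone silent (no heartbeat within its expected interval), which is the case that most often goes unnoticed.

```python
"""Added example: detecting failures of critical security controls (PCI DSS
Requirement 10.8 style). Not from the article; names and intervals assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Expected heartbeat interval per critical control (assumed values).
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antimalware": timedelta(hours=1),
    "central_logging": timedelta(minutes=5),
}


@dataclass(frozen=True)
class Alert:
    control: str
    reason: str          # "FAILED" (control reported failure) or "SILENT" (heartbeat missing)
    detected_at: datetime
    detail: str


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Parse a line of the assumed form 'ISO8601 control STATUS [detail]'."""
    parts = line.strip().split(" ", 3)
    ts = datetime.fromisoformat(parts[0])
    control, status = parts[1], parts[2]
    detail = parts[3] if len(parts) > 3 else ""
    return ts, control, status, detail


def evaluate(events: List[str], now: datetime) -> List[Alert]:
    """Return one alert per critical control that has failed or gone silent.

    Events may arrive out of order; only the most recent event per control
    counts, so a late OK cannot be overridden by an older FAILED.
    """
    latest: Dict[str, Tuple[datetime, str, str]] = {}
    for line in events:
        ts, control, status, detail = parse_event(line)
        if control not in EXPECTED_INTERVAL:
            continue  # not a critical control; ignore
        if control not in latest or ts > latest[control][0]:
            latest[control] = (ts, status, detail)

    alerts: List[Alert] = []
    for control, interval in EXPECTED_INTERVAL.items():
        if control not in latest:
            alerts.append(Alert(control, "SILENT", now, "no heartbeat ever received"))
            continue
        ts, status, detail = latest[control]
        if status == "FAILED":
            alerts.append(Alert(control, "FAILED", now, detail))
        elif now - ts > interval:
            alerts.append(Alert(control, "SILENT", now, f"last heartbeat {ts.isoformat()}"))
    return sorted(alerts, key=lambda a: a.control)


def format_alert(a: Alert) -> str:
    """Render an alert as a single line suitable for a ticket or SIEM event."""
    return f"{a.detected_at.isoformat()} CRITICAL control={a.control} reason={a.reason} {a.detail}"


# Constructed sample events (not real logs). central_logging sends nothing at all.
SAMPLE_NOW = datetime.fromisoformat("2024-05-01T10:05:00+00:00")
SAMPLE_EVENTS = [
    "2024-05-01T10:03:00+00:00 firewall OK",
    "2024-05-01T10:00:00+00:00 firewall OK",          # older, arrives out of order
    "2024-05-01T09:55:00+00:00 ids OK",               # 10 min old: silent
    "2024-05-01T09:30:00+00:00 fim OK",               # within its 1 h interval
    "2024-05-01T10:01:00+00:00 antimalware FAILED signature update failed",
    "2024-05-01T10:02:00+00:00 backup OK",            # not a critical control
]


def run_sample() -> List[Alert]:
    """Evaluate the constructed events at the constructed 'now'."""
    return evaluate(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(format_alert(alert))
```

Run as-is, it reports antimalware as FAILED and both central_logging and ids as SILENT, while the firewall and FIM agent pass. The silent case is the one worth keeping: a logging pipeline that stops delivering events produces no error of its own, so the absence of a heartbeat has to be treated as a control failure and reported with the same urgency as an explicit one.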

Requirement 12.4 Ensure security policy and procedures clearly define information security responsibilities for all personnel.

Organizations must develop a third-party vendor policy and procedure that clearly outlines the responsibilities of service providers. It should also include the measures to be taken to protect cardholder data and to ensure compliance with PCI DSS. After all, anyone with access to sensitive cardholder data must be accountable for its security and aware of their responsibility. Without clearly defined roles and responsibilities there can be miscommunication and security lapses in systems, leading to insecure implementation of security measures.

Requirement 12.8 Maintain and implement policies and procedures to manage Service Providers with whom the cardholder data is shared, and that could affect the security of the cardholder data environment.

Basically, this requirement focuses on vendor management: organizations are required to maintain and implement appropriate policies and procedures for their third-party service providers.

Requirement 12.8.2 Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data.

This is to define and maintain a clear relationship with the service providers who have access to the sensitive cardholder environment or cardholder data. Having the responsibilities clearly defined will ensure accountability. Besides, ensuring third-party compliance is crucial as they impact the security of the cardholder data environment.

Requirement 12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

This simply means organizations must thoroughly conduct appropriate due diligence including a risk analysis before establishing any kind of formal relationship with the service provider. The due diligence processes must include reporting practices, breach-notification, and incident response procedures. It should even include details like the PCI DSS responsibilities assigned, measures taken to ensure compliance, and evidence of compliance.

Requirement 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

Organizations are required to develop and maintain a program to ensure service providers are PCI DSS Compliant and this must be verified at least annually. The service providers the organizations deal with should provide services in a way that is compliant with PCI DSS Standards. This provides an assurance that necessary steps are taken to secure the cardholder data of customers.

Requirement 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and the ones managed by the organization.

This information is critical for vendor management and is based on the agreement with each specific vendor, depending on their service offerings. It defines responsibilities and gives clarity on the PCI DSS requirements that the vendor has agreed to meet.

Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

This requirement works in conjunction with PCI DSS Requirement 12.8, which is intended to ensure a shared understanding between service providers and their customers about their PCI compliance responsibilities. It should be established in contractual language so that there is written evidence of the service provider agreeing to provide services in a PCI DSS compliant manner.

Requirement 12.11 Service providers must perform reviews quarterly to confirm personnel are following security policies and operational procedures.

Service providers are required to confirm that they are following the policies and procedures defined and agreed upon for ensuring PCI DSS compliance. For this, they must perform quarterly reviews covering log review, the firewall rule set, the application of configuration standards to new systems, responses to security alerts, and the change management process in place. This ensures the policies and procedures are being followed diligently.


PCI DSS mandates that service providers who provide payment-related services, or services that can affect the security of the organization under consideration, be included in scope. It is often tempting for organizations to take the easy way out and exclude service providers as “not relevant”. However, we strongly advise organizations not to take shortcuts: it is better to be safe than sorry.


Given that 80% of all data breaches today involve a supply chain attack using stolen credentials and unauthorized access through third-party service providers, organizations increasingly need to focus on third-party vendor risk management. Vendors who have access to information systems, networks, and cardholder data need to have an established level of security to protect the sensitive cardholder data environment. Organizations need to build trust and ensure that these third-party vendors and service providers take security seriously and implement the measures necessary to prevent attacks and breach incidents. Performing cybersecurity assessments and validations is a good way to build that trust and ensure compliance with industry best security standards across the supply chain. While there are several cybersecurity best practices that businesses can follow to combat supply chain attacks, PCI DSS compliance is one way organizations can strengthen their data security and prevent such attacks. The PCI DSS standards reflect industry best practices and requirements, combining robust security practice with a rigorous evaluation process that enhances the due diligence expected in the risk assessment of organizations and their third-party service providers.

About the Author

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the U.S., Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2 Compliance and Audit, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.


Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.