Payment Card Industry (PCI) Security Standard Council releases Data Security Standard to explain requirements and security assessment procedures. The latest version (v 3.2) was released on April 2016 and starting February 2018 it became effective as requirements. But what PCI says about third-party cyber risk management?
What is PCI Data Security Standards?
PCI is an internationally-recognized institution that determines the standards for payment card industry (including merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers) to make cardholders safer.
Any breach on payment systems affect the entire payment ecosystem and consequences usually results in huge financial losses. Financial institutions that experience data breach lose credibility and reliability. The main document for PCI is PCI Data Security Standards (PCI DSS) which provides an actionable framework to secure and make robust payment card data processes (prevention, detection and response to cyber incidents).
What is third-party cyber risk?
A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Data breaches caused by third parties cost millions of dollars to large companies.
Third-parties include broad range of companies a company directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. For more info on third-party cyber risk, check out our 2018 third-party cyber risk report here.
What PCI DSS says about third parties?
PCI DSS states that a service provider or a merchant may use a third-party for data storage, processing, or transmitting cardholder data or management of hardware/software components (routers, firewalls, databases, etc.). However, PCI DSS immediately acknowledges that if a third-party is used, then there may be an impact on cardholder data ecosystem security. Therefore, they offer two options to third-party services to validate compliance. Third parties can either
- Undergo an annual PCI DSS assessments on their own and provide evidence of compliance or
- Undergo assessments upon request of their customers and participate their customer’s PCI DSS reviews.
What requirements may be related to third parties?
- PCI DSS Requirements on firewall and router configurations (1.1, 1.2, 1.3, and 1.4) are directly related to third party hardware/software service providers that handle these tasks.
- PCI DSS also recommends to always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network (2.1) including (but not limited to) operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, etc.
- PCI DSS mentions shared hosting providers (2.6) by forcing them to meet specific requirements detailed in an Appendix (A1), a section whose sole purpose is to explain Shared Hosting Provider Requirements.
- Section 3 is all about how to store cardholder data and if a third-party is used for data storage, these requirements have to be met. The motto of PCI is “if you don’t need it, don’t store it).
- Requirements of using anti-virus programs is given in Section 5 and these requirements also apply to third parties.
- PCI DSS defines requirements (6.3) for external software applications (including web-based applications).
- In Section 7 and 8, access control is defined to give requirements on who should access what. This section is directly related to third party data access. Third-party access is explicitly mentioned (as in 8.3.2).
- The risk from third-party personnel (such as personnel for repair services) is elaborated (9.9.3)
Steps to prevent liabilities from third-party service providers
- Establish agreements with third parties. Agreements should be written clearly and should have references to PCI DSS.
- Check PCI DSS requirements and determine which one of those should be met by the third party.
- Monitor compliance of the third-party
- Prior to work with a third party, complete a risk assessment
How to use Black Kite to monitor third-party PCI-compliance
PCI DSS recommends using risk ranking (6.1) and risk assessment (12.2) for organizations. Thus, Black Kite Cyber Risk Scorecard, with its benchmarking reports, provides risk scoring and ranking for companies and their third parties. Besides, it also check compliance to well-known cyber security frameworks including PCI DSS.
Even prior to work with a third party, its PCI-compliance can easily be checked with Black Kite Cyber Risk Scorecard. Act now and learn your company and related third parties here. Wouldn’t it be great to learn your cyber risk score in 60 seconds? It is possible with Black Kite Rapid Cyber Risk Scorecard. For more information, please visit https://www.blackkite.wpengine.com/rapid-cyber-risk-scorecard/