28th August 2021, Kathmandu
In today’s evolving digital world, a supply chain attack is not a new threat. In fact, 80% of retail data breaches are due to supply chain attacks.
Today, a growing number of hackers are adopting sophisticated tools and techniques to attack a company’s supply chain management and wreak havoc on business operations. These attacks can be devastating and may at times have an irreversible impact on the business.
In the online retail business, the supply chain is an essential part of operations. Most businesses today rely on third-party services that often span a very large and diverse network across national and international boundaries, so putting robust cybersecurity measures in place across such a large network is difficult, especially as cyberattacks become more sophisticated and advanced. This gives attackers an open door to many loopholes and weak points to exploit.
By Narendra Sahoo, Founder and Director, VISTA InfoSec
Although organizations are investing heavily in cybersecurity measures, little is done to address the root cause of these attacks, which involves evaluating and monitoring the security of third-party service providers.
Yes, organizations are taking measures to minimize the damage caused by supply chain attacks, but the only way to deal with them is to prevent such attacks and breach incidents by building a strong defense.
Expanding on this in detail, let us understand the risk of a supply chain attack when outsourcing credit card payment processing, and ways to mitigate and manage the risks associated with third parties having access to Cardholder Data (CHD) in compliance with PCI DSS. But before that, let us first understand the nuances of a supply chain attack.
What is a Supply Chain Attack?
A supply chain attack, also popularly known as a third-party attack, occurs when a hacker/attacker infiltrates an organization through a third-party service provider’s systems or networks and gains unauthorized access to business-critical and sensitive systems and data.
This technique of hacking changes the entire dynamics of the attack surface for a business, making cybersecurity measures more complex and difficult. With this, the risks concerning supply chain attacks are higher, especially given the types and sophistication of attacks and increased oversight from regulators.
Moreover, with an immense number of advanced tools and techniques at their disposal, hackers have become more ingenious in their attacks and are constantly evolving their techniques to infiltrate their targets’ systems and networks.
In addition, the supply chain has made it easier for hackers to compromise larger business groups and organizations.
Because detection of supply chain attacks is inherently difficult, with the easy backdoor into software applications masking the malicious nature of the software, these threats simply go undetected by traditional security measures.
How does compliance with PCI DSS prevent a Supply Chain Attack?
It is common in the online payment industry for businesses to use third-party services for processing credit card payments, given the cost and operational efficiencies they offer.
Moreover, the convenience they offer businesses in terms of reducing the scope of PCI DSS compliance has made the option more viable.
However, most of these service providers are omitted from, or not subjected to, appropriate levels of due diligence. This has opened the door to a high level of risk exposure for organizations using their services.
The PCI Council recognized the growing level of risk exposure and so, in PCI DSS version 3.2, highlighted the importance of mitigating and managing third-party risk.
The PCI DSS requirements call for measures ensuring compliance throughout the data supply chain. To address this, the PCI Council outlined a list of requirements that third-party service providers must follow to ensure PCI DSS compliance.
The following list of requirements outlined in PCI DSS 3.2 highlights the emphasis the Council places on ongoing management and maintenance of security measures for the third-party services used by organizations that process sensitive cardholder data (CHD).
| PCI DSS Requirement | Description |
| --- | --- |
| Requirement 10.8 | Service providers are required to have systems and processes in place for the timely detection and reporting of failures in critical security control systems. Having a formal process is essential to detect issues and raise an alert when a critical security control fails. Otherwise, the issue could go undetected for extended periods of time, giving attackers an opportunity to exploit the weak areas, compromise systems, and gain access to the sensitive cardholder data environment. |
| Requirement 12.4 | Ensure security policies and procedures clearly define information security responsibilities for all personnel. Organizations must develop a third-party vendor policy and procedure that clearly outlines the responsibilities of service providers. It should also include the mandatory measures to be taken to protect cardholder data and to ensure compliance with PCI DSS. After all, anyone having access to sensitive cardholder data must be accountable for its security and aware of their responsibility. Without clearly defined roles and responsibilities there can be miscommunication and security lapses, leading to insecure implementation of security measures. |
| Requirement 12.8 | Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of the cardholder data environment. Fundamentally, this PCI DSS requirement focuses on vendor management, for which organizations are required to maintain and implement appropriate policies and procedures for third-party service providers. |
| Requirement 12.8.2 | Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data. This defines and maintains a clear relationship with the service providers who have access to the sensitive cardholder data environment or to cardholder data. Having the responsibilities clearly defined ensures accountability. Besides, ensuring third-party compliance is crucial, as they impact the security of the cardholder data environment. |
| Requirement 12.8.3 | Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement. This simply means organizations must thoroughly conduct appropriate due diligence, including a risk analysis, before establishing any kind of formal relationship with the service provider. The due diligence process must cover reporting practices, breach notification, and incident response procedures. It should also include details such as the PCI DSS responsibilities assigned, measures taken to ensure compliance, and evidence of compliance. |
| Requirement 12.8.4 | Maintain a program to monitor service providers’ PCI DSS compliance status. Organizations are required to develop and maintain a program to ensure service providers are PCI DSS compliant, and this must be verified at least annually. The service providers an organization deals with should deliver their services in a way that complies with the PCI DSS standard. This provides assurance that the necessary steps are taken to secure customers’ cardholder data. |
| Requirement 12.8.5 | Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the organization. This information is critical for vendor management and is based on the agreement with the specific vendor, depending on their service offerings. It defines responsibilities and gives clarity on the PCI DSS requirements they have agreed to meet. |
| Requirement 12.9 | Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. This requirement works in conjunction with PCI DSS Requirement 12.8, which is intended to ensure a level of understanding between service providers and customers about their PCI compliance responsibilities. This should be established in contractual language so there is written evidence of the service provider agreeing to deliver services in a PCI DSS compliant manner. |
| Requirement 12.11 | Service providers must perform quarterly reviews to confirm personnel are following security policies and operational procedures. Service providers are required to demonstrate that they are following the procedures and policies defined and agreed upon for ensuring PCI DSS compliance. For this, they must perform quarterly reviews covering log review, firewall rule sets, application of configuration standards to new systems, response to security alerts, and the change management process in place. This ensures the policies and procedures are being followed diligently. |
PCI DSS mandates the inclusion in scope of service providers who provide payment-related services or services that can impact the security of the organization under consideration.
Many times, it is tempting for organizations to take the easy way out and omit service providers under the guise of “not relevant”. However, we strongly urge organizations to be safe rather than sorry and not take shortcuts.
Conclusion
Given that 80% of all data breaches today involve a supply chain attack, with stolen credentials and unauthorized access through third-party service providers, there is an increased need for organizations to focus on third-party vendor risk management.
Using third-party services from vendors who may have access to information systems, networks, and cardholder data requires a certain level of security to protect the sensitive cardholder data environment.
Organizations need to build trust and ensure that these third-party vendors/service providers take security seriously and implement the necessary measures to prevent attacks and breach incidents.
That said, performing cybersecurity assessments and validations is a great way to build trust and ensure compliance with industry best security standards across the supply chain. While there are several cybersecurity best practices that businesses can follow to combat supply chain attacks, PCI DSS compliance is one way organizations can strengthen their data security and prevent such attacks.
The PCI DSS standard is an industry best practice and set of requirements that involves robust security practices and a rigorous evaluation process, enhancing the due diligence expected in the risk assessment of organizations and their third-party service providers.