PCI DSS 3.0, responsibility and protecting against third party access

Compliance with PCI DSS 3.0 is primarily about enforcing everyday security best practices, but Stuart Facey notes that secure third party access is a key part of that approach.


PCI DSS 3.0 became mandatory in January 2015. For any organisation handling payment card information, it's important to think about how to set up and maintain security measures to remain in compliance. However, one of the bigger changes in the set of regulations concerns how retailers and other companies work with outsourcers and other third parties that have access to their networks.

It's not hard to see why this change has come into being – the attacks on companies such as Target came through remote access loopholes, linked to third party vendors that were allowed on to the retailers' networks. The change in PCI DSS 3.0 makes the whole situation around responsibility clearer.

While all the companies involved in retail IT have to shoulder their burdens around security, the overall responsibility is firmly placed with the retailers rather than the service providers. While this should be an obvious point, the complexity of enterprise IT and increasing role for outsourcing across retail companies means that it had to be made. Banks will fine a retailer in the event of a data breach, even if the outsourcer is responsible for the IT infrastructure that is involved. This makes it increasingly important that retailers are aware of all network activity that affects them, as well as securing all remote access to their systems.

Data breaches follow when an organisation is lax about controlling third party access. The Online Trust Alliance reports that around 40 percent of data breaches where data was lost were due to external intrusions, while the 2013 Trustwave Global Security Report stated that up to 63 percent of data breaches can be linked to third parties. For retailers, protecting against attacks that can come through trusted partners is essential to remain in line with PCI DSS.

Now, remote access is itself a necessary technology for many of these large enterprises. Without it, it becomes nearly impossible to work across distributed business IT environments and it's also challenging to provide the support that customers may need. There are plenty of options out there for remote access to networks, but the security and management of those tools is not as mature. Too often, access is made easy – great at the point when it is needed, but a challenge to keep tabs on over time.

Here are some steps to take that can help ensure everyone in the process is secure and compliant:

1) Assign all users – internal and external – unique identification credentials before allowing any remote access. For enterprise remote support tools, this can involve checking that no “group accounts” are in use. This approach ensures that IT can keep a close eye on what each user is doing on the network, what they are accessing remotely and whether they are following the correct regulations.

2) Passwords should be updated at least every 90 days, according to PCI DSS. Applying standard password best practice here can help remove some of the risk, such as disallowing dictionary words and supporting additional characters beyond straightforward numbers and letters.

At the same time, implementing two-factor authentication for remote access can cut down on the risk that credentials can be stolen or guessed. Even if a breach at the third party or outsourcer does occur and their credentials are stolen, those credentials alone can't be used to access the retailer's network.

3) Point of Sale security is important within PCI DSS – as a POS terminal takes card data, it's often a target for hackers. While supporting POS terminals with remote access is a valid use case, it's important to restrict that access as much as possible. If a retailer is using a third party for support, then POS devices can come under their remit too.

Steps to take here can include changing default ports for remote access over to others, as well as logging all remote access activity and scanning for abnormal behaviour. It can also help to be responsible for the remote access technology used during a session, rather than letting the third party use their own choice of tools that may be out of date or rely on holes in firewalls for access.

4) Audit and monitoring are a crucial part of remaining compliant. Even if the retailer hands over all responsibility for day-to-day running of IT networks to a third party, the retailer's own staff should still carry out a regular review of what is taking place. This includes checking that all activities are being carried out in an authorised manner and that all activity can be tracked back to the individual that's responsible.
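As an added illustration of how a retailer's own staff might review a third party's remote-access activity against steps 1, 2 and 4 above (not code from the article or from Bomgar), the script below runs the checks over a constructed set of session records: it flags generic or shared accounts that cannot be tied to one individual, passwords older than the 90-day interval, sessions without a second factor, and one credential arriving from several sources. The record format, field names and the list of group-account names are assumptions for the example.

```python
"""Review constructed remote-access session records against PCI-style checks.

Added example: the record layout, field names and GROUP_ACCOUNT_NAMES are
assumptions for illustration, not a real remote support tool's log format.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: one record per remote session opened by the outsourcer.
SESSIONS = [
    {"user": "jdoe@vendor",   "src": "203.0.113.10", "mfa": True,  "pw_set": date(2015, 1, 5)},
    {"user": "support",       "src": "203.0.113.11", "mfa": False, "pw_set": date(2014, 6, 1)},
    {"user": "support",       "src": "198.51.100.7", "mfa": False, "pw_set": date(2014, 6, 1)},
    {"user": "asmith@vendor", "src": "203.0.113.12", "mfa": True,  "pw_set": date(2014, 9, 1)},
]
GROUP_ACCOUNT_NAMES = {"support", "admin", "vendor", "helpdesk"}  # assumed naming policy
MAX_PASSWORD_AGE_DAYS = 90                 # rotation interval cited in the article
REVIEW_DATE = date(2015, 1, 31)            # date the review is run (constructed)


def review(sessions, today):
    """Return {finding_type: sorted list of offending usernames}."""
    findings = defaultdict(set)
    sources = defaultdict(set)
    for s in sessions:
        sources[s["user"]].add(s["src"])
        # Step 1: a shared or generic account cannot be tied to one individual.
        if s["user"].lower() in GROUP_ACCOUNT_NAMES:
            findings["group_account"].add(s["user"])
        # Step 2: password rotation overdue, or remote access without a second factor.
        if (today - s["pw_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings["password_expired"].add(s["user"])
        if not s["mfa"]:
            findings["no_mfa"].add(s["user"])
    # Step 4: the same credential used from several sources suggests sharing,
    # which breaks the audit trail back to a responsible individual.
    for user, srcs in sources.items():
        if len(srcs) > 1:
            findings["multiple_sources"].add(user)
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    for kind, users in review(SESSIONS, REVIEW_DATE).items():
        print(f"{kind}: {', '.join(users)}")
```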

One important thing to stress here: this approach to compliance should help the retailer keep a close eye on what is taking place under its contract with the third party (or parties) it works with. This should give the retail IT team peace of mind!

PCI DSS is a critical piece of compliance regulation for retailers. However, the changes that have been implemented are aimed at making it less about “big bang” initial compliance and more about enforcing everyday security best practices. This includes ensuring that retailers remain responsible for their security, even when they don't own the assets used or carry out those day-to-day tasks.

Contributed by Stuart Facey, VP International at Bomgar