PCI 3.2 and Third-Party Breach Risk

August 24, 2016 • Categories: Best Practices • Tags: third-party breach risk

The time to understand third-party breach risk is now.

Back in May, we took an in-depth look at the PCI 3.2 SAQs. We noted that the PCI Security Standards Council (SSC) is responding to the recent data breaches involving third-party service providers by significantly enhancing the SAQ D-Service Provider.

Third Party Agents (TPAs), as Visa refers to them, come in many flavors these days.

For the purposes of this discussion, let’s talk about just two broad categories:

  • Third parties who are involved in the processing, transmitting and/or storing of cardholder data.
  • Third parties who play a more ancillary role and do not get directly involved in these activities.

What are TPAs’ PCI roles and responsibilities?

In the current environment, it is critical that all third party service providers understand their roles and responsibilities, as well as how to ensure they have a strong security posture.

Those third parties who are not directly involved in the transaction flow still need to understand if their role could impact the security of cardholder data in some way. We see many integrated software vendors (ISVs) who are not aware that they may very well be in scope for PCI.

Those third parties who are directly involved in the transaction flow should be consulting with a PCI Qualified Security Assessor (QSA) to get an on-site assessment, resulting in a Report on Compliance (RoC). The card brands expect to see this QSA-led validation so they can properly register the third party as a “Merchant Servicer.”

One of the resources I like to recommend for third party service providers and their merchant clients to work with is the PCI Council’s Third Party Security Assurance Guidelines document. Check out Appendix A for a helpful breakdown of roles and responsibilities.

Noteworthy changes in PCI 3.2 SAQ D-Service Provider.

The PCI 3.2 SAQ D-Service Provider has introduced 15 new controls relating to third party service providers.

A couple of the biggest changes I wanted to highlight:

  • Now, in addition to needing to use unique credentials per client (when utilizing remote access), the third party service provider needs to employ multi-factor authentication when accessing the cardholder data environment. This extra layer of security is important in defending against remote access intrusions.
  • As of February 2018, third party service providers will be required to perform penetration testing twice a year instead of once annually. This is a key one in my opinion. I do not recommend waiting until the final requirement date to put a regular testing process in place.

Prepare for the road ahead.

As the threats evolve, the changes are likely to keep coming. This is why planning for a daily focus on security, as opposed to a once-a-year process, is becoming critically important.

For more detail on what you can do now to prepare for the road ahead and reduce third-party breach risk, check out PCI SAQ 3.2 Debrief: Service Provider Edition.