Supply chain risk is worrying regulators everywhere. That’s why it’s a critical part of both the new EU Digital Operational Resilience Act (DORA) and NIS 2. It’s also a growing concern for the Payment Card Industry Security Standards Council (PCI SSC), the body behind the industry’s Data Security Standard (PCI DSS).
As supply chains increase in size and complexity, large financial services firms, retailers and others must ensure they don’t jeopardize PCI DSS 4.0 compliance. Depending on the supplier, complying organizations may need to ensure cardholder data is secured even when it leaves the organization.
There’s a very good reason why regulators are getting serious about third-party security risks. The number of supply chain breaches continues to grow annually. According to one estimate, just 4% of publicly reported data breaches in the US last year were recorded as supply chain incidents, but these accounted for 15% of total victims: a figure in excess of 203 million. Given that financial services was the most frequently compromised sector last year, this has stark implications for PCI DSS 4.0 compliance.
Historically, partners, suppliers, contractors and other third parties often had access to sensitive corporate networks and data, but failed to meet the same high standards of security as their clients. This is no longer tenable.
For the purposes of PCI DSS 4.0, a third-party service provider (TPSP) is any organization that takes care of outsourced payment operations, or manages systems (including servers, routers, firewalls and databases) which transmit, store or protect cardholder data.
The main part of the standard that applies here is Requirement 12.8, which demands that “risk to information assets associated with third-party service provider (TPSP) relationships is managed.”
Five sub-requirements spell out what is specifically required, covering due diligence, contractual agreements and ongoing monitoring. They are as follows:
12.8.1: Maintain a list of service providers, including a description of the service provided.
12.8.2: Maintain a written agreement including an acknowledgment that the service provider is responsible for the security of cardholder data that they store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment (CDE).
12.8.3: Ensure there’s an established process for engaging service providers, including proper due diligence, before working with them.
12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by your organization.
Zero Trust is an increasingly popular approach to mitigating risk across internal and third-party CDEs. That’s because it was created very much for distributed environments featuring multiple service providers and networks. It enforces a mantra of “never trust, always verify” so that every request to access cardholder data must be authorized, whether from inside or outside the organization.
Thanks to rigorous multi-factor authentication, least-privilege access controls, continuous network monitoring, endpoint security, network segmentation and encryption, Zero Trust aligns well with the requirements of PCI DSS.
By taking a data-centric security approach, organizations can put themselves and their suppliers on a path to Zero Trust and PCI DSS 4.0 compliance. It enables them to focus on what matters most, the cardholder data, so that even if the worst-case scenario materializes and a supplier is breached, the threat will be contained.
With comforte’s Data Security Platform, organizations get the option of applying tokenization, which offers the additional benefit of preserving data utility without compromising on security. This could enable organizations to use tokenized data in third-party applications like cloud-powered analytics platforms—in order to drive business growth, without incurring the wrath of PCI DSS regulators.
With comforte, organizations looking to comply with PCI DSS are able to: