Third-party vendors will receive a lot more security scrutiny under new Payment Card Industry security requirements taking hold next year, if merchants are vigilant in following the new compliance guidelines.
The timing couldn't be better for closer evaluation of the roles of third-party providers and the extra steps they will have to take to remotely access their systems at a merchant location.
Home Depot's recent data breach was another high-profile case of a retailer compromised through a third-party vendor's password, which attackers used to get through the perimeter of a payments network. Target suffered a similar attack during the 2013 holiday season, which seemingly triggered what has become an ongoing series of criminal strikes against retailers in pursuit of payment and personal data.
When PCI 3.0 begins Jan. 1, 2015, third-party providers will have to clearly describe in contract form what data security controls they will address and which ones the merchant must monitor. In addition, those who remotely connect to a merchant system must have a unique password for each merchant they do business with, while also providing two-factor authentication.
"If hackers break into one system when targeting service providers, they generally feel they can do repeat attacks on others with the same password," said Greg Rosenberg, security engineer at Chicago-based Trustwave. "Now the provider also has to have another authentication form, such as biometrics or a unique token."
The extra scrutiny on third-party providers illustrates that the payments and retail industry is coming to grips with something criminals have known for some time: service providers outside the typical payments infrastructure are easier targets.
Companies that provide environmental controls, heating and air-conditioning or security cameras for a retailer generally have remote access to their systems through passwords.
"Even if they are not tagged as a service provider like a web host or a payment gateway, they represent much risk," Rosenberg said.
Trustwave has found that a leak through service providers causes a high percentage of the breaches the company investigates, Rosenberg added.
"If you have a network of 10 computers and only use one as a virtual POS terminal, those other nine may not have anything to do with the payment system," Rosenberg said. "If you don't segment that system at all, those other computers are pulled into PCI scope."
The added guidance on third-party provider security will not automatically equate to safer systems, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"We are certainly going to see some trailing incidents as a result of this," Conroy said. "PCI is a set of guidelines, but there is nobody who is going to be auditing to the very letter of every single one of these requirements to make sure merchants are doing all of this stuff."
Rosenberg agrees that criminals will determine soft spots in the process fairly quickly.
"Because there is no direct contractual relationship in many of these scenarios between the service providers, the acquirers or the card brands, there is kind of a blind spot, and the bad guys know this," Rosenberg said.
Because these companies provide services for so many merchants and do it in a consistent fashion [with identical passwords], those companies "are really becoming quite an appealing target," Rosenberg added.
"It's an efficient way to grab more records, and varied records," he said.
The security industry will be better served as it continues to move away from passwords, but in the meantime, Rosenberg said, the longer a password is, the better.
"Our lab has determined that passwords, even those considered strong, are largely inadequate," Rosenberg said. "We are moving toward 20-character passwords, or pass-phrases."
Security vendors have also warned merchants that the new PCI 3.0 guidance provides a roadmap to hackers who will study the procedures to determine where some gaps may still exist or which ones merchants might not be as vigilant in following.
Part of the task for merchants will be to impress upon third-party providers that security is a must, one in which their relationship is at stake if they don't protect their systems, Conroy said.
"The onus will absolutely be on the merchants' shoulders," Conroy added.