In 2013, Target suffered a highly publicized data breach. Over the course of about 19 days, 40 million debit and credit card accounts were exposed to the attackers. What you might not have heard is that the intrusion didn't start with some black-hat hacker in a hoodie breaking through Target's own front door. The attackers got in using network credentials stolen from Target's HVAC vendor, a supplier Target trusted.
Your vendors are a greater security risk than you probably realize. According to one survey, 69 percent of businesses say they definitely or possibly suffered a security breach resulting from vendor access within the last year, and the number of breaches attributed to vendors has risen 22 percent since 2015. At the same time, about two-thirds of companies don't even know how many vendors have access to their systems.
Is your supply chain secure? How do you know? PCI DSS Requirement 12.8 mandates that you maintain policies and procedures for managing the service providers with whom cardholder data is shared, or who could affect the security of that data, but validating supply chain security goes beyond checking a box for compliance. Let's take an honest look at what you need to be doing with your vendors.
PCI Compliance Isn’t Security
There's a myth out there that is putting companies at greater risk of a breach: "Such-and-such a company is PCI compliant, so we don't need to dig any further." Nothing could be further from the truth. I've seen organizations ask, "Hey, are you compliant with anything?" "Yes, PCI." "Great, give me your compliance confirmation document (the Attestation of Compliance, or AOC)." And they think they've done their due diligence. But if I tell someone I'm PCI compliant, what does that really mean?
I've seen vendors claim they're PCI compliant simply because they outsource parts of their credit card data handling. I've also seen large international suppliers provide AOCs indicating they were PCI compliant, but the AOCs covered only a service offering that had nothing to do with the service they were providing to the client. When it comes to the security of your sensitive data, you can't just look for the signature on the last page of the vendor's AOC; you have to read which services the AOC actually covers and confirm that the service you buy is among them.
Here's the scarier part: if a supplier you have a legal agreement with screws up, you're still the one holding the bag. Hardly anyone remembers the name of Target's HVAC vendor, but the whole world knows that it was Target's data that was breached. You can take your supplier to task and sue them, but you're still the one who gets the black eye in the marketplace.
What Do You Need to Do?
The PCI DSS requires you to look at the suppliers involved in any of your sensitive operations. You need to identify who they are, what they do for you, and what their roles and responsibilities are. Depending on who the vendor is and what they do for you, certain sub-elements of their responsibilities come into play. It even comes down to the janitor, because the janitor has physical access to the facility. If the janitor cleans the server room, they could in principle plug something into a server or gain physical access to sensitive data in your organization.
You should have a program for validating supply chain security. Usually that involves confirming that everyone on your supplier list does their own security and compliance reviews and is certified against an appropriate standard. Ideally, that confirmation comes from a qualified third party, not from the vendor's own say-so.
If they aren’t certified, you’ll need to go into a greater level of depth with them. Ask questions about their security, then evaluate the level of risk they present to your company. In some cases, the risk will be too high and you’ll decide not to use that vendor anymore, because they don’t have their act together. Other times, you might make the call that their role is minor enough to be an acceptable risk and continue using them.
Best Practices for Vendor Security
What should you do to make sure you’ve got the security you need from your supply chain? First, know who all your suppliers are. Develop an exhaustive list and include the following information:
- Contact information
- Services they provide
- Security and compliance certifications
- Third-party audit results (including services audited)
- A map of the vendor's services against your in-scope compliance standard, so you can build a responsibility matrix that clarifies who is responsible for which controls
Also make sure you have their contractual language and agreements on file, along with their third-party audit reports. If they don't undergo a third-party audit, you'll need to dig in further and ask key questions. Be sure you clearly understand the true state of the supplier's security and compliance.
Then, as an organization, ask: Is it worth the risk that this supplier will drop the ball? Are we better off finding another supplier?
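As an added example (not part of the original post and not TCT Portal's code), here is a small Python script that applies the checks above to a supplier inventory: it compares the services a vendor provides to you against the service offerings named on its AOC, flags an AOC that is more than a year old (AOCs are issued annually), missing, or self-assessed rather than assessed by a third party, and triages each vendor by whether its role touches cardholder data. The vendor names, field names, dates and rating labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vendor:
    """One row of the supplier inventory (field names are this example's own)."""
    name: str
    services_provided: Set[str]      # what the vendor actually does for us
    aoc_services: Set[str]           # service offerings named on the vendor's AOC
    aoc_date: Optional[date]         # date on the AOC; None if no AOC was supplied
    third_party_assessed: bool       # assessed by a QSA rather than self-attested
    handles_cardholder_data: bool    # does this vendor's role touch cardholder data?


def aoc_findings(v: Vendor, today: date, max_age_days: int = 365) -> List[str]:
    """List the reasons the AOC does not, by itself, cover what this vendor does for us."""
    if v.aoc_date is None:
        return ["no AOC on file"]
    findings: List[str] = []
    if (today - v.aoc_date).days > max_age_days:
        findings.append("AOC older than %d days" % max_age_days)
    # The key check from the post: is the service we buy inside the AOC's scope?
    uncovered = v.services_provided - v.aoc_services
    if uncovered:
        findings.append("AOC scope does not cover: " + ", ".join(sorted(uncovered)))
    if not v.third_party_assessed:
        findings.append("self-assessed only; no third-party assessor")
    return findings


def risk_rating(v: Vendor, findings: List[str]) -> str:
    """Triage: 'accept' if clean, 'escalate' if gaps touch cardholder data, else 'review'."""
    if not findings:
        return "accept"
    return "escalate" if v.handles_cardholder_data else "review"


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map each vendor name to (rating, findings)."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    for v in vendors:
        findings = aoc_findings(v, today)
        result[v.name] = (risk_rating(v, findings), findings)
    return result


# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("CardCo Processing", {"payment processing"}, {"payment processing"},
           date(2024, 2, 15), True, True),
    # AOC is current and third-party assessed, but covers the wrong service.
    Vendor("GlobalHost Inc", {"hosting of cardholder data environment"},
           {"managed email"}, date(2024, 1, 10), True, True),
    # Stale, self-assessed AOC for a role that does not touch cardholder data.
    Vendor("WebWidgets LLC", {"marketing site hosting"}, {"marketing site hosting"},
           date(2022, 5, 1), False, False),
    # The janitor: no AOC at all, but physical access still needs a review.
    Vendor("CleanCrew Janitorial", {"facility cleaning"}, set(), None, False, False),
]
AS_OF = date(2024, 6, 1)  # fixed review date so the results are reproducible


if __name__ == "__main__":
    for name, (rating, findings) in review_inventory(SAMPLE_VENDORS, AS_OF).items():
        print("%-22s %-8s %s" % (name, rating, "; ".join(findings) or "-"))
```

In a real program the inventory would come from your vendor register rather than a list in the script, and the "escalate" bucket is where the conversation about replacing the supplier, or getting a matching AOC from them, begins.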
More organizations are putting together their own spreadsheets with questionnaires for vendors. TCT Portal has a built-in ability for you to reach out to a shortlist of vendors and request their security and compliance certification paperwork. If you have your own security survey for vendors as a spreadsheet, TCT Portal lets you automate the communication back and forth. You can use the TCT Portal to host your vendor management platform and automate the data collection process, saving you time and increasing accountability.
If you're a service provider, TCT Portal can help you manage your own compliance and automate the responsibility matrix by certification type. Put a profile of your responsibilities into TCT Portal, then push it to a client that uses the Portal. It's an efficient way to provide your security and compliance matrix to your customers.
Make Supply Chain Security a Priority
Supply chain security isn't something you can take for granted. PCI compliance doesn't mean a vendor is safe, and you can't afford to be hands-off about it. This month, develop a plan to review your approach to supply chain security, and set a goal of having your practices in order by next quarter. Once you've really looked into things, you'll have earned your peace of mind.