PCI DSS 3.2 Urges Stronger Access Security for Third Parties As Breaches Continue
Compliance does not equal security, many have said - meaning, these standards are usually not strong enough to actually keep hackers out, and they often aren’t updated fast enough to truly protect against the newest threats.
But regulators are stepping up their game in efforts to address the most common attack vectors in the retail and e-commerce industry - social engineering.
The typical attack path that leads hackers to customer data looks like this:
- A third-party vendor (typically a point-of-sale software provider) of a retailer or franchiser is targeted by attackers
- A retailer may outsource the management of their POS systems to these providers
- These providers log into administration applications in order to manage systems remotely
- Hackers either brute-force or social engineer the credentials of the third party to access and steal customer data
An effective, easy and cheap way to social engineer passwords is via a phishing email designed to fool third-party employees into handing over keys to the kingdom to hackers.
Recently, over 1,000 locations of the fast-food franchise Wendy’s was targeted in this very same attack, according to KrebsonSecurity.com. Attackers pilfered customer data over a period of six months of persistent access.
But while they’re the most recently reported, they’re certainly not the first. Post-breach, major retailers are feeling the pinch in the form of lawsuits from consumers and banks, loss of customer loyalty and brand reputation, compliance fees and more.
In response to the ongoing threat, the PCI Security Standards Council (SSC) has updated security requirements for retailers in the latest version of the Payment Card Industry Data Security Standards (PCI DSS), 3.2.
The access control standard 8.3 has been modified to reflect the need for broader protection - mandating the use of multi-factor authentication for all system administrators logging into the cardholder data environment (CDE). That applies to third-party vendors, internal, local and remote administrators alike. Similarly, the PCI SSC added a warning about out-of-date payment application software:
As security threats are constantly evolving, applications that are no longer supported by the vendor (e.g., identified by the vendor as “end of life”) may not offer the same level of security as supported versions.
Attackers will target known vulnerabilities in outdated software in order to install malware on employees’ devices, stealing passwords and other data to access applications housing credit card data.
That makes upgrading and patching regularly an important step in a strategic security process. Quickly close security gaps using Duo’s Trusted Access solution, which provides visibility into devices that authenticate into your environment, then allows you to block any devices until they’re updated. In doing so, you can ensure the trust and health of the devices accessing your applications.
Duo also provides two-factor authentication (also known as multi-factor authentication) to protect every user in your organization, and to ensure the trust and identity of your users before they log into your applications; keeping criminals out.
The new, stricter access security controls required by PCI DSS version 3.2 will officially go into effect February 1, 2018 - while all assessments will need to be measured by 3.2 by this October. Reevaluate your security controls and identify where you might need to update them to protect against the latest threats: stolen credentials and outdated applications.
Learn more about PCI DSS 3.2 in A Guide to Stronger Security in PCI DSS 3.2. Or, download A Modern Guide to Retail Data Risks: Avoiding Catastrophic Data Breaches in the Retail Industry.
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Download our free guide today for a detailed overview of the retail industry's current state of security, and recommendations on safeguarding customer financial information.