April 2017

PCI DSS and Third-Party Risk

An article by Angela K. Hipsher-Williams, CISA, QSA; Sean F. McAloon, CISA, QSA; and Jonathan J. Sharpe, CISA, QSA

Audit / Tax / Advisory / Risk / Performance Smart decisions. Lasting value.™ PCI DSS and Third-Party

Data standards for cardholder data are undergoing significant changes, with an emphasis on improving the security practices of third-party providers.

The PCI Security Standards Council (SSC) Focus on Third-Party has responded to recent data breaches involving third-party service providers by Service Providers enhancing both its Data Security Standard For (PCI) purposes, (DSS) and the associated “Self-Assessment a “third-party service provider” is defined Questionnaire D and Attestation of as any vendor that stores, processes, or Compliance for Service Providers.” This transmits cardholder data (CHD) on behalf response is not particularly surprising, of a client , as well as any given that 97 percent of breaches involving vendor that could affect the security of the stolen credentials resulted from legitimate cardholder data environment (CDE). The access by third-party service providers that latter is often overlooked. aggregate significant amounts of and information on behalf of their While many already have customers.1 vendor management programs in place, they might also share CHD with several PCI DSS version 3.2 was released in April types of providers that are not necessarily 2016, and the previous standard (version included in those programs, such as: 3.1) was retired at the end of October 2016. As of Nov. 1, 2016, all assessments • Infrastructure management companies must be performed according to the new • Managed services companies standard. Most of the major changes in • Web hosting providers version 3.2 apply to service providers only, • Backup tape storage facilities as companies that handle data • Transaction processors increase their scrutiny over providers due to • Payment gateways providers’ involvement in recent breaches. • Fraud services However, organizations also must take some critical steps to manage third-party risk and comply with the latest version.

2 April 2017 Organizations of all kinds have increased Many of the merchant breaches have their use of third-party vendors. A targeted multiple points of weakness, Crowe survey found that 65 percent of including: respondents across industries make significant or extensive use of third-party • Vendor-owned or -managed systems vendors. Ninety-one percent indicated • Vendor remote access to the CDE that vendors are significant to • Information provided to third parties their business model, and 76 percent said • Information entered into third-party that business services are significant to provider their model.2

As use of these vendors has ramped up, PCI DSS Version 3.2 so, too, has the incidence of breaches Compliance originating with third parties rather than the breached entity itself. Of course, the The new version of PCI DSS reflects the breached entities suffered reputational heightened scrutiny of third-party service damages and/or financial losses despite providers following the wave of breaches. their lack of culpability. It imposes several new responsibilities on providers. (Note that the new standard Recent breaches at Home Depot, Target, also includes changes that apply to all and Lowe’s were all widely covered in the organizations, not just service providers.) media when they occurred. Additional noteworthy examples include: Following are a few important requirements of PCI DSS version 3.2 that organizations • Banner Health (June 2016): Third-party should adhere to. The list is not owned and managed point-of-sale comprehensive and the items included are (POS) systems connected on Banner’s applicable mainly to service providers. network were compromised, exposing 3.7 million cards. Requirement 3.5.1: Maintain documented • Wendy’s (May 2016): Third-party service description of cryptographic provider POS remote access credentials architecture. were compromised at 1,025 locations. Providers must understand all algorithms, • Jimmy John’s (September 2015): Third- protocols, and cryptographic keys party service provider POS remote protecting CHD. They also must keep access credentials were compromised at inventory of all key management devices, 216 locations. including host security modules and secure cryptographic devices. These practices

crowe.com 3 PCI DSS and Third-Party Risk Management

might already be inherently occurring at a Requirement 12.11: Perform reviews at provider, but the explicit requirement for least quarterly to confirm personnel such activities pushes providers to verify are following security policies and that they are considering all relevant pieces. operational procedures. These reviews must take place quarterly Requirement 10.8: Detect and instead of annually. Reviews must validate report failures of critical security that existing policies and procedures are control systems. being followed with daily logs, firewall This requirement represents an attempt rules, configuration standards, security to reduce the period of time between alert response, and change management. discovering and reporting a breach. The idea is to confirm that the employees Providers must have formalized procedures carrying out the different security-related for detection and documentation of the tasks understand the related requirements failure and documentation of the restoration and how they are to be satisfied. of failed security functions. Although PCI DSS 3.2 is not yet in full Requirement 11.3.4.1: Perform effect, all assessments dated on or penetration testing on segmentation after Nov. 1, 2016, must be performed controls at least every six months. according to the new standards. The new PCI DSS version 3.2 increases the requirements will be best practices until frequency for required penetration testing Jan. 31, 2018, after which they will become from annually to semiannually. Additional mandates. The deadline for layer testing is still required after any changes to security (TLS) 1.2 migration has been segmentation controls. extended to June 30, 2018, from June 30, 2016, but all new implementations Requirement 12.4.1: Establish going forward must be enabled with at responsibilities for the protection least TLS 1.1. of cardholder data and a PCI DSS compliance program. Protecting CHD and establishing Develop a compliance programs both were implicitly called for by version 3.1, but the new Comprehensive Vendor version explicitly requires providers to Management Program assign responsibility for the compliance program as a whole, as opposed to only for Requirement 12.8 of PCI DSS version 3.2 individual pieces. requires all organizations to maintain and implement policies and procedures to manage service providers with whom CHD

4 April 2017 is shared, or that could affect the security confirming that management and control of cardholder data. In other words, when activities are performed and any issues sharing CHD with service providers through or incidents are addressed in a timely different means, an organization must . Ongoing management further have a comprehensive program to ensure includes communications and stakeholder that those providers will protect the data. management. Organizations also should The program should incorporate several know the compliance status of their components. service providers and obtain providers’ attestations of compliance. Three Pillars of Effective Some organizations might find it useful to Vendor Management go beyond the annual review requirement Effective vendor management programs are and monitor more frequently or with built on three pillars: due diligence, ongoing additional procedures. For example, management, and periodic evaluation. an organization might also evaluate a provider’s business strategy (including 1. Due diligence. Organizations must any acquisitions or divestitures), establish a process, including proper coverage, or ability to respond and recover due diligence, for engaging service from certain service disruptions. providers prior to engagement. They 3. Periodic evaluation. The PCI DSS should assess the risks presented requires organizations to specify which due to a new, renewing, or expanded PCI DSS requirements are managed relationship, bearing in mind the services by each service provider and which are to be provided, and determine current and managed by the organization. They must planned controls to manage the risks. To periodically re-evaluate the risk of the do so, an organization should perform an relationship based on a risk assessment, inherent risk assessment, followed by a as well as when incidents or performance ranking of the risks. This will allow a risk- issues arise (for example, a breach or based approval or rejection of contracts service disruption or the expiration or by senior management. In addition, the termination of a contract). In some cases, contractual assignment of PCI DSS organizations might have to adjust or responsibility between the entities should implement controls and modify ongoing be reviewed to confirm that the applicable management. requirements are met, and compliance should be validated. 2. Ongoing management. Organizations are required to maintain a program to monitor service providers’ PCI DSS compliance status at least annually. They also should manage the day-to-day relationship and performance of the provider by

crowe.com 5 PCI DSS and Third-Party Risk Management

Know Your Third Party The management principles encompass standards, procedures, and technology. Organizations also should adopt a “know Standards are the meat of the program (and your third party” framework, based on therefore are rarely changed), highlighting governance and management principles, the need for a holistic program. Procedures to support the process of third-party risk are the working processes that are followed management. for vendors; they provide the detail on the actual execution of the plan outlined in the The governance principles suggest standards. Both standards and procedures organizations take the following steps: should be included in documentation 1. Identify. The organization should know governing the program and its expectations. who it does business with and how its On the technology side, organizations must providers can affect the PCI environment. establish systems that support efficient and Common gaps include the lack of a effective execution of their third-party risk consistent onboarding process for new management programs. vendors, failure to identify all vendors with whom data is shared, and assumptions Action Items that money spent on a particular vendor is an indication of that vendor’s risk. In In response to the new PCI DSS reality, risk is affected much more by requirements, individuals charged with how a vendor shares information with PCI compliance and vendor management other vendors. will need to:

2. Assess. The organization must understand • Include PCI-related vendors in the overall the risks of the identified relationships. vendor management program and verify 3. Manage. The organization must take that appropriate attention is paid to all action to address the third-party risks by vendors that are storing, processing, developing an approach based on the or transmitting CHD on behalf of the risks of each vendor. Addressing risks organization should take place on an ongoing basis • Develop a classification system for after onboarding has occurred. vendors that can affect the security 4. Control. The organization should of the CDE manage and control the third-party • Assign qualified individuals to review, risk management program and interpret, and determine reliance in assign responsibilities to appropriate cases in which the program is receiving stakeholders. attestations • Present PCI-related vendors to the audit committee with information explaining any associated risks

6 April 2017 Act Now Although the new requirements are not yet in effect formally, organizations need to take prompt action to position themselves and their third-party service providers for compliance when the time comes. They must understand the numerous changes associated with PCI DSS version 3.2 and begin to build a comprehensive third-party risk management program that will meet the intent and rigor of the requirements and effectively manage their risk.

crowe.com 7 Learn More Angie Hipsher-Williams Principal +1 317 208 2430 [email protected]

Sean McAloon +1 214 777 5228 [email protected]

Jonathan Sharpe +1 317 208 2433 [email protected]

1 Verizon 2016 Data Breach Investigations Report, p. 33, http://www.verizonenterprise.com/verizon-insights-lab/ dbir/2016/

2 Rick Warren, “Closing the Gaps in Third-Party Risk Management: Defining a Larger Role for Internal Audit,” sponsored by the Institute of Internal Auditors Research Foundation and Crowe, 2013, p. 10, http://cdn.cfo. com/content/uploads/2013/12/Crow_IAA_Study.pdf

crowe.com

Text created in and current as of April 2017; Cover and artwork updated in May 2018.

The information in this document is not – and is not intended to be – audit, tax, accounting, advisory, risk, performance, consulting, business, financial, investment, legal, or other professional advice. Some firm services may not be available to attest clients. The information is general in nature, based on existing authorities, and is subject to change. The information is not a substitute for professional advice or services, and you should consult a qualified professional adviser before taking any action based on the information. Crowe is not responsible for any loss incurred by any person who relies on the information discussed in this document. Visit www.crowe.com/disclosure for more information about Crowe LLP, its subsidiaries, and Crowe Global. © 2018 Crowe LLP. RISK-17012-005A