Payment security risks channel partners inherit from client environments
By Chris Brown
PCI DSS, or “payment card industry data security standard,” is the blueprint for credit card security, largely because the regulations cover the entire payment environment and not just the service that directly processes card payments. The upside of PCI DSS is better security. The downside is that many channel partners are inadvertently exposed to compliance issues inherited via their clients.
This article will break down why “we don’t process cards” doesn’t eliminate payment risk for the channel, the main risks involved and the cost of ignoring them, as well as a playbook on how to mitigate these risks as a small or medium-sized business.
PCI compliance requirements cover the entire cardholder data environment (CDE). This includes channels that access cardholder data, affect connectivity or influence the systems that handle the data. That means, “indirect data exposure counts.” In other words, the use of card data isn’t limited to live payments. Any logs, back-ups, databases or monitoring tools that store or touch the data in some way can accidentally expose sensitive information.
At the same time, “access brings accountability.” A common misconception with PCI shared responsibility is that if a channel partner doesn’t actively use or access cardholder data, it is exempt from compliance. Whether the data is used or not is, in fact, irrelevant. Access control measures are a crucial part of PCI, and access alone can create PCI scope – be that through managing cloud infrastructure, firewalls, networks or even providing remote support.
What’s more, networks can become pathways. It’s common for channel partners to manage network design and segmentation for merchants that process credit cards. Even though these systems might not be payment-related, they can be used by cyber attackers as pathways into the CDE.
Ultimately, partners can be as badly affected as merchants. A breach or compliance investigation will extend far beyond the merchant of record. A channel partner’s client may be the one dealing with the most pressing part of a security incident, but the blow-back can quickly become the partner’s legal and financial problem as well.
Ways Risk Is Inherited in Client Environments
PCI compliance is shared because the risks are shared. One of the best ways for third-party advisors to reduce their exposure is by reviewing client environments for PCI weak points they might inherit, the most common of which include:
Poor access hygiene: Issues with admin credentials, weak passwords, etc., can expose sensitive systems that might be connected to cardholder data.
Network gaps: Network segmentation can be used to reduce PCI scope, but, done poorly, it can have the opposite effect. Gaps in networks and segmentation are often inherited from client environments and can quickly open pathways to security and regulatory risks.
Inherited infrastructure: It doesn’t matter if application and hardware vulnerabilities predate a channel’s integration with the client environment. That inherited infrastructure comes with risks and responsibilities that the channel must contend with to comply with PCI DSS.
Cloud confusion: Cloud security is another area governed by a shared responsibility model and often overlaps with PCI compliance. If these responsibilities aren’t clear, the result can be insufficiently protected data and compliance risks.
Documentation and visibility problems: A vital part of shared responsibility is visibility. The problem is that clients do not always have up-to-date inventories to reference. This can leave outside advisors exposed to risks that they don’t even know about, which in turn causes complications if an audit is ever called for.
Shared Responsibility and Third-Party Dependencies
PCI responsibility begins with the merchant. It’s their responsibility to define the scope, validate compliance and choose third-party providers that fit regulatory demands. The next layer is the payment processors and platforms. They’re required to provide PCI-validated payment applications and services. Finally, we get to the channel partners.
Every way in which a merchant or payment provider depends on channel partners expands the PCI scope. This dependency is where risk is inherited. Similarly, any way in which a third party’s system impacts cardholder data, be it via networks, SaaS integrations, etc., is required to be secured according to PCI guidelines.
The Cost of Getting It Wrong
PCI DSS financial penalties can cost businesses up to $1.2 million per year. Poor compliance can also cause ruptured client relationships and lower perceived trustworthiness.
Worse than compliance failure alone is if the failure is caught because of a security incident. Investigations and reviews are often lengthy and require significant staff and legal resources. If the incident led to a data breach, there’s the expense of data recovery, liability claims and all the reputational losses that come with that as well.
In short, inherited PCI DSS risk is something worth taking seriously. The cost of not doing so is simply too high.
A Practical Playbook for Partners
It isn’t inherited risk that costs channel partners so much as unmanaged risk. The best way to mitigate PCI problems is to tackle the issue as soon as a new client environment is engaged. Here’s how to do that, no matter the size of your business:
- Before any access is granted or systems integrated, clarify the landscape of the client environment, its networks and the systems connected to it.
- Clean up access weaknesses and remove access wherever it isn’t necessary. This is one of the most efficient and cost-effective ways to limit inherited risk.
- Document how your channel will interact with the client environment to see where their PCI scope will become yours.
- Validate everything. Don’t assume that segmentation exists as it should or that sensitive data is stored appropriately.
- Build risk management into the client relationship. This includes regular maintenance checks and updates on any system changes.
- Define how “shared responsibility” will operate in practical, clear terms. The more detailed, the better.
The key is proactiveness. Prioritizing visibility, strong access hygiene and validation processes forces PCI risks out of hiding early and allows channel partners to address any inherited weaknesses long before they escalate.
Chris Brown is a senior cybersecurity and product marketing leader at VikingCloud.