On July 19, Visa posted an important and timely security alert regarding“Chatbots”. In a nutshell, Visa says that due to the rise in online and mobile commerce, AI and chatbots (both text and voice) have become increasingly important to payment system companies to handle increasing call volumes. With that said, Visa goes on to say that they have become aware of attackers targeting these online chat service providers and distributing malware to intercept payment card data.
This security alert highlights for me the importance that our clients, friends, and partners need to place on the guidelines provided by Visa, MasterCard, and other security frameworks such as PCI DSS. Knowing about these guidelines is the first step, but implementing them becomes critical to minimize the potential of security risks to organizations and most importantly, their customers.
The alert comes hot on the heels of numerous reports of customer data breaches through third party service providers hosting services. An example breach of this nature was reported back in March 2018 for 7.ai whose customers included Delta, Best Buy, Sears, and many more. The 7.ai breach had costly implications not only for themselves but for their customers. In addition, these implications would have been much more severe if GDPR had been in full force - what would the impact be today?
So what do I do?
While you may be aware that outsourcing services does not alleviate responsibility for
Visa is aware of attacks where threat actors compromised online chat service providers and were able to distribute malware to merchant clients designed to intercept payment card data during checkout. - Visa
protecting your customers data, it is important to point out that the best information security programs - including those from some of the largest companies in the world - cannot identify every risk a third party brings to the table. Learning from past breaches, staying on top of best practices, and integrating layers of security when it comes to vendor management are the recommended course of action.
Although recommendations outlined by Visa (like the ones in the security alert) are typically baked into compliance frameworks such as PCI, merchants and service providers should implement controls above and beyond to manage third-party service providers. It is best to err on the side of caution when determining the impact of security on your company as it relates to any third-party. Validating your service provider's security controls annually and ensuring contractual obligations are documented is not enough, you need to implement management programs and attempt to identify, document, address, and ultimately manage that risk responsibility.
It is also important to go above and beyond when documenting vendor responsibility – your responsibilities, theirs, and shared should just be a starting point. Complex integrations of third-party services demand a detailed analysis of impact and documented responsibilities. It should go without saying that well documented responsibilities are of little value unless integrated into security agreements and contracts.
Consider this example
Consider this example: our website has a third-party hosted application that manages website analytics and is integrated via a link to a third-party. If the third party implements a change, is the change considered significant? Do you know the impact? Is there a requirement to perform additional off-cycle pen testing? Worse, would you even know that a change affecting your website had occurred?
Unfortunately, the answer is probably not. Even companies with solid, seasoned security programs, typically vigilant with third-party vendor and supply chain management, are still getting hit. Many of the largest breaches on record come back to a third-party vendor. When outsourcing there are many things that can go wrong, first and foremost even a vendor that is demonstrating compliance with a framework such as PCI DSS can still be breached. In some cases, vendors slip through the cracks, the service being performed for the company wasn’t risk ranked properly, the impact to security wasn’t documented adequately, or even worse, someone felt the impact was so minimal they weren't even being managed as a service provider that could impact the environment.
Security is all about layers and this day and age requires extra vigilance when it comes to risk and impact of third parties. An unmanaged approach will ultimately lead to PR nightmares and sleepless nights. More must be done beyond meeting the intent of service provider compliance frameworks such as PCI, NIST, ISO. These guidelines should only be baselines - when it comes to protecting your customer’s data sets, start with the question: Does the service provided by the third party enhance our business sufficiently to justify the risk? Many times, well-meaning business minded folks look for the latest and greatest products to “test” for potential benefits without input from security personnel. When it comes to third-party management, it is clear that business, security, purchasing, legal, and compliance personnel must work together to ensure that any third-party vendors are managed as securely as possible.
Online's Third-party Risk Management Service
Online’s Third-party Risk Management service not only uses certified security experts, but also leverages our in-house legal counsel to ensure both you and your service providers are compliant with necessary regulations and contractual security and privacy requirements. In addition, we use our considerable experience in Cloud services to ensure no matter where your information is being held, it is protected from potential threats. You can learn more about our Third-party Risk Management service by clicking here.
To learn more about Online’s Risk, Security and Privacy practice, click here.