Concerned about the PCI DSS 4.0.1 lookback period starting in March of 2025? LEARN MORE

Emphasis on third-party vendor management and security in PCI DSS 3.0

  • Team Omega
  • June 30, 2014

NetworkSecuritySmallEverybody is now aware of the vulnerability in Target’s network that caused the massive data breach and loss of personal information of about 70 million customers. The Web server that controlled the heating, ventilation and air conditioning systems was totally insecure.

Several large retailers and businesses use third-party vendors just as in the case of Target for remote access into a company’s network for maintaining and managing internal systems. However, many of these vendors setup systems from their end to suit their convenience and do not have a systematic way of following policies, maintaining passwords or having secure remote control with proper 2-factor authentications. Sometimes the vendors use outdated systems that may not be supported for patching and updating per best practices.

A few simple steps can help improve the security of both vendor and customer.

1. Establish certain strict standards for remote access. Examples being constant updates of technologies, intrusion detection systems, blacklisting, monitoring, alerting and maintaining logs.

2. Setup firewalls, Web filters, workstation management tools and blocking of unauthorized technologies.

3. Build secure networks, allow vendors to access only specific areas of the network. Segment accessible areas from the ones that should never be touched or have access into by outside entities.

4. Have vendors sign and vouch for the security of their applications and compliance with the retailer’s security policies. Let vendors do the security awareness training along with an organization’s employees. Mandating audits and enforcing penalties can be another way of ensuring that vendors comply with regulations and principles of PCI DSS.

Following these best practices can avoid a breach in the first place. This is an expense that is wisely spent by businesses rather than after the fact. The hassles and aftermath of a breach can be quite stressful, time consuming and expensive for any business to deal with.