In late 2015 the FTC concluded its lawsuit with Wyndham settling the litigation pertaining to whether their data security policies led to data breaches. The settlement shows that the FTC analysis of whether data protection efforts are reasonable will be dependent on a number of factors including an organization’s size and complexity. The settlement specifies that audits should be performed to:
“(1) Understand what data the company collects and industry standards for the protection of such data, and
(2) ensure that the commitments made in the company’s policies are actually being implemented.” For retailers, particularly those involved with franchisees or distributing through independent retailers like major oil companies, restaurants, and hotels, the Wyndham decision implies that compliance strategies based on separate business entities may not be sufficient to offer protection from breach liability. One result of the settlement is that retailers became focused on extending PCI compliance support to their Level 4 merchants. The settlement is significant when choosing: “managed network services” and “managed security services” i.e. Third Party Service Providers (TPSP) for network security and PCI compliance services.
Both managed network service providers (MNSP) and managed security service provides (MSSP) are considered “Third Party Service Providers (TPSP) under the PCI DSS. The Wyndham Settlement suggests that the retailer is liable if the tools provided to their affiliated independent retailers do not meet PCI DSS requirements. Changes in PCI DSS have expanded the requirements to include their TPSP’s.
One example of these changes is Security Information and Event Management (SIEM). Previously, PCI DSS applied “to entities that store, process or transmit cardholder data”. If a SIEM provider didn’t store, process or transmit cardholder data, as most do not, they had no requirements under PCI DSS. Many retailers continue to understand PCI DSS scope in this way. However, the requirement has changed. The current scope of PCI DSS says: “all system components included in or “connected to the card holder data” are subject to the PCI DSS. The scope goes on to specify any other components or device “connected to the CDE” is subject to PCI DSS. Further, the PCI DSS is clear that the requirements apply to organizations that store or process “sensitive authentication data” or “management of their CDE”. PCI DSS Scoping further includes system components, an explicit example of which is, “Systems that provide security services… or impact the security of the CDE.” A SIEM monitors and picks up logs within the CDE sending them out to the TPSP’s security operations center. The result of the TPSP not being PCI DSS compliant might be interpreted under the Wyndham standard as not adhering to the “industry standards for the protection of such data”.
The impact of a TPSP not having a ROC (Report on Compliance) on the retailer can be significant. For a retailer with hundreds or even thousands of locations, a TPSP without an Attestation of Compliance (AOC) would generate more requests from auditors as they evaluate the independent retailers. With an AOC, the TPSP is able to pass on the AOC, smoothing the PCI compliance effort and assuring the proper level of security and data compliance. The PCI DSS offers a detailed process for performing due diligence on the TPSP. The quickest answer is to request the TPSP validation documentation. For most situations, the AOC is sufficient. If the TPSP is unable to produce an AOC, then the retailer must conclude they are not PCI DSS complaint. For retailers evaluating the TPSP, the right choice is to select a vendor with an AOC.
For help with your data security needs, call Omega at 636-557-7777, or email firstname.lastname@example.org.