Target and Home Depot were both breached due to compromises at third parties. Target were breached through an HVAC supplier; Home Depot have not released much detail about their supplier issue. When trusted third parties have access to your corporate network, you need to carry out due diligence checks and ensure their security is at least as strong as your own. The PCI DSS includes requirements for supplier relationships that are part of, or can affect, the transmission, storage and processing of card details. These requirements include:
- Using PCI DSS-compliant suppliers.
- Two-factor authentication for remote access.
- Unique usernames and passwords.
- Access is only enabled when it is necessary.
- Actions are tracked by audit trails.
In the case of Target’s HVAC supplier, the supplier itself didn’t need to be PCI DSS-compliant, but the principles behind the PCI DSS are good security principles to apply across your organisation. Target didn’t have proper segmentation between the cardholder data environment (CDE) and their other systems, which allowed the compromised supplier account to reach card data.
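To make the controls above concrete, here is a small policy engine, added as an illustration and not code from the original post or from any of the organisations mentioned. It encodes the five listed controls for a supplier remote-access gateway: only unique, named accounts are provisioned; a second factor must have been completed; access is enabled only inside an approved window; every decision is written to an audit trail; and a segmentation rule keeps supplier sessions out of the CDE zone entirely. The account names, zone names and timestamps are constructed sample data.

```python
# Added example, not code from the original post: a small policy engine that
# encodes the supplier-access controls discussed above. Names, zones and
# timestamps are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SupplierAccount:
    username: str              # one named person; shared vendor logins are never provisioned
    supplier: str
    mfa_enrolled: bool
    window_start: datetime     # access is enabled only inside this window
    window_end: datetime


@dataclass
class AccessRequest:
    username: str
    dst_zone: str              # network zone the session is trying to reach
    mfa_verified: bool         # did the remote-access gateway complete a second factor?
    at: datetime


# Segmentation policy: zones a remote supplier account may ever reach.
# The cardholder data environment ("cde") is deliberately absent.
SUPPLIER_REACHABLE_ZONES = frozenset({"hvac", "facilities"})


class AccessPolicy:
    """Evaluates supplier access requests and keeps an audit trail of every decision."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.audit_log = []

    def _decide(self, req, allowed, reason):
        # Every decision, allowed or denied, goes to the audit trail.
        self.audit_log.append({
            "time": req.at.isoformat(),
            "user": req.username,
            "dst_zone": req.dst_zone,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed, reason

    def evaluate(self, req):
        acct = self.accounts.get(req.username)
        if acct is None:
            return self._decide(req, False, "unknown account (unique named accounts only)")
        if not (acct.mfa_enrolled and req.mfa_verified):
            return self._decide(req, False, "MFA required for remote access")
        if not (acct.window_start <= req.at <= acct.window_end):
            return self._decide(req, False, "outside approved access window")
        if req.dst_zone not in SUPPLIER_REACHABLE_ZONES:
            return self._decide(req, False, f"zone '{req.dst_zone}' is segmented from supplier access")
        return self._decide(req, True, "allowed")


def build_demo_policy():
    # Constructed sample: one HVAC technician with a four-hour change window.
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    tech = SupplierAccount("j.doe@example-hvac", "Example HVAC Ltd", True,
                           start, start + timedelta(hours=4))
    return AccessPolicy([tech])


def run_demo(policy):
    """Runs five constructed requests; returns the (allowed, reason) decisions in order."""
    t = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    requests = [
        AccessRequest("j.doe@example-hvac", "hvac", True, t),                      # in window, MFA done, HVAC zone
        AccessRequest("j.doe@example-hvac", "cde", True, t),                       # same session, but into the CDE
        AccessRequest("j.doe@example-hvac", "hvac", False, t),                     # second factor never completed
        AccessRequest("j.doe@example-hvac", "hvac", True, t + timedelta(days=1)),  # window has closed
        AccessRequest("hvac-shared", "hvac", True, t),                             # shared login, never provisioned
    ]
    return [policy.evaluate(r) for r in requests]


if __name__ == "__main__":
    policy = build_demo_policy()
    for allowed, reason in run_demo(policy):
        print("ALLOW" if allowed else "DENY ", reason)
    print(f"{len(policy.audit_log)} audit entries written")
```

The point of the second request is the Target lesson: a supplier account that is otherwise fully compliant (named user, MFA, inside its window) is still refused the moment it tries to cross into the CDE, and the refusal is logged. Denials are recorded alongside approvals so that a supplier account probing zones it should never touch shows up in the audit trail rather than disappearing silently.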
As part of your due diligence checks, you should ensure that your suppliers meet basic security controls as well as your own security profile.
Ensuring your suppliers are ISO 27001-compliant is a step in the right direction, as is checking whether they have regular penetration tests. You may decide, as part of due diligence, to run your own security programme of audits, including penetration testing, on your suppliers. IT Governance has experience working with retailers, helping them conduct IT health checks and penetration testing on their suppliers on a regular basis.