“…so here’s the thing. If you can’t spot the sucker in your first half hour at the table, you ARE the sucker.”
Let’s say that your company, from an information assurance perspective, really has its act together.
Even your education and awareness campaigns are paying off; you’ve got security testing gates in the SDLC, and new software isn’t built without InfoSec knowledge and involvement. You’ve got all the widgets and gizmos, with the toys required to collect and process the logs they create. You’ve even got that WhiteHat / WAF thing rocking while the dev team cleans up vulns at the code level. COOL, good on ya!
Now, there is this other thing happening where you’ve involved a third party to help you reach out to a new customer segment, let’s say South America. You’ve partnered with a company that does this really slick language translation. All that got added was a link in the corner of the navbar that says ‘se habla espanol’.
The business development team is excited! This is SWEET, right??!! Everything you’ve done is now magically translated! This service just funnels your site through their systems, translates it, then forwards everything to the browser of your visitor.
As prudent security professionals, we take a stride back, and look at this. We do business through this platform. Like, this website is our online store, and stuff. So this is a good thing, right? Our shopping experience is now accessible to a bunch more people right? They can shop and spend money with us, in the language of their heart… and stuff. Hmmmmmmm…. <chin scratching begins…>
So that service- how does it handle that whole payment thing? You know, the part with the SSL stuff and the sensitive credit card stuff. And stuff. Uh-Oh.
Well, we have legal stuff with ‘em, so we’re probably okay, right? Why does the InfoSec team always get left to deliver the reality check? They tag all the data and only translate what is necessary. ‘So, if they terminate SSL, they see that credit card stuff, right?’
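To make the scoping question concrete, here is an added example (not from the original post, and not the translation vendor’s code) that models the situation above with constructed data. The origin store, the proxy host name, the page HTML and the field name `card_number` are all assumptions. It shows why a relative form action on the checkout page lands the card number on whichever host served the page, i.e. the translation proxy, and it shows two defensive changes: posting the payment form straight to your own origin, and telling the proxy to hand the checkout paths back to the origin instead of fronting them.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed hosts: our store, and the translation service that fronts it.
ORIGIN = "https://shop.example"
PROXY = "https://es.translator.example"

# Constructed pages as served by our origin. "Before": the checkout form uses a
# relative action, so whichever host served the page receives the POSTed card.
PAGES_BEFORE = {
    "/": '<a href="/checkout">Checkout</a>',
    "/checkout": '<form action="/pay" method="post">'
                 '<input name="card_number"><input name="expiry"></form>',
}

# "After": the payment form posts straight to our origin (absolute action),
# and the proxy is configured to redirect the payment paths back to the origin.
PAGES_AFTER = {
    "/": '<a href="/checkout">Checkout</a>',
    "/checkout": f'<form action="{ORIGIN}/pay" method="post">'
                 '<input name="card_number"><input name="expiry"></form>',
}
EXCLUDED_PATHS = frozenset({"/checkout", "/pay"})

# Field names that, if present in a form, mean the form carries cardholder data.
CARD_FIELDS = {"card_number"}


class FormFinder(HTMLParser):
    """Collect (action, input names) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = (attrs.get("action", ""), set())
        elif tag == "input" and self._current is not None:
            self._current[1].add(attrs.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def proxy_fetch(pages, path, excluded=frozenset()):
    """Simplified model of the translation proxy.

    Assumption: it serves the origin page body as-is (translation and link
    rewriting omitted), so relative URLs resolve against the PROXY host.
    Paths in `excluded` are redirected back to the origin instead.
    """
    if path in excluded:
        return 302, urljoin(ORIGIN, path)
    return 200, pages[path]


def hosts_receiving_card_data(body, served_from):
    """Return the hosts that card-bearing forms in `body` would POST to."""
    finder = FormFinder()
    finder.feed(body)
    hosts = []
    for action, names in finder.forms:
        if names & CARD_FIELDS:
            hosts.append(urlparse(urljoin(served_from, action)).netloc)
    return hosts


def proxy_sees_card_data(pages, excluded=frozenset()):
    """True if a shopper who reached /checkout via the proxy posts card data to it."""
    status, body = proxy_fetch(pages, "/checkout", excluded)
    if status != 200:
        return False  # shopper was sent back to the origin before entering a card
    hosts = hosts_receiving_card_data(body, PROXY + "/checkout")
    return urlparse(PROXY).netloc in hosts


if __name__ == "__main__":
    print("before:", proxy_sees_card_data(PAGES_BEFORE))                 # True
    print("absolute action:", proxy_sees_card_data(PAGES_AFTER))         # False
    print("path excluded:", proxy_sees_card_data(PAGES_BEFORE, EXCLUDED_PATHS))  # False
```

The HTML scan only tells you where the form posts. A proxy that rewrites page bodies could still alter the absolute action, so the path exclusion (and the vendor’s own PCI attestation, which the rest of this post is about) is the control to rely on; the scan is useful as a recurring check that nobody has quietly put a card form back behind the proxy.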
Ronald Reagan was a sharp guy: “trust, but verify.” PCI Requirement 12.8 states that your service providers must adhere to the PCI DSS requirements. It calls them SERVICE PROVIDERS. It gets even better. That service is storing, processing, or transmitting cardholder data on behalf of your organization. THEY ARE A PAYMENT GATEWAY.
Payment Gateways are always classified as a Level One Service Provider. Level one service providers have the highest level of accountability to PCI; they have the most stringent requirements and audits. If a QSA has not performed a thorough annual onsite audit of this organization, BUYER BEWARE! Doing business with an organization that handles CHD (Cardholder Data) without acknowledging their level of accountability is only asking for trouble.
Please be careful who you share your sensitive data with! Business partners and service providers can open you up to immense liability. “Trust, but verify.”
Then again, one of my favorite philosophers once said, “There are two people I trust. One of them is God. The other is not you.” (Doc Holliday)