Vendor Compliance Management: What Happened?
On April 4th, 2018, [24]7.ai, a customer support software company, announced a cyber incident “potentially affecting the online customer payment information of a small number of our client companies,” which occurred between September 26 and October 12, 2017. The incident was specific to [24]7.ai’s chat tool. Never heard of [24]7.ai? We hadn’t either, but its well-known clients gave this breach national attention. Sears, Delta Air Lines, and Best Buy have all announced breaches traced back to [24]7.ai, making this cyber incident a vendor compliance management issue.
Sears estimates that the payment card details of about 100,000 customers were maliciously accessed. Fortunately, Sears’ stores and internal systems were not accessed. Delta estimates that the data of several hundred thousand customers was exposed. Best Buy announced that only a small fraction of its online customer population would be affected by the incident, but with a customer population the size of Best Buy’s, even a small fraction is a large number of cards.
From what we know, the clients’ internal databases were not breached; the malware resided in the chat service that [24]7.ai provided, and payment card details were accessed after a customer completed a transaction. Customers did not have to use the chat tool to be compromised; it was enough that the vendor’s chat code was present on the page where they paid. Several elements of this breach stand out to us and raise questions about PCI compliance and vendor compliance management:
- Why did it take roughly six months for [24]7.ai to notify its clients of this cyber incident? The incident occurred between September 26 and October 12, 2017, but Delta reports it was only informed of the breach on March 28, 2018, and Sears reports it was told in mid-March.
- How did Sears, Delta, and Best Buy attest to their own PCI compliance, and were they actively monitoring [24]7.ai’s PCI compliance? PCI DSS Requirement 12.8.4 explicitly states, “Maintain a program to monitor service providers’ PCI compliance status at least annually.” Knowing your vendors’ compliance status gives you assurance and awareness of whether they meet the same requirements your own organization is subject to; the annual check is a floor, not a ceiling.
- Was [24]7.ai’s chat tool encrypted? With respect to PCI Requirement 4.2, the PCI DSS guidance states, “E-mail, instant messaging, SMS, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks. Do not utilize these messaging tools to send PAN unless they are configured to provide strong encryption.” Note the limit of that control, though: encryption in transit protects card data from interception on the network, not from malicious code running inside the chat tool itself, which sees the data before it is ever encrypted. If the vendor’s own code was compromised, a transport-level control alone would not have prevented this incident.
Importance of Vendor Compliance Management
This [24]7.ai cyber incident highlights how connected organizations and their vendors are, and why attacks on third parties are so prevalent. Organizations must understand that vendors are a major risk factor if they have access to customer data. An attacker gets two for the price of one: compromising a vendor also compromises the vendor’s clients. It’s unlikely that [24]7.ai will be a name to remember, but customers will remember that payment card details from Sears, Delta, and Best Buy were compromised. Organizations must perform due diligence when choosing vendors who will handle customer data.
In the past, managing vendor compliance contractually was considered adequate: the contract transferred risk and responsibility to the service provider. That is no longer enough. A breach at your vendor is still your breach in your customers’ eyes, and compliance now demands accountability across the whole chain of service providers that touch cardholder data. An effective vendor compliance management program should include:
- A list of vendors who are subject to your compliance requirements.
- Policies and procedures that outline compliance and security training for vendors.
- Contractual agreements with vendors that provide a clear definition of compliance and security expectations.
- Evidence of due diligence performed before engaging each vendor.
- Continuous monitoring of each vendor’s compliance status, including whether its attestation actually covers the service you consume.
- A remediation plan for compliance issues discovered at a vendor.
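As an added illustration of the monitoring items above and of the at-least-annual check in Requirement 12.8.4, here is a small vendor register review written for this article; it is not code from [24]7.ai, its clients, or the PCI SSC. It assumes a hypothetical register holding, for each vendor, the services it provides, the date and scope of its latest Attestation of Compliance (AOC), and a responsibility matrix of which party owns which requirement (the information Requirement 12.8.5 asks entities to maintain, which goes one step beyond the list above). The vendor names, dates, and the short list of requirements in play are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Illustrative subset of PCI DSS requirements that should have an assigned owner when a
# service provider runs code on, or handles data from, a client's payment pages.
# Chosen for this example; not an authoritative scope statement.
REQUIREMENTS_IN_PLAY = ("6.5", "10.2", "11.5", "12.10")

VALID_OWNERS = {"provider", "entity", "shared"}


@dataclass
class ServiceProvider:
    name: str
    services: set[str]                 # what the provider does for us
    written_agreement: bool            # contract acknowledges PCI DSS responsibility (12.8.2)
    due_diligence: list[str]           # evidence gathered before engagement (12.8.3)
    aoc_date: date | None              # date of the latest Attestation of Compliance
    aoc_scope: set[str]                # services that the AOC actually covers
    responsibilities: dict[str, str]   # requirement -> "provider" | "entity" | "shared" (12.8.5)
    last_reviewed: date | None = None  # when we last checked their status ourselves (12.8.4)


def review_provider(p: ServiceProvider, today: date, max_age_days: int = 365) -> list[str]:
    """Return findings for one provider; an empty list means it passes this review."""
    findings: list[str] = []
    if not p.written_agreement:
        findings.append("no written agreement acknowledging PCI DSS responsibility (12.8.2)")
    if not p.due_diligence:
        findings.append("no due-diligence evidence on file (12.8.3)")
    if p.aoc_date is None:
        findings.append("no Attestation of Compliance on file (12.8.4)")
    elif (today - p.aoc_date).days > max_age_days:
        findings.append(f"AOC is {(today - p.aoc_date).days} days old; "
                        "compliance status must be confirmed at least annually (12.8.4)")
    if p.last_reviewed is None or (today - p.last_reviewed).days > max_age_days:
        findings.append("our own review of this provider is missing or older than a year (12.8.4)")
    # An AOC only helps if it covers the service we actually consume.
    uncovered = sorted(p.services - p.aoc_scope)
    if uncovered:
        findings.append("services not covered by the AOC: " + ", ".join(uncovered))
    # Responsibility matrix: every requirement in play needs a recognised owner.
    unowned = sorted(r for r in REQUIREMENTS_IN_PLAY if r not in p.responsibilities)
    if unowned:
        findings.append("requirements with no assigned owner: " + ", ".join(unowned) + " (12.8.5)")
    bogus = sorted(r for r, who in p.responsibilities.items() if who not in VALID_OWNERS)
    if bogus:
        findings.append("requirements with an unrecognised owner value: " + ", ".join(bogus))
    return findings


def review_register(register: list[ServiceProvider], today: date) -> dict[str, list[str]]:
    """Review every provider and return only those with findings, keyed by name."""
    report = {p.name: review_provider(p, today) for p in register}
    return {name: findings for name, findings in report.items() if findings}


# Constructed sample register: hypothetical vendors and dates, not real data.
REVIEW_DATE = date(2018, 4, 4)
SAMPLE_REGISTER = [
    ServiceProvider(
        name="ChatVendor (constructed)",
        services={"web chat", "checkout page script"},
        written_agreement=True,
        due_diligence=["SOC 2 Type II report, 2016"],
        aoc_date=date(2016, 11, 1),
        aoc_scope={"web chat"},  # the script on the checkout page was never attested
        responsibilities={"6.5": "provider", "10.2": "provider"},
        last_reviewed=date(2016, 11, 15),
    ),
    ServiceProvider(
        name="GatewayVendor (constructed)",
        services={"payment gateway"},
        written_agreement=True,
        due_diligence=["AOC 2018", "QSA reference call"],
        aoc_date=date(2018, 1, 10),
        aoc_scope={"payment gateway"},
        responsibilities={"6.5": "provider", "10.2": "provider",
                          "11.5": "provider", "12.10": "shared"},
        last_reviewed=date(2018, 2, 1),
    ),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script, it lists the constructed chat vendor with four findings (a stale AOC, a stale review, an un-attested checkout-page script, and two requirements nobody owns) and stays silent about the gateway vendor. The scope and ownership checks are the ones worth copying: a current AOC for "web chat" says nothing about code the same vendor drops onto your payment page, and a requirement that appears in neither party’s column is one nobody is meeting.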
Do you monitor your vendors’ compliance efforts? Have you performed due diligence when choosing vendors? For more information on establishing a vendor compliance management program, contact us today.