Does your Managed Services Partner have a security mindset?
When conducting your due diligence on a managed services provider( MSP) to manage and secure your point-of-sale network, it’s vital that the provider you work with makes their own internal security a priority.
The typical SME retail and restaurant IT team is heavily immersed in tactical day-to-day network operations. As a result, they are busy troubleshooting connections and devices to ensure that the POS network and remote network devices are secure and protected from external and internal threats.
This means that IT often finds itself with too little time during the day for managing network security, let alone long-range, strategic network planning. Many multi-unit restaurants and retailers have come to realize that staying on top of a sophisticated point-of-sale network security infrastructure taxes resources, and are opting to outsource some or all of their POS network management and security functions to a managed services provider (MSP).
It’s a good practice to ask your current or future service provider about their internal security protocols. At a minimum, they should live by the PCI DSS network security framework. However, they should also have an internal culture of security that is as important as the security of your business and payment data. Below are seven questions to ask your managed services provider to make sure they are keeping constant vigil over their own network infrastructure:
1. Does your managed services provider monitor their network for intrusion detection?
They should. It’s a PCI DSS requirement for Service Providers. PCI DSS r. 11.4 says service providers should “use intrusion-detection techniques to detect help prevent intrusions into the network. It goes further in the next requirement PCI DSS r. 11.5 stating that your Service Provider must “Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
2. Does your managed services provider perform penetration tests on their Infrastructure?
PCI Requirement 18.104.22.168 requires that MSPs conduct regular penetration tests. These tests validate the scope and effectiveness of segmentation controls and at a minimum must be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year.
3. Does your managed services provider regularly monitor perform vulnerability scanning of their network infrastructure?
At a minimum, internal and external vulnerability scanning are required on a quarterly basis. As explained in PCI DSS r. 11, internal and external vulnerability scanning is mandated for Level One Service Providers whose technology and services are in scope when securing your CDE (cardholder data environment). Service providers should perform internal and external vulnerability scans at least quarterly and after any significant change to the network. Additionally, external scans must be performed by an Approved Scanning Vendor (ASV). The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.
4. Does your managed services provider have company-wide security policies?
Are their staff held accountable for understanding and adhering to the company’s policies? How do they educate their employees about their security policies? It’s one thing to check the box upon hiring new staff, but if the company doesn’t have a pervasive culture of data security, those policies don’t add much value in preventing breaches caused by phishing attacks or physical data theft.
5. Does your managed services provider train their entire staff on cybersecurity attack methods?
Spear-phishing attacks are the most prevalent delivery method for cyberattacks. Malware-laden attachments and URLs, credential phishing sites, and impersonation attacks are hidden among millions of messages. People open 3% of their spam and 70% of spear-phishing attempts. And 50% of those who open the spear-phishing emails click on the links within the email, usually within an hour of receipt. Your MSP’s entire staff must be trained regularly to identify spear-phishing attempts as well as other internal and external techniques used by hacking organizations.
6. Does your managed services provider deliver a Roles and Responsibilities Matrix?
Network security and PCI compliance can’t be put solely into the hands of an MSP. You need to understand how the services and products provided by your service provider map to PCI DSS requirements as well as your own business requirements – and which party owns each responsibility. The requirements that apply to an MSP vary depending on many factors, including the nature of services provided and the level of access it has to your CDE. For example, if your MSP provides managed firewall services they must meet PCI DSS Requirement 1.
7. Does your managed services provider practice Zero Trust Network (ZTN) principles?
Traditional network security has been configured to protect the perimeter. What’s inside your network walls has been presumed to be trusted. Zero Trust “mandates that information security professionals treat all network traffic as untrusted.”
Zero trust network security operates under the principle “never trust, always verify.” Your MSP should have multi-factor authentication in place for staff to access their infrastructure. In addition to MFA, they should also have protocols for identifying a client who calls into their SOC or NOC for support, perform regular network audits, and have controls in place for access permissions.
Managed service providers who are serious about preventing the exfiltration of sensitive data and improve their ability to defend against modern cyberthreats should have some form of Zero Trust principles applied to their controls.
The best way to get answers to most of these questions is to request your managed service provider’s Report on Compliance (ROC) – they should provide a current one. If they don’t have one, or can’t provide you with their ROC, they aren’t PCI compliant and are not qualified to provide network and payment gateway services to merchants who process payment cards.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a notice regarding updates to the Iranian Cyber Threat Profile. You can view the original article online: https://www.us-cert.gov/ncas/alerts/aa20-006a. CISA advises that organizations consider these action items: Adopt a state of heightened awareness. Minimize gaps in personnel coverage, consistently …
Granting secure, PCI compliant remote access to network devices for authorized employees and service providers
Legacy equipment, like DVRs and ATGs, often expose an attack vector to the digital estate of the store, so how do you provide secure remote access to these and other network-connected devices for authorized employees, third-party service providers and business partners? Standards for PCI compliance included …
How to select a Verifone certified Managed Network Service Provider (MNSP) and prepare for outdoor EMV
Verifone’s Enhanced Zone Router (EZR) is reaching its end-of-life and cannot support the ever-evolving cybersecurity threats and outdoor EMV. As a result, Verifone previously announced that new installations should deploy devices with a certified Managed Network Service Provider (MNSP). What is in included Verifone’s MNSP program? …