PCI DSS 4.0 and Third-Party Apps in Merchant Business Ecosystems

An Introduction to Vorlon for Third-Party Merchant Compliance

For the modern US Retailer, the use of third-party applications has become indispensable, and many are critical to merchant operations. These applications offer functionalities that enhance the customer experience and operational efficiency, while also enabling the organization to scale revenues without the need for scaling headcount. However, they also pose significant risks to the security of payment card information. 

How PCI DSS 4.0 Addresses Modern Merchant Business Needs

The transition to PCI DSS 4.0 reflects the Payment Card Industry's response to evolving digital threats and technological advancements. The update focuses on enhancing security measures, encouraging the adoption of continuous security processes over compliance checkboxes, and introduces flexibility in how organizations can achieve and demonstrate compliance. These changes underscore a shift towards adaptability, acknowledging the diverse and dynamic nature of today's payment processing ecosystems. 

PCI DSS 4.0 also reflects the evolving nature of cybersecurity threats and the increasing complexity of payment environments. For any merchant organization, this means ensuring not only their environments but also those of their vendors are compliant. This update is an incredible step in the right direction, but also exposes an enormous gap in capabilities security teams have today for monitoring their compliance when their data is either sitting in or moving between their various third-party systems (e.g. customer data moving between a customer relationship management platform like Salesforce.com and financial operations platform like bill.com).

For the remainder of this blog, we will focus primarily on the impact to Retailers, though it should be noted that PCI applies to all that process credit card transactions/data including Retail, Service, Healthcare, etc.

The Risks

The use of third-party applications introduces potential risks, particularly if these apps access or process cardholder data outside the PCI-compliant environment. The risks range from data breaches to non-compliance penalties, both of which can significantly impact a retailer’s business.

As noted in Gartner^Ⓡ research, “according to the 2024 Gartner CIO and Technology Executive Survey, the top priorities for retail CIOs in the coming year are the successful execution of a unified commerce strategy for revenue, and margin growth.”¹ In a world where retail margins are dwindling, this leaves little to no room for compliance fines. 

Retailers might integrate a variety of third-party applications, such as customer relationship management (CRM) systems, e-commerce platforms promising greater digital expertise than can be built in-house, and cloud-based storage solutions, all of which likely have access to or store sensitive data outside of the retailer’s PCI environment and run the risk of data leakage. Payment gateways and analytics tools also often handle cardholder data, increasing the complexity of maintaining a secure and compliant ecosystem.

“Also those of their third-party vendors”

PCI DSS 4.0 has introduced yet another area for Retail CISOs to now monitor and secure—those of their third-party vendors. This attack surface is by no means novel to the seasoned CISO. Security vendors have introduced new tactics like SaaS Security Posture Management (SSPM) which began to gain prominence around 2020. I am confident most retailers either are using an SSPM solution today or have been evaluating them. The problem with SSPM solutions is that they focus on misconfiguration only—as if that is the only way a third-party application might be leveraged by attackers. It neglects the use of legitimate secrets by attackers of properly configured third-party apps. These solutions also look at changes over time versus continuously monitoring and alerting to abnormal behavior. 

How Vorlon Helps

Enterprises typically face the challenge of manually monitoring their third-party vendors, which can be both time-consuming and prone to errors. This traditional approach lacks the agility to respond to new threats in real-time, increasing the risk of compliance violations and security breaches. And if you’re only looking for configuration changes, and not monitoring for illegitimate use of perfectly configured tools, then you’re also missing a huge portion of the attack surface.

Vorlon, on the other hand, automates the monitoring process, and provides continuous visibility into vendor API activities. This not only reduces the workload on security teams but also enhances the accuracy and efficiency of detecting potential compliance issues. With Vorlon, retailers gain a proactive stance in managing third-party risks, leveraging technology to stay compliant and secure, which is a significant advantage over traditional, labor-intensive methods.

Vorlon provides a solution tailored to the needs of retailers facing the challenges of PCI DSS 4.0 compliance:

• Continuous Monitoring: Our platform offers near real-time insights into your vendors' activities, enabling you to identify and mitigate risks swiftly.
• Proactive Compliance Management: By keeping a close watch on third-party access to sensitive data, Vorlon helps prevent costly compliance violations, reducing the risk of fines and reputational damage.
• Flexibility in Compliance: PCI DSS 4.0 introduces more flexibility for organizations to demonstrate compliance. Vorlon supports this by providing detailed evidence of your third-party vendors' compliance status, tailored to meet the specific requirements of your retail operation.

Embracing Change

With PCI DSS 4.0, the goal is not just to comply but to enhance the security posture of retail operations in a way that aligns with business objectives. Those leveraging a tool for continuous monitoring of data in motion and third-party applications goes beyond meeting standards but enhancing the overall security and efficiency of security operations. Our platform is designed to integrate seamlessly with existing systems and processes, providing additional intelligence that complements efforts to protect customer data while ensuring compliance with the latest standards.

As we move forward in the era of PCI DSS 4.0, embracing the changes and the challenges it brings is crucial. With Vorlon, Retailers have a solution equipped to assist with managing the complexities of compliance, ensuring retail businesses remain secure against their third-party ecosystem, compliant, and ahead of the curve.

Being proactive about compliance and security is more critical than ever. Vorlon stands ready to assist US Retailers in adapting to these changes, ensuring that retail operations not only meets but exceeds the stringent requirements set forth by PCI DSS 4.0.

A Call to Action

Attend our webinar on May 16, 2024 for a greater look at the challenges Vorlon is addressing. The 30-minute session is hosted by our CEO and Co-founder Amir Khayat, and includes a demo of Vorlon by Lauren Lee, our SME and former Security Analyst to a large US-based bank.

Virtual Webinar

Thursday, May 16, 2024 @ 10am PT/1pm ET

Register to attend or view on demand after here.

1 Gartner, Infographic: 2024 Top Technology Investments and Objectives for Retail, October 2023 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.