How Your Contractors Do Business Affects You

How your contractors do business can affect you and that may not always be good

Did you know that when it comes to PCI compliance, any business or person that you contract with to do work must also meet compliance standards? It's true, and it is often overlooked because those people or companies are not your business and you have no direct control over them. Unfortunately, what they do not do (or in some cases do) can hurt you!

CBP

As an example (and one that has nothing to do with payment processing), we look to a recent incident involving US Customs and Border Protection.

Every day thousands of people enter the US legally through airports or by driving across the border. When people enter the country, they are photographed along with their vehicle in an attempt to track people coming into and leaving the US. This includes images of the person as well as their vehicle and license plate. All of this information is stored on CBP's computer systems and is controversial to say the least, attracting the ire of many members of Congress.

Government Contractor Breached

Now of course some government agencies need to hire contractors to do work, just the way you might contract work out. In many cases those contractors specialize in a certain area, and it is cheaper and quicker to hire them than it is to train someone. On May 31 it was reported that one of CBP's contractors, the Tennessee-based Perceptics, suffered a breach, following reports that images of license plates of people crossing the border were being shared on the dark web. The contractor was at first suspended and then blacklisted by the Federal government, so there are consequences for their actions as well.

It was reported that the contractor had images of people and vehicles crossing the US/Mexico border at one particular port of entry, which CBP did not name. Tens of thousands of images were stolen and could affect upwards of 100,000 people, though the images do not contain any sensitive information like pictures of passports. On top of that, the Washington Post later reported that the breach also included budget spreadsheets, government contracts and PowerPoint presentations. CBP's systems were not compromised in this attack.

What Went Wrong

There are two things wrong here. The first is that the contractor had the images in their system without CBP's consent. The second is that CBP is responsible for this information being lost even though it was a contractor's fault. CBP will be tasked with identifying those affected and notifying them that their information was compromised. Of course, Congressional leaders are concerned not only over the breach but also over CBP's proposed facial recognition system, but that is not related to this topic.

If you do work with a contractor, you can be affected by their actions (or inaction) when it comes to PCI compliance. They need to meet PCI standards as well. When you do work with a contractor, their access to your system needs to be limited to what they need to complete their work and nothing more. If they do not need access to your customer records, they should not be given it. If they do not need access to a part of your building, they should not be given it.

In this case the information stolen was just images of license plates, and while that is concerning, it is not life shattering. But imagine if these had been images of those people's passports or other travel documents. All of this happened because a contractor had access to information that they did not need or neglected to delete, and was negligent with their security. CBP will be the one to pay the price for their negligence. Learn from their mistakes and don't let this happen to you.