Apr 4 / Dennis Steenbergen

AMEX suffers Third-Party Data Breach

If you haven’t learned about the new American Express data breach, you can read about it here.  

https://www.mass.gov/doc/assigned-data-breach-number-2024-377-american-express-travel-related-services-company-inc/download

It seems there was a third-party data breach involving AMEX card numbers, but the letter is thin on details. What we do know is that relying on third parties transfers some of the risk away from you, but not the reputational damage, which AMEX is experiencing now. When selecting a third-party service provider it is critical to perform your own due diligence by vetting candidates. Use detailed written agreements that establish a mutual understanding of each party's cardholder data protection controls and safe handling procedures. In fact, the Security Council has published a useful information supplement titled “Third-Party Security Assurance and Shared Responsibilities”. It explains how to engage a prospective payment service provider, for example, and how to scope the services that will be provided. Be mindful of the reputation of the company you are considering, its insurance coverage, chained third parties, previous breaches, business continuity, and financial stability. Essentially, you are required to perform a risk assessment and document the results. Put a non-disclosure agreement in place before the risk assessment begins.

Demand compliance assessments

Even PCI DSS version 4.0 provides two options for third parties to demonstrate that they are compliant. They can either undergo a full annual assessment and provide the evidence to customers, or they can undergo multiple “on-demand” assessments at each customer's request. The latter seems like a lot of overhead; it is simpler to engage a Qualified Security Assessor to perform the annual audit.

To be sure, requirement 12.8 (thank goodness the new version kept the old number) still governs the use of third-party service providers: it is where we ensure that agreements are in place and identify which requirements apply to the customer and which to the service provider. That part has not changed in the new version. I would love to guess which of these items AMEX completed or failed to complete when considering this service provider. Time will tell.