Governance, Risk & Compliance Impacts of 3rd Party Web Client Interactions

July 17, 2020

GRC IT security frameworks are implemented to facilitate the management of business and other organizational IT governance practices, enterprise risk assessment, issue mitigation, and compliance with applicable regulations and industry standards. GRC ‘regulatory standards’ are implemented as required by government mandates. Compliance with ‘industry standards’ requirements is not imposed by law; these are de facto requirements imposed by various industry-specific organizations to help maintain minimum acceptable levels of professionalism and excellence in performance. One overall directive they both have in common is the concept of “…the protection and preservation of critical information assets and intellectual capital.”

There are numerous IT GRC standards being implemented today and discussing them all now would not be practical. Some of the most influential and widely embraced are as follows:

  1. Payment Card Industry Data Security Standard (PCI DSS)
  2. California Consumer Privacy Act (CCPA)
  3. General Data Protection Regulation (GDPR)
  4. Open Web Application Security Project (OWASP)
  5. Center for Internet Security (CIS)
  6. National Institute of Standards and Technology (NIST)
  7. Mitre ATT&CK

Let’s take a high-level look at each one and discuss the implications of meeting the requirements for each as it relates to the impacts of the injection of 3rd party, side-loaded code and scripts into client-side browser interactions with web application architectures.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a set of de facto industry standard requirements that businesses and other organizations must comply with if they store, process or transmit cardholder data in order to process payment transactions. Compliance with the PCI DSS is mandatory for entities that process payment card data from the five (5) major payment card brands: AMEX, VISA, MasterCard, Discover and Japanese Central Bank (JCB).

The intent of the PCI DSS is to protect critical data elements associated with payment card transactions as follows:

Type I cardholder data (CHD) elements – Primary account number (PAN), cardholder name, and various service codes. The most critical data element of this type is the PAN; the PAN determines the actual scope of PCI DSS requirements compliance. Type I CHD has to be stored or transmitted using strong, industry-standard encryption or mathematical hashing, truncation or masking of the PAN.

Type II cardholder data elements – Card validation values (CVVs) and magnetic track or chip equivalent data that are unique to each card (also sometimes referred to as ‘sensitive authentication data’, SAD). Sensitive authentication data must never be stored following transaction authorization, except in some extremely rare and special circumstances. If it is going to be stored prior to authorization, it must be protected via strong encryption and securely deleted when no longer needed.

Entities processing payment transactions often do so via web-based eCommerce architectures. Per PCI DSS section 6.x, only securely developed and administered applications are considered PCI DSS compliant for processing such transactions. In addition, the PCI DSS requires that such applications be developed and maintained in accordance with OWASP Top 10 requirements (more on OWASP in a bit). https://www.pcisecuritystandards.org

Data Protection And Privacy Regulations

California Consumer Privacy Act (CCPA)

California was one of the first states to enact personal data protection regulations. Many other US states have since followed suit in passing and enforcing their own Personally Identifiable Information (PII) and Personal Health Information (PHI) privacy regulations. Per the CCPA, any business or entity conducting e-commerce transactions, or storing or transmitting PII/PHI via web-based architectures, may do so only if the proper protections are in place.

General Data Protection Regulation (GDPR)

GDPR is a regulation imposed by European Union law that focuses on data protection and privacy with respect to specified PII.

* Note: Some eCommerce applications process data elements deemed GRC sensitive or even restricted via payment or payment re-direction web pages. As such, those web pages should only present and support the services necessary to securely facilitate the payment transaction and nothing more. Additional code, scripts, HTML tags, etc., that are used for gathering business intelligence, browser user interaction telemetry, info sharing with web marketing entities, etc., should not be present on payment or payment re-direction pages. Feroot technologies are unique in the industry in providing visibility and mitigation support for enforcing these requirements.
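One way to check a payment page against the requirement above, as an added example that is not code from the original post or from Feroot: every script tag on the page is classified against an allowlist of the origins needed to complete the transaction, and the same allowlist is turned into a Content-Security-Policy script-src directive so the browser enforces it. The origins and the sample checkout page are constructed placeholders.

```javascript
// Added example (not from the original post): audit the script tags on a
// payment page and flag any source that is not on the allowlist of origins
// needed to complete the transaction. Origins and HTML are constructed.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://shop.example",               // first-party origin (hypothetical)
  "https://js.payment-gateway.example", // hosted payment fields (hypothetical)
];

// Constructed sample checkout page with one side-loaded analytics script
const PAYMENT_PAGE_HTML = `
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://js.payment-gateway.example/v3/fields.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Return the src of every <script> tag, or null for an inline script
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    found.push(src ? src[1] : null);
  }
  return found;
}

// Classify each script as allowed origin, unapproved third party, or inline;
// relative URLs resolve against the first-party origin
function auditPaymentPage(html, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = { allowed: [], unapproved: [], inline: 0 };
  for (const src of extractScripts(html)) {
    if (src === null) { findings.inline += 1; continue; }
    let origin;
    try { origin = new URL(src, allowed[0]).origin; } catch (e) { origin = "invalid"; }
    (allowed.includes(origin) ? findings.allowed : findings.unapproved).push(src);
  }
  return findings;
}

// The script-src directive that makes the browser enforce the same allowlist
function cspScriptSrc(allowed = ALLOWED_SCRIPT_ORIGINS) {
  return `script-src ${allowed.join(" ")}`;
}

console.log(auditPaymentPage(PAYMENT_PAGE_HTML), cspScriptSrc());
```

Any entry under `unapproved`, and any non-zero `inline` count, is a script that needs a documented business justification before it stays on the payment page.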

Cybersecurity Frameworks

Open Web Application Security Project (OWASP)

OWASP is an online affiliation of web application developers that produces methodologies, documentation, tools, and techniques to support industry-wide secure web application development and administrative best practices.

OWASP principles and practices are supported by many GRC frameworks, and compliance with OWASP attributes is mandated by others. For example, compliance with OWASP Top 10 web application vulnerability mitigation requirements is mandatory for in-scope PCI DSS environments. The OWASP Top 10 is a standards-based awareness document for web application developers and administrators. It represents a broad consensus with respect to the most critical risks to applications, based upon a 3-year rolling tally of the most critical web breaches found in real-world web architecture implementations. https://owasp.org

National Institute of Standards and Technology (NIST)

NIST is a physical sciences laboratory and a non-regulatory agency of the US Department of Commerce. NIST supplies industry, academia, government entities and other organizations 1,300+ standard reference materials. In some instances, US organizations require compliance with NIST recommendations. For other entities, alignment with NIST recommendations is considered to be a best practice.

NIST has published a multitude of guideline documents including the 800 series of special publications. This series presents information that is of specific interest to the computer security community. NIST has also published SP 800-95: Guide to Secure Web Services. https://csrc.nist.gov/publications/sp800

Center for Internet Security (CIS)

CIS is a non-profit entity that helps to establish minimum acceptable secure baseline configurations for computer operating systems and other IT system attributes. Minimum secure baseline system configurations are mandated for compliance by some industry standards such as the PCI DSS. https://www.cisecurity.org

MITRE ATT&CK

[Figure: MITRE ATT&CK™ framework, SaaS Matrix – detection and/or protection of the client side against a number of tactics]

The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat hunters, penetration testing teams, and social engineers to better classify attacks and help assess risk. https://attack.mitre.org

About the authors

Ivan Tsarynny is CEO and co-founder of Feroot Security, Member GDPR Advisory Committee at Standard Council of Canada, and is based in Toronto, Canada.
David Mundhenk, CISSP, CISA, PCI QSA, PCIP, is a Principal Security Consultant for the Herjavec Group, and a founding member of the PCI Dream Team.