Description
In a recent notification letter sent to the Massachusetts Office of Consumer Affairs and Business Regulation, American Express (AMEX) announced that information belonging to some of its card members may have been compromised when an unauthorized party gained access to it. The card company made it clear that the incident did not involve systems under its own control; the affected systems were owned and managed by a third-party payment processor that provides payment processing for numerous merchants. The exposed information included card member names, current and previously issued card account numbers, and other card details such as expiration dates. It is unknown how many card members were affected by the incident.
Identify Indicators of Compromise (IoC)
American Express has not revealed how the incident was discovered and has opted not to name the service provider involved, stating that they do not share information about their business partnerships.
Actions Taken
American Express has notified the relevant regulatory authorities and launched an immediate investigation into the breach. The company reassures customers that they will not be held responsible for any fraudulent charges resulting from the third-party incident. Customers are advised to closely monitor their accounts for any unusual activity over the next 12-24 months and to download the AMEX app to receive notifications and security alerts.
Prevention
This incident underscores the critical importance of the Payment Card Industry Data Security Standard (PCI DSS) and highlights the need for companies to work towards adopting the latest v4.0 standard. The standard applies to any organization handling card data, including third-party service providers (TPSPs). One of the new provisions coming into effect is the mandate that all entities with access to the Cardholder Data Environment (CDE) must implement multifactor authentication (MFA) to strengthen access control.
Merchants are required to perform vendor due diligence to ensure that potential vendors are reviewed and selected based on their security practices. PCI DSS Requirement 12.8 addresses vendor management, requiring companies to maintain an up-to-date list of all third parties with access to account data as part of the comprehensive scoping process outlined in Requirement 12.5.2. This scoping process, which must be completed by April 1, is critical for defining the boundaries of your CDE. For detailed information on the upcoming April 1 deadline or advice on transitioning to PCI DSS v4.0, reach out to HALOCK to consult with a PCI DSS expert.