Recently, news has spread about an increasingly common and damaging cyber threat for payments and finance — software supply chain attacks.

These attacks aim to breach victims’ defenses by targeting weaknesses in the supply chain, often focusing on overlooked or low-visibility areas like open-source building blocks and third-party data connections. By attacking the supply chain itself, threat actors can breach not just one, but potentially thousands of companies with a single exploit.

Since the payments industry relies so heavily on third-party connections, supply chain attacks can cause major damage. In this article, we examine the risk software supply chain attacks pose and some ways small, frontline providers can enhance their cybersecurity and minimize exposure while still leveraging the power of third-party integrations.

What Are Software Supply Chain Attacks?

In software supply chain attacks, bad actors target three core areas:

  • The components or processes that go into creating software
  • The third-party systems that integrate with software solutions to increase functionality
  • The connections between a software application and its users

Cybercriminals don’t attack targets directly. Instead, they slip through the cracks by exploiting vulnerabilities in lower-level systems or integrations with vendors outside the victim’s control or focus. 

For instance, rather than directly targeting a financial institution, threat actors will target a common software tool that financial institutions use in their internal operations. Then, when those institutions install or update the software, they unknowingly give the attackers access to their systems. By infiltrating a part of the upstream infrastructure in the supply chain, cyberattackers can potentially breach all end users, instead of just one company.

Supply chain attacks allow cybercriminals to exploit the weakest links in otherwise secure tech stacks — like an open-source dependency a developer uses to speed up time-to-market. That single, low-hanging vulnerability can affect every user who installs or connects to the compromised application. With so many third-party integrations in use across the payments industry, cybercriminals have more opportunities to infiltrate a company’s systems.

[Image: 3CX supply chain attack]

Why Supply Chain Security Is So Relevant to the Payments Space

Software supply chain attacks are an increasingly important topic in the payments, finance and banking industries. That is because of how common third-party connections are, especially as the financial space moves towards multi-service platforms and new fintech integrations.

The payments industry is designed as a series of layers, including card networks, acquiring and issuing banks, large payment processors and frontline payment providers like independent sales organizations (ISOs), payment facilitators (PayFacs) and software companies. 

Each layer connects to the others through software integrations. In addition, most players use third-party solutions (such as security systems, billing platforms and CRM tools) to run their business, resulting in a larger surface area exposed to risk. This means that, at its core, the payments industry is naturally prone to third-party risk. It’s also a highly lucrative target, for obvious reasons, which makes for a dangerous combination.

Today, fintech companies are introducing new, value-added payments technologies at a record pace, making the industry more complex and connected than ever. As a result, it’s crucial for industry professionals and their software partners to be aware of and proactive against the potential risks to the payments supply chain.

4 Ways to Mitigate Supply Chain Risks and Prepare for Future Threats

Most frontline professionals like ISOs, PayFacs and software providers have to rely on third-party integrations for the infrastructure necessary to sell payments and serve merchants. Since the cost and scale of building solutions in-house are simply too great for smaller players to take on, they rely on processors and fintechs.

There is no practical way for small payments companies to isolate themselves from a larger supply chain — nor should they. To stay competitive, it’s important for companies to understand what they’re good at and outsource the rest. Rather than building everything in-house, consider which solutions can be updated or sidelined as the business evolves and the market changes. Staying agile will help mitigate risks and ensure smaller companies find the most suitable partners. 

However, the more vendors a company works with, the more important in-depth risk reviews become. So, how do payments companies minimize the cybersecurity risks associated with software supply chain attacks?

Minimize Vendors to Reduce Third-Party Risks

The most straightforward and effective solution is to minimize the number of third-party integrations and, in turn, potential points of entry. But that’s easier said than done in payments and isn’t always sustainable long-term, especially since the best way to compete is to offer comprehensive, one-stop services. Many key functions depend on third-party integrations — from gateways to fraud screening to underwriting and onboarding. All are critical for payment providers and the services they resell to merchants.

To get around this issue, front-line payment companies should:

  • Take the time needed to get to know their vendors in-depth
  • Only partner with the number of third parties their risk mitigation and review processes can keep up with

Over time, this will reduce exposure to systems with security flaws, lessening the risk of successful supply chain attacks.

Vet Potential Partners Thoroughly (and Focus on Security)

Minimizing connections by partnering with more feature-rich providers is moot if those providers have poor security. Because of that, it’s crucial to carefully vet any potential vendor that requires software integration or installation.

When selecting a payments partner, ISOs, PayFacs and software providers should take a “zero trust” approach. There is nothing wrong with grilling a potential partner over security, including potential supply chain weaknesses. The right partner will be happy to answer any questions and go into detail on security. They’ll also appreciate your proactive attitude towards security — something that benefits every level of the payments space.

Look for Ways to Reduce Scope and Minimize Liability

A big benefit of working with partner platforms is that, in some cases, they can shift liability for cyberattacks and data breaches away from smaller companies. For example, a company that stores credit card information is liable if its systems are accessed due to an upstream supply chain exploit. But what if they didn’t store sensitive payments data at all?

Using services like off-site data storage and network tokens can eliminate the need to hold or handle customer payment data. In that case, even if a provider was the victim of a supply chain attack, there would be no customer data to steal. And if theft occurs on the partner’s side — where the data is — the partner bears the responsibility and liability.

Leveraging partner solutions that reduce your security scope and shift liability away from your company is a great way to hedge against potential cyber threats. It may seem counterintuitive that third-party tools can reduce third-party risk, but when it comes to data, the best way to protect it is by not having access to it.

Take PCI-DSS Responsibilities Seriously

As of April 1, 2024, PCI-DSS 4.0 is mandatory industry-wide. The new version of the Payment Card Industry Data Security Standard (PCI-DSS) includes important updates to areas that are highly relevant to supply chain attacks, including authentication, continuous compliance and monitoring, password management, encryption management, application programming interface (API) security and more.

Beyond the immediate risk of hefty fines for failing to remain compliant, frontline payment companies need to stay fully up to date with the most recent release of PCI-DSS 4.0 to minimize the risks of supply chain attacks, both on their own systems and upstream with their partners.

Unfortunately, PCI compliance is a complex topic, and many smaller payments and software companies lack the in-house expertise necessary to manage it. In those cases, it’s critical to have a partner that can either provide expert guidance or absorb as much PCI burden as possible through secure products.

To learn how partnering with NMI can streamline compliance and significantly reduce your exposure to cyber risk, reach out to a member of our team today.
