
The Most Common Pitfalls in PCI Compliance

Announcement posted by Cybernetic Global Intelligence 09 Aug 2016

Making PCI Compliance Easier

A person trying to lead a healthy lifestyle, who eats right, exercises regularly and gets enough sleep, should expect their body to respond in a positive manner. However, just like companies that are doing their best to keep customer data safe and hackers at bay, that person can find themselves with a health issue that is not apparent at first, but if left untreated could lead to severe consequences.

Since 2004, PCI Compliance has been the international standard major card companies enforce on their merchants, in an attempt to protect both themselves and the end customers. Made up of 12 main requirements, the PCI Data Security Standard (PCI DSS) is the industry's ‘health check-up’ to find any missing key aspects that could affect the safety of the cardholder data. The consequences of not being PCI compliant can be catastrophic for a business, resulting in fines for the loss of private data, liability for fraud losses incurred against exploited cards, as well as the operational costs associated with replacing the accounts. Furthermore, the damage to the business’ reputation and its own internal costs associated with the breach can take years to fix. So if PCI Compliance is for the ‘greater good’, why do so many companies fail to meet compliance?

One of the main themes we have discovered throughout the years of performing PCI Compliance audits for clients is that companies often treat PCI Compliance as a single event and not as an ongoing process. Businesses attempt to cram all the necessary requirements into only a couple of weeks, instead of attending to their security on a daily, weekly, monthly and quarterly basis, as certain PCI requirements demand. Furthermore, keeping up with updated versions of the PCI DSS is imperative, as new versions often include new requirements that will need to be planned for in advance. For example, the new PCI DSS V3.2, released in April 2016, now requires companies to perform Penetration Testing every 6 months, instead of the usual 12, in response to the increasing risks cardholder data environments face.

 

The most common technical and procedural pitfalls companies meet can be easily sorted under the PCI control objectives:

 

  1. Build and maintain a secure network

    Companies can invest heavily in hardware and software for cyber security; however, something as simple as a misconfigured firewall or weak password could be the crack through which a cyber criminal slips.

  1. Protect cardholder data

    Protecting cardholder data is the ultimate goal of PCI Compliance. However, if recent events such as the Target breach in 2014 have proved anything, it is that businesses are still failing to properly encrypt customer data, both while in transit and on servers. PCI DSS requires the use of strong levels of encryption, because a complex decryption protocol or method can usually be enough to make the cardholder data useless to cyber criminals who do not have the decryption key.

    Also, businesses that do not have good network architecture can find PCI DSS more complicated than it needs to be. A main pitfall in this area is lack of correct encryption, but even more so the unnecessary access to cardholder data. This includes not properly segregating customer data from personal company servers via network segmentation, which not only gives hackers more room to roam, but also increases the cost of PCI Compliance, as the scope will need to include everything that touches the cardholder data.

  1. Maintain a vulnerability management program

    Regular patching of software is not just good practice but one of the requirements of PCI compliance. Unfortunately, it is something that gets overlooked due to its simplicity. Businesses should remember that if it affects the cardholder data, then it is part of the scope and needs to be patched!

  1. Implement strong access control measures

    Privileged user abuse is still one of the main internal and external risks to cyber security. Businesses have bad habits when it comes to restricting access to data. As much as businesses should value and trust their employees, they shouldn’t freely give nonessential team members access, either digitally or physically.

  1. Regularly monitor and test networks

    As mentioned previously, regular tests such as Pen Tests and Vulnerability Assessments are required to be done frequently and on all network elements that concern cardholder data. These tests need to be performed by either an external 3rd party, or a certified internal member who is not part of the PCI assessment (to ensure impartiality). These tests require both time and resources to plan and execute, and often result in a range of identified vulnerabilities that need to be fixed before PCI Compliance.

  1. Maintain an information security policy

    Those who do not plan, plan to fail – companies that are not serious about their security will ultimately find themselves stuck due to poor planning for the future. Security policies are like a medical chart – they are individual to each company and require thorough planning and development by people with intimate knowledge of the company’s internal systems as well as its weaknesses.

 

If you find that this process sounds too complicated for your IT team to carry alone, there are many options available, from PCI Compliant software (PA-DSS) to expert PCI Compliance auditors who can help you plan, test, assess and gain your PCI compliance.