
Top 5 common pitfalls of PCI DSS compliance

All about PCI Compliance

By Mary Fleming. Published 9 months ago. 4 min read

As a company certified as a Payment Card Industry Qualified Security Assessor (PCI QSA), we frequently receive inquiries from organizations that handle card payments about the key challenges to be mindful of when striving to achieve compliance with the PCI DSS (Payment Card Industry Data Security Standard). To assist you, we have compiled a list of the most significant pitfalls to avoid if your organization aims to achieve or uphold compliance with this Standard. Here are our top five (5) recommendations to consider.

Scope creep

The cardholder data environment (CDE), as defined by the PCI DSS, encompasses all the components involved in handling cardholder data, including systems, processes, individuals, and technologies. This also includes systems that provide security and support to the CDE, commonly known as connected-to systems. Unfortunately, we have come across several instances where organizations have overlooked certain aspects of these systems and functionalities, such as domain controllers, key management servers, firewalls, intrusion detection/prevention systems (IDS/IPS), log management, security information and event management (SIEM), antivirus (AV) management servers, and others.

To address this scoping issue effectively, our best advice is to prioritize network segmentation. By isolating the systems within the scope from the rest of the environment, you can significantly reduce the number of supporting systems and functionalities that need to be taken into consideration. This approach allows for a more streamlined and manageable compliance process.

Lack of understanding of where and in what form the organization retains CHD

Developing effective defence strategies to safeguard cardholder data (CHD) held by an organization is virtually impossible without a thorough understanding of the specific data types being stored and the formats in which they are retained. Adhering to the long-standing mantra of Qualified Security Assessors (QSA), "if you don't need it, don't store it," becomes crucial in this regard. If the nature of an organization's services necessitates the retention of certain elements of CHD, it is vital to establish well-defined data retention policies that align with the requirements of the PCI DSS.

Organizations should ensure that data retention practices are clearly outlined, and data is appropriately handled according to PCI DSS guidelines. This may involve deleting unnecessary data, securely storing sensitive information, tokenizing data, or archiving it in compliance with the established standards. By adhering to these principles, organizations can effectively manage and protect CHD in line with the PCI DSS requirements.
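The "where and in what form" question above is usually answered with a data discovery pass. The following is an added example, not code from the original post: it scans a few constructed data stores for PAN-like values, drops candidates that fail the Luhn check, records whether each hit is plaintext or already masked, and reports only a masked reference so the discovery tool itself never writes a full PAN into its output. The file names, contents and the test PANs are all constructed for the example.

```python
import re

# Constructed sample data stores (name -> contents). The card numbers are
# well-known test PANs that pass the Luhn check but belong to no real cardholder.
SAMPLE_STORES = {
    "orders.csv": "order_id,pan,amount\n1001,4111111111111111,19.99\n1002,5555555555554444,5.00\n",
    "receipts.log": "2024-02-01 refund for card 411111******1111 approved\n",
    "support.txt": "customer quoted ticket number 1234567890123456 on the phone\n",
}

# A run of 13-19 digits, or a PCI-style masked form (first six, asterisks, last four),
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19}|\d{6}\*{4,9}\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out ticket/order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(token: str) -> str:
    """Report PANs as first six + last four so the findings list holds no CHD."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def classify(token: str):
    """Return 'masked', 'plaintext', or None when the candidate is not a PAN."""
    if "*" in token:
        return "masked"
    return "plaintext" if luhn_ok(token) else None


def discover_chd(stores=SAMPLE_STORES):
    """List (store, line number, form, masked reference) for every PAN found."""
    findings = []
    for name, text in stores.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in CANDIDATE.finditer(line):
                form = classify(m.group(1))
                if form is not None:
                    findings.append((name, lineno, form, mask(m.group(1))))
    return findings
```

On the sample stores the scan flags two plaintext PANs in orders.csv and one already-masked value in receipts.log, while the 16-digit ticket number in support.txt is discarded by the Luhn check.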

Lack of effective vulnerability management

PCI DSS mandates that organizations conduct both internal and external vulnerability scans, and any identified vulnerabilities must be promptly addressed. Failing to address these vulnerabilities not only hinders an organization's recertification efforts but also exposes cardholder data (CHD) to potential risks and increases the likelihood of a data breach.

For organizations seeking initial compliance, it is necessary to have a single clean scan, meaning no vulnerabilities rated as 'High/Critical,' within the last quarter. Subsequently, to maintain compliance in subsequent years, it is mandatory to have clean scans for each quarter within the previous twelve (12) months. This requirement ensures ongoing vigilance in identifying and resolving vulnerabilities, thereby enhancing the security posture of the organization and protecting CHD from potential exploitation.
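The two scan-cadence rules above (one clean scan in the most recent quarter for initial compliance; a clean scan in each of the last four quarters to maintain it) are easy to track by hand until a quarter slips. The following is an added example, not code from the original post, that evaluates both rules over constructed scan records and names the quarters that still need a clean scan. It assumes calendar quarters and treats the quarter containing the assessment date as the most recent one.

```python
from dataclasses import dataclass
from datetime import date

# A scan is "clean" when no finding rated High or Critical remains open.
FAILING = {"high", "critical"}


@dataclass(frozen=True)
class Scan:
    scanned_on: date
    worst_open_finding: str   # e.g. "none", "low", "medium", "high", "critical"

    def is_clean(self) -> bool:
        return self.worst_open_finding.lower() not in FAILING


# Constructed scan history: the Q4 2023 scan was never remediated and re-run.
SAMPLE_SCANS = [
    Scan(date(2023, 5, 2), "critical"),
    Scan(date(2023, 5, 20), "medium"),    # re-scan after remediation
    Scan(date(2023, 8, 10), "low"),
    Scan(date(2023, 11, 3), "high"),      # left open: Q4 2023 has no clean scan
    Scan(date(2024, 2, 14), "none"),
]


def quarter_index(d: date) -> int:
    """Absolute calendar-quarter number, so quarters can be compared and counted."""
    return d.year * 4 + (d.month - 1) // 3


def quarter_label(q: int) -> str:
    return f"{q // 4}Q{q % 4 + 1}"


def clean_quarters(scans) -> set:
    return {quarter_index(s.scanned_on) for s in scans if s.is_clean()}


def initial_compliance(scans, as_of: date) -> bool:
    """Initial assessment: at least one clean scan in the most recent quarter."""
    return quarter_index(as_of) in clean_quarters(scans)


def missing_quarters(scans, as_of: date) -> list:
    """Quarters in the last four that still lack a clean scan, oldest first."""
    required = [quarter_index(as_of) - i for i in range(3, -1, -1)]
    have = clean_quarters(scans)
    return [quarter_label(q) for q in required if q not in have]


def ongoing_compliance(scans, as_of: date) -> bool:
    """Re-assessment: a clean scan in each of the last four quarters."""
    return not missing_quarters(scans, as_of)
```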

Lack of firewall rule reviews and associated six-monthly segmentation tests

In addition to the six-monthly review of firewall rules, service providers are also required to conduct internal segmentation testing twice a year, as per the PCI DSS requirements. Although organizations typically remember to perform annual penetration testing leading up to the audit, there are instances where segmentation testing is overlooked. These compliance milestones, along with other time-based requirements, should be documented in an operational security "calendar of events" to ensure they are not inadvertently neglected when the time comes.

Maintaining a comprehensive calendar of events helps organizations stay on track with their compliance obligations. By recording and tracking key milestones, such as firewall rule reviews, internal segmentation testing, and other time-bound tasks, organizations can ensure that they are not overlooked and are addressed in a timely manner. This proactive approach aids in meeting the requirements of the PCI DSS and contributes to maintaining a robust security posture.

Lack of commitment to PCI DSS compliance efforts "offseason"

Regrettably, numerous organizations view PCI compliance as a yearly obligation and overlook the importance of integrating the necessary practices into their day-to-day operations (referred to as "business as usual" or BAU processes). To mitigate risks and alleviate the pressure associated with the annual re-compliance process, it is crucial to adopt and manage the PCI program consistently throughout the year, including conducting a regular PCI DSS audit.

This entails various tasks, including staying proactive in terms of security testing, promptly addressing software patches and updates, maintaining robust user management practices, diligently monitoring and logging security events, and effectively managing relationships with third-party vendors. By incorporating these measures into BAU processes, organizations can minimize vulnerabilities, reduce the likelihood of breaches, and foster a culture of ongoing compliance.

Treating PCI as an ongoing commitment throughout the year allows for better risk management and streamlines the re-compliance process. It ensures that security measures are continuously audited, implemented, monitored, and updated, leading to enhanced data protection and a stronger security posture for the organization.


About the Creator

Mary Fleming

I'm an experienced consultant skilled in the Payment Card Industry Data Security Standard (PCI DSS). Strong consulting professional with a Master of Science (MSc) focused on Information Management and Security.
