Top 5 common pitfalls of PCI DSS compliance

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
8 Aug
2022

Table of Contents

As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we are often asked by organisations which process card payments what are main pitfalls to avoid in complying with the Payment Card Industry Data Security Standard (PCI DSS).  Well, here’s our top five (5) pitfalls to avoid if your organisation is looking achieve or maintain compliance with the Standard.

Scope creep

The PCI DSS defines the cardholder data environment (CDE) as all of the systems, processes, people and technologies that handle cardholder data and this includes systems that secure and support the CDE (i.e. connected-to systems).  On numerous occasions, we have found organisations that have overlooked some aspect of the systems and functions including domain controllers, key management servers, firewalls, intrusion detection / prevention systems (IDS/IPS), log management, security information and event management (SIEM) and antivirus (AV) management servers, amongst others.  Our best advice on addressing the issue of scoping is to maximise your network segmentation.  Isolating the ‘in-scope’ systems from the rest of the environment will greatly reduce the number of supporting systems and functions you will need to consider.

Lack of understanding where and in what form the organisation retains CHD

It is impossible to design defence strategies on how to protect the CHD stored by an organisation if there isn’t a comprehensive understanding of what type of data is being held and in what format it is retained.  As per the age-old QSA mantra ‘if you don’t need it, don’t store it’.  If the type of service that an organisation provides dictates that some elements of CHD must be retained, ensure that data retention is well defined and that data is deleted/stored/tokenized/archived according to PCI DSS requirements.

Lack of effective vulnerability management

PCI DSS requires organisations to perform internal and external vulnerability scans and any vulnerabilities that are found need to be addressed.  Failure to do so not only complicates an organisation’s attempts to recertify, but it can leave CHD vulnerable and increases the chance of a breach. Organisations looking to comply for the first time only needs to have one clean scan, i.e. no ‘High / Critical’ rated vulnerabilities from the last quarter.  In order to achieve compliance in subsequent years, a clean scan from each quarter from the previous twelve (12) months is mandatory.

Lack of firewall rule reviews and associated six-monthly segmentation tests

In addition to reviewing firewall rules every 6 months, service providers must also conduct internal segmentation testing twice a year.  While most organisations remember to perform the annual penetration testing leading up to the audit, we often come across occurrences of segmentation testing being neglected.  These compliance milestones, along with the many other time-based requirements, should be recorded in an operational security ‘calendar of events’, to ensure they are not overlooked at the appropriate time.

Lack of commitment to PCI DSS compliance efforts ‘offseason”

Unfortunately, many organisations regard PCI as a ‘once a year’ exercise and fail to incorporate the necessary behaviours into their ‘business as usual’ (BAU) processes.  To minimize risk and to reduce the stress of the annual re-compliance process, the PCI programme should be followed and managed throughout the year.  This includes, amongst others, staying on top of security testing, patching, user management, logging and 3rd party vendor management.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)
Thumbnail of the Blog Illustration
Information Security
Published on
14/3/2023
Preparing For a PCI DSS v4.0 Assessment

URM is sharing its experiences on how the changes to the PCI DSS v4 affect the assessment process and how organisations can best prepare for the differences.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
PCI DSS Reduction and Assessment

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
13/6/2022
PCI DSS v4 – Changes at a Glance

After several years wait, and to surprisingly little fanfare, the PCI SSC released the new version of the PCI Data Security Standard (DSS).

Read more
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.