Top 10 PCI DSS Compliance Pitfalls

Despite the fact that PCI DSS has been in effect for over a decade, and most merchants are achieving compliance, some of the world’s largest retailers have been hit by to data breaches. The sad truth is that achieving compliance doesn’t guarantee data protection, even for large organizations.

For example, more than five million credit card numbers were stolen in 2018 hacks of two major retailers. 

Earlier this year, I hosted a webcast with Jacques Lucas from Terra Verde (one of our partners) covering challenges and best practices for achieving and maintaining compliance with PCI DSS. In his role as a QSA, Jacques has "seen it all" in terms of what commonly causes stumbling blocks for organizations on their compliance journey, which he summarized in a slide covering the Top 10 Pitfalls for PCI DSS Compliance.

As a follow-on from the webcast, I wanted to dive into that area further to provide tips and best practices to help companies address those Top 10 Pitfalls for PCI-DSS. 

1. Improper scoping

The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that handle cardholder data. A common misconception is to overlook the systems that support and secure the CDE, and fail to include them in scope.

Specifically, any systems involved in managing the security of in-scope systems are also considered in-scope, and need to be secured and monitored. Some examples include: IAM servers; Domain controllers; Key Management servers, Firewalls/IDS/IPS systems; Log management/SIEM systems; AV Management servers and more.

Pro-tip: Segmentation and monitoring are the two critical success factors in avoiding the pitfalls associated with improper scoping. Isolate in-scope assets from the rest of your environment with granular network segmentation and access control policies. Additionally, monitor all access activity to validate compliance and respond to emerging risks.

2. Failing to patch systems regularly

PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. The challenge is that patching processes can be very disruptive, and even well-established companies can easily fall behind. For example, in one high profile breach it took the company more than four months to identify an unpatched vulnerability that provided a foothold for their devastating data breach.

Pro-tip: Identifying unpatched assets and applications is a must. Be sure you schedule regular vulnerability assessment scans and prioritize patching and remediation procedures for your in-scope systems. Monitor your in- scope systems with a combination of security controls including host-based and network-based IDS, file integrity monitoring, and SIEM event correlation.

3. Failing to audit access to cardholder data

PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. While many organizations have implemented two-factor authentication, they often fail to audit this access to verify that these controls are working as expected.

In fact, SecurityMetrics reports that insecure remote access was the largest single origin of compromise being used in more than 39% of investigated breaches against merchants.

Pro-tip: Implement two-factor authentication on all of your CDE assets. Schedule periodic audits against these assets, to verify that controls are working properly. Additionally, enable monitoring on all CDE assets to capture a baseline.

Finally, configure your SIEM to trigger alarms for all activity that falls outside this baseline so you can respond quickly to potential threats.

Source: 2017 SecurityMetrics Guide To PCI DSS Compiance

4. Failing to review and monitor audit logs daily

PCI DSS requirement 10 covers all of the implementation details for logging and log monitoring within the CDE. Unfortunately, these logs are worthless unless and until you have a process to review them and technology to support it. By reviewing logs on a daily basis, you’ll discover errors and anomalies that may signal a threat - before they do any damage.

Fact: It takes an organization an average of 206 days to detect a data breach2. If most organizations were successfully reviewing logs on a daily basis, they’d find breaches within hours rather than days (or, months).

5. Failing to shut down third party vendor remote access after use

Third party vendors often request remote access for a variety of valid reasons - to post, download, or transfer data,  to update systems and applications, or to troubleshoot any of the above. The challenge is lack of follow-up once that access is no longer needed, leaving gaping holes in your network.

Pro-tip: Automate the termination of third party access once it’s no longer needed. Regularly review accounts and their access level (especially the privileged ones) to determine if they’re still necessary. Monitor third party access and trigger SIEM alerts when activity is outside the norm. Keep asset inventories continually updated, and document vendor access requests to facilitate follow up.

6. Failing to identify and change vendor default configurations

2084 passwords. That’s the current number of default passwords stored on for over 500 different technology vendors. Failing to change the vendor’s default password leaves the door wide open to cyber criminals keen to steal credit card holder data to sell on the dark web.

Pro-tip: In addition to changing vendor default passwords, here are some additional best practices:

Change the name of default administrator accounts to ones that are unrecognizable as “privileged”

Change Wi-Fi configurations for Wi-Fi routers connected to the CDE (rename default SSID names, encryption keys, and SNMP community strings)

Develop, implement, and assess configuration standards for each of your in-scope asset groups

Disable unnecessary services and protocols

Monitor configuration changes to critical system files with File Integrity Monitoring

Source: Ponemon 2017 Cost of a Data Breach Study commissioned by IBM 

7. Obsession on putting things out of scope

It’s understandable that some IT teams would want to reduce the scope of the CDE, since that can shrink the cost,  time, and effort in achieving, maintaining, and demonstrating PCI DSS. There are a few techniques on reducing PCI DSS scope, such as reducing the number of systems that process cardholder data locally. As an example, tokenization eliminates CHD from being stored locally, within your environment by outsourcing to a payment services provider.

While these scope reduction techniques may help reduce some of your overall risk, they’re not a silver bullet. You’re still on the hook to verify and demonstrate that your customers’ CHD is protected, no matter where it resides or how it’s being managed.

Pro-tip: Don’t waste time obsessing over ways to narrow your exposure. Do the right thing and secure and isolate any systems that handle CHD, secure and monitor them. After all, your QSA may not agree with your narrow scope definition (even after all that hard work).

8. Failing to track where cardholder data is stored

Some merchants may mistakenly believe that outsourcing CHD storage will offset their PCI DSS responsibility. It doesn’t. In fact, even if you outsource payment processing to a third party provider, you’re still responsible for knowing and attesting to where and how the CHD is stored, managed, and accessed. And since some payment processing providers may conduct business globally, it’s essential to verify these details before deciding to outsource to them.

Pro-tip: Regardless of whether you’re storing CHD locally or outsourcing to a provider, ensure that you’re actively tracking where and how it’s being stored, who is accessing it, how they’re accessing it, and when and why they need to. Actively assess security controls with periodic vulnerability scanning, update inventories, and continually monitor activity to respond to threats and verify compliance.

9. Storing sensitive authentication data after authorization

PCI DSS mandates the protection of Sensitive Authentication Data (SAD) which is comprised of full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more. Cyber criminals put a high value on SAD or “magnetic stripe data” because access to this raw data enables them to clone stolen credit cards for resale.

Some merchants who rely on recurring billing may falsely believe that they must store all SAD for this purpose.  Instead, reduce your exposure by using a third party credit card vault and tokenization provider. In this setup, the CHD is replaced with a token during billing and payment authorization procedures.

Fact: Credit card numbers remain in the top 10 most popular types of stolen data traded on the dark web. The value of stolen credit card account numbers varies from $5-$110, with CVV data adding a $5 uplift, full bank info another $15 and a full package of name, SS#, birthdate, and other personal data adding another $303.

Source: Here’s How Much Your Personal Information Is Selling for on the Dark Web

10. Addressing PCI DSS compliance only during annual audit

Let’s face it. PCI DSS compliance is deadline-driven. This can often lull IT folks into only following good monitoring practices when an audit or assessment is approaching. The downside is that you’ll find yourself constantly playing catch-up.

As we know, security and compliance work is never done. Security and compliance are more easily achieved and maintained when they become embedded into your standard operating procedure.

Pro-tip: Consolidate event correlation and threat detection technologies into a single platform for continual assessment and automated compliance status reporting. Implement security platforms that enable continuous monitoring and vulnerability assessment to achieve sustained PCI DSS compliance.

In summary, remember that compliance is more of a journey than a destination. Considering the need for continuous due diligence, look for security approaches that support a rapid, scalable, and orchestrated response. Specifically, multi-functional security monitoring platforms simplify threat detection and response while also helping your team scale to meet the complexities of changing compliance requirements.

Thanks to our valued partner Terra Verde for their input and collaboration in developing this Top 10 list.

Glossary of Terms

PCI - Payment Card Industry

PCI DSS - Payment Card Industry Data Security Standard

PCI SSC - Payment Card Industry Security Standards Council

CHD - Cardholder Data

CDE - Cardholder Data Environment

SAD - Sensitive Authentication Data

AOC - Attestation of Compliance

ROC - Report on Compliance

SAQ - Self-Assessment Questionnaire

QSA - Qualified Security Assessor

ASV - Approved Scanning Vendor

CAV - Card Authentication Value (JCB)

CVV - Card Verification Value (Visa and MasterCard)

PAN CVC - Card Validation Code (MasterCard)

CSC - Card Security Code (Amex)


Article Link: