How most service providers fail PCI DSS audits.

This article was also featured in the TSYS Ngenuity Journal

Mark Miner, SecurityMetrics
By: Mark Miner
PCI security assessors visit service providers to poke through every nook and cranny of company policy, documentation, and network security for PCI compliance. Ninety-nine percent of the time, we find problems, even in well-established organizations employing experienced IT staff.

Most organizations get the obvious requirements, like encrypting card data. However, some important aspects of PCI are often missed. I’ve used my experiences over the last six years to compile a list of top PCI security mistakes service providers make. Hopefully, it will aid you in your quest for data security and PCI compliance.

SEE ALSO: What are Service Provider Levels and How Do They Affect PCI Compliance?

1) Not understanding your scope . . . and what data you’re storing

A group of blind men come upon an elephant in the middle of the road. Each touch one part of the elephant to figure out what it is. One touches the elephant’s trunk and thinks it’s a snake. One touches the elephant’s leg and thinks it's a tree. One touches the elephant’s ear and thinks it's a fan.
PCI security

Departments sometimes act like the blind men when it comes to defining their PCI scope. Chief technology officers decide which Self-Assessment Questionnaire (SAQ) applies without consulting other departments. IT departments make network decisions without understanding segmentation. Upper management makes plans for a new POS terminal without advising IT of their new responsibilities. In many instances, a view at the whole picture is neglected.

SEE ALSO: PCI 3.0: What You Need To Know

Just the other month, I spoke with an IT administrator who assured me the encrypted table in their department was the only place the company stored card data. Period. A few days later while talking to a help desk manager, I found an application that allowed customer service agents to type unencrypted credit card data in a comments field. See why interdepartmental communication is crucial to understand your PCI scope?

To finish the story, it’s only after the blind men collaborate that they figure out what they’re touching is an elephant. In order to correctly scope your environment, all departments in the organization must collaborate.
If all departments aren’t involved in understanding and defining your card data environment, you’re left with a partial picture and insecure environment.
Tweet: If all depts. aren’t involved in card data environment definition, you’re left with a partial picture: http://bit.ly/1zJj2dOTweet

2) Thinking that policy is just paperwork

When people think encryption, they think security. When people think policies and procedures, they think boring paperwork.

A few years ago, I helped a large company through their painful first year assessment. The next year, they transferred the card environment responsibility from one technical group to another. The problem was, they hadn’t communicated policies to the new group, who thought the environment was more complicated than necessary. So, they removed all network segments controlling card data security. Because someone forgot to clearly communicate policy to this new IT group, they had to go back and re-architect everything, making their second security assessment as painful as their first.

Having clearly written policies and communicating those continuously to employees is a critical part of having a secure environment. If corporate management pushes the culture of PCI security through company policies, it gives the “why” that guides employee decisions. If there is no “why”, people may fail to correctly implement controls, or may implement them sporadically and leave gaps in security.

3) Failing to sufficiently secure inbound and outbound access to the card environment

Breaches resulting in loss of cardholder data are rarely caused by one looming problem. Multiple issues like overly broad permissions, insecure remote access, and lack of file integrity monitoring all have a part in leading to card compromise. This is how it is with most breaches.

A business’s last line of defense is its access controls (also known as firewall rules.) Most threats can be blocked by simply and selectively restricting access to places in the card environment.

Unfortunately, secure access controls are rarely set up correctly. In fact, I see insecure inbound and outbound firewall rules in 90% of first time assessments. It’s common for people to make their outbound access rules overly permissive, or protect the wrong systems from malicious inbound traffic. When considering access controls, don’t forget the outbound rules. If correctly configured, these rules can help prevent attackers from getting card data out of the environment.

4) Not keeping systems up-to-date

Hackers and their sneaky tools find ways into organizations through vulnerabilities. The best way to avoid these vulnerabilities is by installing software updates that contain essential PCI security enhancements.

I conducted an assessment of a merchant whose main POS system server hadn’t been patched for 12 years—12 years! Needless to say, the system had a vast number of vulnerabilities. He hadn’t applied patches because he was convinced patching the system would break things in the process. Eventually, he had to replace the entire system because getting to current patch levels would be too difficult.

SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

5) Assuming log monitoring is only for forensic investigators

Companies are great at monitoring logs for performance, but when it comes to log monitoring for security, they really need to step up their game.


Most people incorrectly view logs as important only after an event has occurred. What they may not realize is if they carefully monitor logs they can stop a breach before it even happens, or at the very least limit data loss.

SEE ALSO: Why Encryption is (Sometimes) Not Enough

A colleague of mine examined a business’s logs as part of their first time assessment. While reviewing intrusion detection system logs, he realized the company was in the process of being breached! It was truly lucky that my colleague sampled those logs. Because of the company’s lack of log monitoring, they probably wouldn’t have caught it until customers began complaining of stolen cards. In this situation, they had the notification tools in place, but weren’t bothering to watch them.

You can do it!

Without proper preparation, most organizations would fail their first PCI assessment. PCI compliance is difficult. There are many security aspects that service providers might never have considered. If service providers fix the five top problems I’ve listed, they’ll be way ahead of most, and much more resistant to compromise.

Mark Miner has been a Principle Security Analyst at SecurityMetrics for over 6 years. He is responsible for overseeing the activities of the company’s assessment teams and has completed over 80 PCI DSS and PA-DSS security assessments.
Current Hacking Trends Ebook
Wednesday, December 3, 2014