Learn which areas of the PCI DSS businesses have the most trouble with.

By: Mike Riesen
If you’re struggling with some parts of the PCI DSS, you’re not alone. When it comes to PCI compliance, businesses are often doing great with some requirements . . .  but not so great with others.

Unfortunately, not being compliant in some aspect of PCI DSS leaves your business vulnerable to potential attacks. According to our forensic data, in nearly every case of investigated breached merchants in 2015, the vulnerabilities attackers used to gain access to merchant systems were covered by specific sections of the PCI DSS. In other words, if the merchant had been compliant with those sections, the breach likely wouldn’t have happened.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

Keep in mind that being compliant with PCI DSS requirements doesn’t guarantee that your company will never get breached. But compliance will make sure you’ll have the tools, processes, and procedures in place to help your organization identify, respond to, and mitigate those types of events quickly.
Where in the PCI DSS do businesses have the most problems?
Here are the top ten areas where merchants struggle to become compliant.

SEE ALSO: Top 10 PCI SAQ Areas Where Merchants Struggled

1. Requirement 12.5.3-12.6.a: Establish and document security incident response procedures, administer user accounts, and monitor/control access to data.

Surprisingly enough, many businesses have trouble establishing security incident response procedures. Many businesses don’t realize that a data breach is a very real danger and they need to be sufficiently prepared, should it happen.

SEE ALSO: 6 Steps to Making an Incident Response Plan

Another common problem is implementing limited access, that is, restricting which employees can reach valuable data. Many businesses don’t have a defined policy for which employees should have access to sensitive data. This hurts them because employees may be granted access they don’t need, leaving vulnerabilities in the business’s card data environment.

Getting compliant
Have a current incident response plan ready to go if and when your business gets breached. Make a list of employees that should have access to your card data, and set up role-based access. Clearly identify and document the roles and responsibilities of the people on your team who are in charge of breach response.

SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe

2. Requirement 12.10.1a: Verify the incident response plan

It’s not enough to have an incident response plan; you need to test it and update it based on the results of those tests and of your annual risk assessment. If your plan is just sitting on the shelf collecting dust, it’s not going to do you any good.

By testing your incident response plan, you make sure it will cover all aspects of handling a data breach in your business.

Getting compliant
Make sure you’re testing and updating your response plan regularly. Part of updating includes verifying responsibilities, procedures, processes, and legal requirements.

3. Requirement 9.9.2.b: Verify personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering.

No device is secure indefinitely. Have procedures in place for regularly inspecting your payment devices and any other devices that handle card data. All it takes is one social engineer tampering with a device or installing malware on it to steal data. Regular inspections that confirm no machine is malfunctioning or has been tampered with add a real layer of security.

Getting compliant
Regularly inspect every device that receives, stores, or transmits card data, including your payment devices and any other equipment that handles card data.
Keep in mind, these procedures won’t do much if your employees aren’t following them. Make sure all employees are trained in these procedures.

4. Requirement 12.1: Establish, publish, and maintain a security policy 

Many companies do have security policies, but rarely update them or actually use them. As a result, there is no clear standard for security, which can open up many vulnerabilities in your business.

Getting compliant
You need to have a policy set in place that handles everything your company should be doing to secure card data. Your policy can include:
  • incident response policy
  • employee training policy
  • firewall policy
  • physical security policy
  • business continuity policy
  • acceptable use policy
  • data retention and storage procedures
  • SDLC (Secure Development Life Cycle)
When creating your security policy, keep your business’s needs in mind. For example, you may need to focus more on your employee training policy if you have many different employees.

SEE ALSO: The Cost of a PCI Security Policy: What You Need to Know

5. Requirement 1.1.3.a: Establish a diagram that shows all cardholder data flows across systems and networks. 

You can’t protect your data if you don’t know where it is. Many businesses are storing unencrypted card data in places they don’t even realize, which makes it easier for hackers to find and steal that card data.

Getting compliant
It’s a good idea to diagram and document cardholder data flows. A cardholder data flow diagram shows where your card data enters, is stored, and leaves your business environment.  Diagram all the systems, networks, and employees that handle card data, and make sure you’re securing it. Have your diagram include descriptions of the transport mechanisms used to move card data from one location to another.

Some places that may store card data include:
  • Computers/laptops
  • Mobile devices
  • Servers
  • Error logs
  • Database backups

SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)

6. Requirement 9.9.2.a: Verify documented processes include procedures for inspecting devices and the frequency of inspections.

Imagine if one of your POS devices is infected with malware that steals your customers’ card data. If you aren’t regularly inspecting and documenting these devices, the infected device could go months without being discovered, and you would lose far more data.

It’s important to document these inspections to limit your liability should a breach occur. Documented inspections also help you detect and prevent breaches through tampered POS devices.

Getting compliant
Make sure your documentation process includes these inspection procedures. Also list how often these devices are inspected, and the results of these inspections.
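
Requirements 9.9.2.a and 9.9.2.b (items 3 and 6 above) both come down to keeping a record per device and acting on it. The Python below is an added example, not code from the post or from SecurityMetrics; the device inventory, model names, serial numbers and inspection records are all constructed. It takes the most recent inspection on record for each device in the inventory and flags devices that are overdue for inspection, were never inspected, show a different serial number than the one on file (a sign of a swapped device), or had damaged tamper seals.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Device:
    device_id: str
    model: str              # hypothetical model names below, not real products
    serial: str
    location: str
    inspect_every_days: int # documented inspection frequency for this device


@dataclass
class Inspection:
    device_id: str
    inspected_on: date
    inspector: str
    serial_seen: str        # serial read off the device during the inspection
    seals_intact: bool      # tamper-evident seals/labels undamaged
    notes: str = ""


# Constructed inventory and inspection records; every value is made up.
INVENTORY = [
    Device("POS-01", "TERMINAL-MODEL-A", "SN-A1001", "Register 1", 30),
    Device("POS-02", "TERMINAL-MODEL-A", "SN-A1002", "Register 2", 30),
    Device("PIN-03", "PINPAD-MODEL-B", "SN-B2003", "Service desk", 30),
    Device("POS-04", "TERMINAL-MODEL-A", "SN-A1004", "Back office", 30),
]

RECORDS = [
    Inspection("POS-01", date(2015, 5, 20), "jdoe", "SN-A1001", True),
    Inspection("POS-01", date(2015, 6, 20), "jdoe", "SN-A1001", True),
    Inspection("POS-02", date(2015, 5, 1), "asmith", "SN-A1002", True),
    Inspection("PIN-03", date(2015, 6, 25), "asmith", "SN-B9999", True,
               "serial label looks newer than the others"),
]

# Date the review is run as of (constructed, so the example is reproducible).
AS_OF = date(2015, 7, 1)


def latest_inspection(device_id: str, records: List[Inspection]) -> Optional[Inspection]:
    """Most recent inspection record for a device, or None if it was never inspected."""
    mine = [r for r in records if r.device_id == device_id]
    return max(mine, key=lambda r: r.inspected_on) if mine else None


def review_inspections(inventory: List[Device], records: List[Inspection],
                       today: date) -> List[str]:
    """Flag devices that are overdue, never inspected, swapped, or show broken seals."""
    findings: List[str] = []
    for dev in inventory:
        last = latest_inspection(dev.device_id, records)
        if last is None:
            findings.append(f"{dev.device_id} ({dev.location}): no inspection on record")
            continue
        age = (today - last.inspected_on).days
        if age > dev.inspect_every_days:
            findings.append(f"{dev.device_id} ({dev.location}): overdue, last inspected "
                            f"{age} days ago (limit {dev.inspect_every_days})")
        if last.serial_seen != dev.serial:
            findings.append(f"{dev.device_id} ({dev.location}): serial mismatch, expected "
                            f"{dev.serial} but saw {last.serial_seen}; possible device swap")
        if not last.seals_intact:
            findings.append(f"{dev.device_id} ({dev.location}): tamper seals not intact")
    return findings


if __name__ == "__main__":
    for line in review_inspections(INVENTORY, RECORDS, AS_OF):
        print(line)
```

With the constructed data, POS-01 is clean, POS-02 is overdue, PIN-03 reports a serial that does not match the inventory, and POS-04 has never been inspected. The same records double as the documentation an assessor asks for: who inspected what, when, and what they found.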

7. Requirement 12.3.3: List devices and personnel with access to data

Part of keeping track of your card data is keeping track of everything and everyone that processes and stores it. This helps prevent confusion and discourages social engineering. A social engineer will have a harder time stealing card data if you’re monitoring who can access it.

Getting compliant
Make a list of all the devices and employees in your business that have access to data. Keep this list updated as you gain and lose employees, and as you receive and discard devices.

8. Requirement 12.3.5: List acceptable uses of the technology in use

This requirement has you establish and define the acceptable uses of technology in your environment. For example, you may have a policy that says employees shouldn’t access the internet from devices that store card data.

Establishing procedures on technology use can prevent a “back door” from being opened to attackers. It also helps you to manage and control gaps in configurations and operational controls, preventing exploitable vulnerabilities.

Getting compliant
Document and list all acceptable uses of the technology in your business environment. Train all employees on these procedures, and be clear on what is and isn’t allowed for devices, especially those that interact with card data.

9. Requirement 1.2.1.b: Examine firewall and router configurations to verify traffic is limited to what is necessary for the cardholder data environment.

It’s not enough to simply install a firewall; you need to configure it and make sure the traffic you’re getting is only what’s needed. Reducing traffic in your cardholder data environment reduces the amount of potential vulnerabilities. Your firewall implementation should include a rule that denies all inbound and outbound traffic that does not have a justifiable need.

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

Getting compliant 
Verify that your firewall is configured properly and limits traffic to only what’s needed. Scheduling quarterly inspections is a good idea to make sure it’s still working correctly.

SEE ALSO: How to Configure a Firewall in 5 Steps
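
Added example (not from the post or from SecurityMetrics), assuming a Linux host in the cardholder data environment whose firewall is iptables: the script parses iptables-save output, checks that each built-in chain denies by default (or ends in an explicit deny rule), and lists ACCEPT rules that carry no port, connection-state or loopback restriction. Both rulesets and every address in them are constructed; the weak one shows the "just install a firewall" state the section warns against, and the hardened one the deny-all-by-default posture it asks for.

```python
from typing import Dict, List, Optional

# Constructed rulesets in iptables-save format (made up for this example).
# The weak one accepts by default and has a catch-all ACCEPT from 10.0.0.0/8.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# The hardened one denies by default and only opens what the CDE host needs:
# replies to its own connections, SSH from one admin subnet, HTTPS to the
# payment gateway and DNS to the internal resolver (addresses are made up).
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.10.9.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.10.9.53/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
DENY_TARGETS = ("DROP", "REJECT")


def parse_iptables_save(text: str) -> Dict[str, dict]:
    """Return {chain: {"policy": ..., "rules": [token lists]}} from iptables-save output."""
    chains: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                       # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):                   # "-A INPUT ... -j TARGET"
            tokens = line.split()
            chains.setdefault(tokens[1], {"policy": "-", "rules": []})["rules"].append(tokens)
    return chains


def _option(tokens: List[str], flag: str) -> Optional[str]:
    """Value following a flag such as -j or -i, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def is_broad_accept(tokens: List[str]) -> bool:
    """ACCEPT rule with no port, no connection-state and no loopback restriction."""
    if _option(tokens, "-j") != "ACCEPT":
        return False
    if "--dport" in tokens or "--ctstate" in tokens:
        return False
    if _option(tokens, "-i") == "lo" or _option(tokens, "-o") == "lo":
        return False
    return True


def audit_ruleset(text: str) -> List[str]:
    """Check the deny-by-default posture PCI DSS 1.2.1 asks for and list broad accepts."""
    chains = parse_iptables_save(text)
    findings: List[str] = []
    for name in BUILTIN_CHAINS:
        chain = chains.get(name)
        if chain is None:
            findings.append(f"{name}: chain not present in ruleset")
            continue
        rules = chain["rules"]
        ends_with_deny = bool(rules) and _option(rules[-1], "-j") in DENY_TARGETS
        if chain["policy"] not in DENY_TARGETS and not ends_with_deny:
            findings.append(f"{name}: default policy {chain['policy']} and no final deny rule")
        for tokens in rules:
            if is_broad_accept(tokens):
                findings.append(f"{name}: broad ACCEPT with no port/state limit: {' '.join(tokens)}")
    return findings


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"[{label}] {len(audit_ruleset(ruleset))} finding(s)")
        for f in audit_ruleset(ruleset):
            print("  -", f)
```

On the weak ruleset the audit reports all three chains for accepting by default plus the catch-all ACCEPT from 10.0.0.0/8; the hardened ruleset comes back clean. Running a check like this on a quarterly schedule, against `iptables-save` output captured from each CDE host, is one concrete way to do the regular inspection the section recommends.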

10. Requirement 1.1.3.b: Make sure a process exists to keep the cardholder data flow diagram current.

Like anything you document, it’s important to update your cardholder data flow diagram regularly. Businesses change and so do policies, networks and methods. Your diagram needs to reflect those changes, if any are made to your cardholder data flow. For example, if you change where the card data is stored, you’ll need to reflect that in your diagram.

Getting compliant
Establish a regular schedule for updating your card data flow diagram: quarterly, or whenever there’s a significant change to your card data environment.

Getting PCI compliant can take time, and every business struggles. Make sure you are compliant with these requirements, and you’re already doing better than many businesses.

Need help getting PCI compliant? Talk to us! 

Mike Riesen is a Security Analyst and has been with SecurityMetrics for over 2 years, doing PCI DSS assessments. He is a graduate from the University of Utah, and has worked in the IT industry for over 15 years.

SecurityMetrics Guide to PCI DSS Compliance