See where merchants had the most trouble with PCI compliance in 2016. 

By: George Mateaki
Security Analyst
CISSP, QSA
To learn more about PCI compliance, read the 2017 SecurityMetrics Guide to PCI Compliance.

Do you have trouble with PCI compliance and filling out SAQs? Well, you’re not alone.

Many merchants still struggle with completing PCI requirements and SAQs. We wanted to see which areas of PCI gave them the most trouble, so we searched our merchant database for the areas where merchants most frequently fail to be compliant.
Here are the top ten SAQ areas where merchants had the most difficulty with PCI DSS in 2016.

SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know

10. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes

Business environments change constantly. Even so, many businesses have difficulty reflecting those changes in their security policy and their PCI DSS compliance. Just as your business may require updates to its technology, your security policies need to be updated as well.

Tips to get compliant
  • Have a set time to review your security policy. Create a recurring calendar event.
  • Include procedures for updating policies with new business changes.
  • Create a signature block that records who reviewed and approved the policy, and the date it happened.

9. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel

The problem businesses have is a lack of security awareness among employees. While they may have a security policy, most of their employees don’t really know about it, or don’t know their own roles in security. It’s important to make sure all security responsibilities are defined.

Tips to get compliant
  • Hold quarterly training on security policies for employees
  • Make sure all policies are available to employees

8. Requirement 9.9.2.a: Verify documented processes include procedures for inspecting devices and frequency of inspections
It’s important to have specific procedures set in place for inspecting devices. Make sure all devices are regularly inspected for flaws and vulnerabilities. This includes patching up vulnerabilities that may appear and making sure everything is documented.

Tips to get compliant
  • Have procedures in place to ensure all inspections are documented
  • Document all procedures regarding device inspection and device security

7. Requirement 9.9.2.b: Verify personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering

This requirement revolves around training employees on the procedures for inspecting devices and making sure devices are regularly inspected. This is particularly helpful in combating social engineering, since social engineers often tamper with equipment and slip in and out unnoticed.

Tips to get compliant
  • Train employees on social engineering
  • Make sure employees are aware of policies regarding devices

6. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually

Businesses should make sure their service providers are also properly protecting card data. Remember that if your service provider is handling cardholder data, they’re responsible for being compliant with PCI DSS. If they aren’t and there’s a breach, your business could be held liable.

Tips to get compliant
  • Put someone in charge of the program to monitor service providers
  • Meet with service providers regularly to go over PCI DSS requirements

5. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Businesses should actively manage service providers and document which providers are responsible for specific parts of PCI DSS requirements. It’s important to make sure everyone is on the same page when it comes to PCI DSS compliance.

Tips to get compliant
  • Organize the documents on your service providers according to responsibility
  • Place someone in charge of handling service providers’ information
  • Create a matrix or spreadsheet that clearly defines PCI responsibilities for both the service provider and the entity receiving the service

4. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.

It’s amazing how many businesses don’t have a set security policy, or if they do, they haven’t used it in years. Creating and maintaining a security policy will help your business to remain secure and keep your data safe from hackers.

Tips to get compliant
  • Assign someone to be in charge of creating and maintaining the security policy
  • Talk to a QSA to determine what’s required from your business in security

3. Requirement 12.10.1: Create the incident response plan to be implemented in the event of system breach.

Many businesses don’t want to think about a data breach, but one may be inevitable. You’ll need to have a plan in place for what to do if a breach happens, and if one does, you’ll be glad you prepared.

Tips to get compliant
  • Determine areas in your business that could be potential targets
  • Tailor the incident response plan to your specific business environment

SEE ALSO: 6 Steps to Making an Incident Response Plan

2. Requirement 12.6: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

The basics of this requirement? Training, training, and more training. It’s crucial that your employees are informed on security and know what the procedures are for handling card data securely.

Tips to get compliant
  • Train employees on security procedures quarterly if not monthly
  • Send out daily security tips through email to help employees keep security on their minds
  • Use multiple channels for security awareness (e.g. posters, meetings, newsletters)

SEE ALSO: Employee Data Security Training: What You Should Do

1. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

While it’s important to have an incident response plan, it’s also incredibly important to make sure this plan is distributed and understood by all personnel. This is where many businesses struggle.

It’s not enough to simply have an incident response plan if no one in your business knows about it. Make sure your employees are aware of the plan and their own roles in it.

SEE ALSO: 6 Phases in the Incident Response Plan

Tips to get compliant
  • Do tabletop exercises to test your employees and work out any issues with your incident response plan
  • Make sure employees are well trained in incident response procedures

Need help with getting PCI DSS compliant? Talk to our experts and see what you need to do!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.