
Failing a PCI Assessment

8 sure-fire ways to go down in a blaze of glory

Businesses that store, process, or transmit credit card data are required to prove PCI compliance every year. For seasoned PCI veterans, this process often proves challenging.

If you are new to the Payment Card Industry’s Data Security Standard (PCI-DSS), compliance can be a daunting process added to your already existing task list, leaving limited time to prepare and execute.

Whether it’s the first PCI Assessment, or yet another annual assessment, not keeping the program current or possessing a solid understanding of the PCI controls can earn you an “epic fail.”

Failing a PCI Assessment may not cause your business to come to a grinding halt, but it will likely have many negative side effects, such as fines or losing the ability to process credit cards.

So without further ado… here are eight ways to shoot your PCI assessment in the foot, with some suggestions for overcoming each of them.

 

1.) Poor Vendor Management
Build the Bridge

How is your relationship with your payment processor? Who watches all your sensitive hardcopy get pulverized while the document shredding truck sits at your site? Are they PCI compliant? Read the papers: many breaches are vendor-caused!

 

2.) Lack of Key Management
Keep the key close to your heart

Where are your car keys right now? In your pocket? On the desk? Jacket pocket? That spare house key still in the plastic rock next to the porch? That isn’t fooling anyone.

What about your encryption keys for your cardholder data? Do you know where they are stored? Have you changed them since Bob, your network engineer, left nine months ago? Not properly managing your encryption keys can spell disaster for you during an audit, but worse, could allow nefarious employees and hackers access to sensitive cardholder data.

 

3.) Failing to Annually Review Documentation
When was the last time you took a peek?

The last time you reviewed your policies, you were probably trying to cure a bad case of insomnia. Aside from being a PCI requirement, an annual policy review can help a company realize that they aren’t doing things by their own rules, or realize that there could be a more efficient way to perform a task. A best practice is to annotate, complete with dates, reviewer initials and notes about what, if anything, was changed.

 

4.) Not Classifying Data
For your eyes only

While we are touching on stimulating topics, nothing says sexy like data classification. Do your employees know that the reports with plain text credit card numbers should be locked up when they hit the bar for lunch? Sure, your network diagram is a Visio Rembrandt, but should your network engineers have it framed above their mantle or be using it as cubicle wallpaper? PCI requires you to classify data so that it may be handled in a proper fashion. So create a Data Classification scheme, train your team, and put controls in place to verify they are adhering to the policy! A clean desk program has nothing to do with a bottle of 409 and paper towels! It’s about making sure your staff knows to lock up “sensitive data” when away from their workspace, and to use confidential recycle bins and cross cut shredders.

 

5.) Unsecure Data Transmission
Mayday, Mayday, Are you there?

How are you transmitting your sensitive data? If there is a legitimate business need to transmit primary account numbers then so be it, but make sure your cryptography is up-to-date. If you’re still using SSL version 2.0, then you’re in the wrong. The SSL V2.0 cipher was found to have flaws and was deemed insufficient a few years back. SSL v3.0 is considered strong cryptography, but that can always change, so make sure you stay ahead of the trends.

And you thought unsecure data was data lacking self confidence, ha!

 

6.) No Risk Assessment
Risk not, Want not

The days of having a Risk Assessment on the back of a bar napkin are gone. PCI DSS V2.0 has always required a risk assessment (RA), but as of September 12, 2012 the Special Interest Group (SIG) provided clarification requiring a formal RA. Formerly those assessments took more shapes than spandex stretched over a large woman at Wal-Mart. So update your RA now. Feel free to review SIG conclusions discussed in previous blogs.

 

7.) Lack of Patch Management
Aye, Aye Mate

How do you handle your patches? Not the one over your eye, Jack Sparrow. PCI requires that critical patches are installed within 30 days of release. You need a documented process to ensure that they are rolled out within the allotted timeframe. A lot of them are tested first and then rolled out incrementally, or even all at once. The last thing you want is to cripple your business because of a patch that breaks a process unintentionally.

 

8.) Testing the Incident Response Plan when an Incident Occurs
It’s not the size; it is how you use it

What if that patch breaks your system? How is your Incident Response Plan (IRP) working? Have you tested it recently? Do you even have one?

Not testing your IRP annually and performing lessons learned is another great way of getting your business on the “PCI blacklist.” Additionally, pairing a penetration test with your IRP test will better prepare you for a ‘live’ incident. It will also increase efficiency.

 

The Bottom Line

There are several ways that you can fail your PCI-DSS assessment, but have no fear, help is only a phone call away. You can reach out to a third party to assist in any of the aforementioned areas and other PCI-DSS compliance questions. If you are looking to add a new payment card stream, or if you have questions on reducing costs and remaining compliant, take a look at advisory services or continual compliance meetings as a possible solution. If you are unsure if your current risk assessment is PCI worthy, SecureState can help.

Ultimately, taking the necessary steps and being proactive throughout the year is the best thing that you can do to maintain your compliance, but if you sit there and wait until a month before your assessment, then failure often becomes your only option. PCI Compliance isn’t just passing an annual PCI Audit; it is a risk-based program to safeguard credit card data.

It’s the right thing to do for compliance, the right thing to do for limiting your risk – financial and reputation, and it’s the right thing to do for your customers.

Comments...

    10 months ago

    Hi Jason,
    This is very well put!

    The way you have written this is excellent. It puts in plain English what is avoided by most or for some reason gets a half-hearted effort.

    In your opinion, which do you think is the bigger barrier for organisations doing something like data discovery and classification – Penny pinching or increased work load?

    Viv

      10 months ago

      Thank you for your kind words. Depending on management buy in, cost would be a bigger barrier as opposed to increased workload. Budgetary concerns, in my opinion, always take precedence as you can push individuals and delegate tasks as needed to help with workload issues.
