Companies that store, process, or transmit credit card data must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). However, implementing the required controls and reporting on them per PCI protocols can be difficult to manage internally, and some companies require external validation. Companies can overcome these PCI compliance challenges with the help of a Security Standards Council (SSC) approved third party.
Overcoming the Biggest PCI Compliance Challenges
The PCI DSS framework is one of the most widely applicable cybersecurity regulations, as almost all companies that process credit card or debit card payments will need to comply.
There are two areas to consider for overcoming the biggest PCI DSS compliance challenges:
- The top challenges facing companies that need to implement all the PCI DSS controls
- Best practices for overcoming PCI DSS compliance issues and ongoing adherence
Top PCI Compliance Challenges Facing Businesses
Implementing any compliance framework to the fullest extent is challenging; failing to do so, however, can be more painful in the long run. For example, the Founding Members of the PCI Security Standards Council (SSC), namely VISA, Mastercard, Discover, JCB International, and American Express, can levy enforcement penalties on companies that don’t comply. These may include fines for data breaches or revocation of credit card processing services.
Most critically, placement on a Terminated Merchant File (TMF) like Mastercard’s can damage your company’s reputation. TMF placement and the resulting reputational harm can cause severe and long-term losses that dwarf PCI DSS compliance challenges.
The most significant risk, then, is not complying at all.
Challenge #1: Assessing Your PCI Compliance Needs
The first PCI compliance challenge is determining your company’s compliance and reporting requirements. The SSC’s Founding Members determine the PCI Levels that define a given company’s compliance burden according to annual transaction volume.
Per VISA’s guidance, the Levels break down as follows:
- PCI Level 4 – Merchants who process fewer than 20,000 annual e-commerce transactions must submit just a Self-Assessment Questionnaire (SAQ) form annually.
- PCI Level 3 – Merchants who process between 20,000 and one million annual e-commerce transactions submit a SAQ and Attestation of Compliance (AOC) annually.
- PCI Level 2 – Merchants who process between one and six million transactions annually across all channels (including e-commerce) must submit a SAQ and an AOC annually.
- PCI Level 1 – Merchants who process over six million annual transactions across all their channels must submit their SAQ and a Report on Compliance (ROC) annually.
Note: The controls that companies need to implement stay the same, irrespective of Level. Every company needs to implement all of the PCI DSS.
Challenge #2: Implementing the PCI DSS Framework
The second challenging element of PCI compliance involves the depth and breadth of security safeguards companies need to implement. The PCI DSS comprises six Goals and 12 Requirements:
- Goal 1 – Build and maintain secure networks and systems
  - Requirement 1: Maintain firewall configurations to protect all cardholder data.
  - Requirement 2: Remove and replace vendor-supplied default security settings.
- Goal 2 – Protect all cardholder data in storage and transmission
  - Requirement 3: Protect all cardholder data in internal or external storage.
  - Requirement 4: Encrypt cardholder data prior to transmission over open, public networks.
- Goal 3 – Maintain a threat and vulnerability management program
  - Requirement 5: Install and update antivirus and antimalware programs.
  - Requirement 6: Maintain security for developed systems and applications.
- Goal 4 – Implement robust access monitoring and control measures
  - Requirement 7: Restrict cardholder data access by “business need to know.”
  - Requirement 8: Require user authentication for access to system components.
  - Requirement 9: Restrict all physical and proximal access to cardholder data.
- Goal 5 – Monitor and assess networks at regular, frequent intervals
  - Requirement 10: Monitor access to cardholder data via network resources.
  - Requirement 11: Assess security systems and processes often and regularly.
- Goal 6 – Develop and maintain a staff-wide information security policy
  - Requirement 12: Disseminate a policy allocating security roles for all personnel.
Each of these Requirements also breaks down into various sub-requirements, which have particular Testing Procedures for assessing and ultimately verifying compliance.
Challenge #3: Documenting and Reporting on Controls
Once all PCI DSS controls have been implemented, another compliance challenge arises: assessing and reporting on compliance per the requirements of your PCI Level. Level 4 companies are the only ones who can submit an annual SAQ without external validation.
The SAQ is relatively straightforward to complete, but compiling answers requires visibility into all security practices. Companies must indicate a yes or no answer for every single PCI DSS control, establish that the control doesn’t apply, or signify that they have a compensating control in place. Non-applicable and compensating control answers require additional explanation. Many companies find this process much more manageable with the help of a PCI DSS advisor.
Companies above PCI Level 4 need to seek out the services of a Qualified Security Assessor (QSA) to help them verify their compliance via an AOC or ROC. The AOC requires documentation that controls are in place at a given point in time, whereas the ROC requires on-site, long-term auditing.
Challenge #4: Implementing Additional PCI Standards
Another challenge of overall PCI compliance stems from the fact that the PCI DSS may not be the only framework your company needs to implement. According to the PCI’s guidance on its standards, there are two other widely applicable guides.
The first is the Payment Application DSS (PA DSS), which applies to most software developers and integrators of payment applications. The PA DSS comprises 14 Requirements:
- PA DSS Requirement 1 – Ensure “full track data” is not retained after transactions.
- PA DSS Requirement 2 – Protect all stored cardholder data across all networks.
- PA DSS Requirement 3 – Protect user accounts with secure authentication features.
- PA DSS Requirement 4 – Log and analyze all activities involving payment applications.
- PA DSS Requirement 5 – Maintain the security of all developed payment applications.
- PA DSS Requirement 6 – Safeguard all wireless transmissions pertaining to payments.
- PA DSS Requirement 7 – Assess vulnerabilities and maintain all application updates.
- PA DSS Requirement 8 – Facilitate the implementation of secure network architecture.
- PA DSS Requirement 9 – Never store cardholder data on a server connected to the internet.
- PA DSS Requirement 10 – Ensure safe, easy remote access to payment applications.
- PA DSS Requirement 11 – Encrypt cardholder data for transmission on open networks.
- PA DSS Requirement 12 – Ensure that all non-console administrative access is secure.
- PA DSS Requirement 13 – Develop a PA DSS Implementation Guide for all parties.
- PA DSS Requirement 14 – Assign PA DSS responsibilities for all stakeholders.
There are also two standards that collectively make up the PIN Transaction Security (PTS), which apply to manufacturers of PIN entry terminals. The two applicable frameworks are:
- The PCI PTS Hardware Security Module (HSM) Modular Security Requirements
- The PCI PTS Point of Interaction (POI) Modular Security Requirements
While many of the controls across these frameworks overlap, each framework must be implemented and assessed independently of the others. Each adds compounding challenges.
Challenge #5: Mapping to Other, Non-PCI Frameworks
Finally, all of the PCI compliance challenges from above are compounded further by the fact that PCI standards may not be the only regulatory compliance your company has to follow.
For example, the healthcare industry’s covered entities must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Companies that contract with the US Department of Defense (DoD) need to follow Defense Federal Acquisition Regulation Supplement (DFARS) regulations, which inform the NIST SP 800-171 and CMMC frameworks.
Mapping controls across these and other frameworks can be challenging. Thus, many companies solve this problem by unifying their controls according to a single framework. For example, the HITRUST CSF includes controls that meet or exceed all compliance requirements.
Strategies for Successful PCI DSS Implementation
The best and easiest way to address PCI compliance challenges is contracting dedicated PCI compliance advisory services from a third-party cybersecurity service provider, such as RSI Security. Our expert team will work with your company to assess and address all PCI compliance needs, along with any specific difficulties unique to your company.
RSI Security has been helping enterprises achieve PCI DSS compliance for over a decade. We’ve serviced over 250 clients in advisory, implementation, and reporting capacities and are an SSC-approved QSV.
Our strategies have helped our partners overcome their PCI DSS challenges and maintain compliance, avoiding penalties and reputational harm that can come from a lapse, in addition to cyberattacks.
Strategy #1: Begin with an Analytical Assessment
Companies need to assess their current cybersecurity infrastructure and determine which parts of it are compliant, which are not, and what adjustments are necessary. RSI Security can help companies get started on this process with a free cyber risk report.
However, compiling information on open risks and vulnerabilities is not enough to determine your company’s compliance remediation needs. For that, you need a detailed, analytical assessment of all information technology (IT) and security systems, cross-referenced against the Testing Procedures for every PCI DSS control. Such a thorough assessment will detail all remaining implementation requirements, along with how to measure your progress relative to PCI thresholds.
Strategy #2: Streamline Framework Implementation
Once you have an implementation strategy in place, you’ll need to begin implementing any missing safeguards and making corrections or adjustments to existing controls and systems. A well-prepared organization will streamline this process by building out future-proofed solutions, such as scanners that provide broad visibility and controls that remain flexible across different frameworks.
As a company grows, compliance needs multiply; PCI compliance becomes more challenging at higher transaction volumes. Growth may also mean entrance into new sectors and new regulations.
A hallmark of RSI Security’s architecture implementation services is its scalability and long-term resilience. We will advise on or construct network and cloud architecture that works with your current systems and future additions. We can also assist with secure application development and endpoint security, including mobile device monitoring.
Strategy #3: Report on Compliance with Confidence
Once all needed controls are in place, your company must assess and verify that they satisfy the PCI DSS Testing Procedures. For smaller companies, the SAQ can be completed without assistance. However, an advisor can help to minimize the time you spend filling out your SAQ. Advisors also help simplify the more strenuous AOCs and ROCs.
One method that RSI Security employs to optimize these processes is testing your security integrity prior to filling out the official documentation.
A PCI-focused penetration test can measure:
- The robustness of your perimeter and network controls via external pen-testing
- The internal security and ability to stop an insider threat via internal pen-testing
Strategy #4: Implement Continuous Patch Monitoring
The last strategy for achieving long-term adherence to the DSS and its reporting requirements, despite all the PCI compliance challenges detailed above, is adopting a continuous patch management program. This service scans for vulnerabilities across your implementation and security systems. If the assessment finds weak points, the appropriate patches are identified and deployed.
This is required as a part of PCI compliance; PCI DSS sub-requirement 6.2 specifies patch monitoring as a necessary component of ensuring security across applications and programs.
However, beyond what is required as part of PCI DSS Requirement 6, patch monitoring can facilitate long-term adherence to all regulations in the PCI framework, along with all other required controls you need to maintain. RSI Security will scan for gaps at regular intervals (monthly, weekly, or daily) and begin patching vulnerabilities as soon as they are found. All deployed patches will be documented for your compliance efforts.
Professional PCI Compliance and Cybersecurity
The most impactful PCI compliance challenges companies face involve initial assessment, full framework implementation, documentation and reporting, complying with other PCI frameworks, and mapping to and from non-PCI regulatory guides.
To alleviate these challenges, companies should seek out professional advisory and testing services that provide assessment, implementation, and reporting guidance, along with long-term patch management as part of their PCI compliance strategy.
To start identifying and addressing your PCI challenges, contact RSI Security today!