The Payment Card Industry Security Standards Council (PCI SSC) requires all organizations that collect, process, store, or transmit card payments to comply with security frameworks—of which the most widely applicable is the PCI Data Security Standards (DSS). Ultimately, the goal of the PCI DSS is to protect sensitive payment card information from breach risks. However, many organizations grapple with PCI compliance security challenges.
What are the Most Common PCI Compliance Security Challenges?
The scope of PCI DSS Requirements covers organizations that process credit and debit card payments using devices, applications (web or otherwise), or software. The breadth of PCI DSS creates PCI compliance security challenges, the most common of which include:
- Meeting the PCI DSS requirements
- Mitigating evolving PCI vulnerabilities
- Managing a PCI-compliant security policy
- Verifying and reporting your PCI compliance
- Managing third-party vendor PCI compliance
Regardless of common PCI compliance security challenges, adhering to the PCI DSS framework helps protect the sensitive data processed by your organization from breaches.
Challenge #1: Meeting PCI DSS Requirements
The most fundamental challenge is installing all controls and systems required, per the PCI DSS v3.2.1. There are 12 Requirements, housed within six Goals, for organizations processing cardholder data (CHD). They include:
- Goal 1 – Securing payment processing networks and systems
  - R1 – Establish firewalls to protect cardholder data.
  - R2 – Avoid using default vendor-supplied passwords or any such security parameters.
- Goal 2 – Protecting cardholder data
  - R3 – Secure cardholder data.
  - R4 – Transmit cardholder data via encrypted measures across open public networks.
- Goal 3 – Managing vulnerabilities to card payment processing systems
  - R5 – Provide malware and antivirus protection for all systems.
  - R6 – Establish secure systems and applications.
- Goal 4 – Implementing access control security
  - R7 – Establish business privileges for cardholder data access.
  - R8 – Monitor and authenticate access to system components.
  - R9 – Implement physical access restrictions to cardholder data.
- Goal 5 – Periodically scanning and testing networks
  - R10 – Track access to cardholder data and applicable network resources.
  - R11 – Test security processes and systems periodically.
- Goal 6 – Implementing a security information policy
  - R12 – Establish an information security policy, specifically for personnel.
Navigating the implementation and upkeep of some of the complex PCI DSS Requirements often results in compliance challenges. However, working with an experienced PCI DSS advisory partner can help alleviate these challenges and protect your customers’ sensitive data.
Challenge #2: Evolving PCI Compliance Security Vulnerabilities
As organizations expand, there is a greater need to address the PCI compliance security vulnerabilities associated with processing sensitive data across various applications, networks, or devices. Threat actors are consistently devising sophisticated attack vectors, underscoring the need to address evolving cybersecurity vulnerabilities.
If organizations don’t take steps to control their PCI DSS compliance scope (e.g., via segmentation) as they grow, they risk unmanageable environments and compliance violations.
Poor Patch Management
Unpatched systems, software, or applications, if not remediated in a timely fashion, can be exploited by threat actors and present a cybersecurity vulnerability and PCI compliance risk. Some of the critical systems that are left vulnerable if unpatched include, but are not limited to:
- Security systems, such as intrusion detection/prevention systems
- Public-facing devices, such as those used at point-of-sale terminals
- Databases, such as those storing CHD
Patch management can be challenging for organizations, especially when faced with evolving security infrastructure and unpredictable release schedules.
PCI DSS Requirement 6.2 suggests that organizations use reputable outside sources to identify security vulnerabilities and “assign a risk ranking (for example, as high, medium, or low) to newly discovered security vulnerabilities.”
Guidance on risk assessment can be found in the National Institute of Standards and Technology’s (NIST) Special Publication 800-30.
Additional Patch Management and Requirement 6.2 Factors
Other factors to consider for patch management, per Requirement 6.2, include:
- Ranking of vulnerability risks based on industry best practices
- The potential impact of vulnerabilities, based on factors such as:
- Affected systems
- Vendor classification
- Common Vulnerability Scoring System (CVSS) metrics
- Developed or newly released patches should be deployed within 30 days.
- Beware of zero-day vulnerabilities (i.e., those that are undiscovered or those that have been found but do not yet have an available patch).
Security patches should be installed promptly, minimizing vulnerability windows for data breaches. Organizations should also protect systems and software from vulnerabilities by installing security patches supplied by vendors. While waiting a few days can allow other organizations to live-test patch compatibility, you’ll begin risking PCI compliance if you wait too long. Therefore, it’s crucial to establish a policy of deploying security patches within one month of release.
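The Requirement 6.2 factors above (rank each vulnerability high/medium/low, track whether a vendor patch exists, and deploy within 30 days) can be turned into a simple tracking check. The following is an added example, not code from the article or from RSI Security; the CVSS-to-ranking thresholds are an assumption borrowed from the CVSS v3 qualitative scale, and the vulnerability IDs, asset names, scores and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Deadline stated in the article: security patches deployed within one month (30 days) of release.
PATCH_DEADLINE_DAYS = 30


def rank_vulnerability(cvss_base_score: float) -> str:
    """Assign the high/medium/low ranking Requirement 6.2 asks for.

    Thresholds are an assumption taken from the CVSS v3 qualitative scale
    (>= 7.0 high, 4.0-6.9 medium, below 4.0 low); CVSS 'critical' folds into high.
    """
    if cvss_base_score >= 7.0:
        return "high"
    if cvss_base_score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Vulnerability:
    vuln_id: str                    # identifier from the scanner or feed (constructed here)
    asset: str                      # affected system, e.g. a POS terminal or CHD database
    cvss: float                     # CVSS base score supplied by the vendor or feed
    patch_released: Optional[date]  # None means no vendor patch exists yet (zero-day)


def assess(vulns: List[Vulnerability], today: date) -> List[dict]:
    """Rank every finding and flag those past the 30-day patch window."""
    findings = []
    for v in vulns:
        finding = {"vuln_id": v.vuln_id, "asset": v.asset, "risk": rank_vulnerability(v.cvss)}
        if v.patch_released is None:
            # Nothing to deploy yet: needs compensating controls and watching, not a deadline.
            finding["status"] = "no-patch-available"
            finding["days_since_patch"] = None
        else:
            days = (today - v.patch_released).days
            finding["days_since_patch"] = days
            finding["status"] = "overdue" if days > PATCH_DEADLINE_DAYS else "within-window"
        findings.append(finding)
    # Highest risk first; within a rank, the longest-outstanding patch first.
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["risk"]], -(f["days_since_patch"] or 0)))
    return findings


def overdue_ids(findings: List[dict]) -> List[str]:
    """IDs that already breach the deployment deadline (the compliance gap to report)."""
    return [f["vuln_id"] for f in findings if f["status"] == "overdue"]


# Constructed sample inventory: not real CVEs, systems or dates.
SAMPLE_VULNS = [
    Vulnerability("VULN-A", "pos-terminal-12", 9.8, date(2024, 2, 15)),
    Vulnerability("VULN-B", "chd-db-01", 5.3, date(2024, 3, 20)),
    Vulnerability("VULN-C", "ids-sensor-02", 7.5, None),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_VULNS, date(2024, 3, 31)):
        print(finding)
```

Run as-is to see the ranked list; in practice the `SAMPLE_VULNS` list would be fed from your scanner export and the function run on a schedule so overdue items surface before an assessment does.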
Web Application Risks
Besides patch management, web application risks threaten PCI compliance security for many organizations. Specifically, evolving web application risks and vulnerabilities can leave public-facing web applications exposed to cyberattacks.
The most common web application vulnerabilities to PCI compliance security include:
- SQL injection flaws, based on unvalidated input data and insecure APIs
- Cryptographic failures during CHD transmission, specifically:
  - Fully readable primary account numbers (PANs)
  - Poor protection (encryption) of cryptographic keys
- Access control gaps due to unrestricted URL access
As a PCI compliance security measure, it is crucial to remediate any web application risks upon detection. Public-facing vulnerabilities represent massive compliance risks. However, it is challenging to keep track of new web application risks, especially with consistent changes to CHD environments.
With the help of an experienced and official Approved Scanner Vendor (ASV), your organization can address evolving web application risks, ensuring robust PCI compliance security and minimizing threats to your public-facing web applications.
Challenge #3: Maintaining Updated PCI Compliance Security Policies
The goal of PCI DSS Requirement 12 is to ensure that organization compliance policies are well-defined, aligned, and up-to-date to help secure sensitive CHD. Still, many organizations face various challenges with updating compliance policies, the most common of which include:
- Poorly defined compliance scope
- Irregularly monitored security controls
- Poor communication of security policies
Addressing these challenges can help improve your organization’s PCI compliance security.
Poorly Defined Compliance Scope
It is challenging to fully define PCI DSS scope during significant organizational changes (e.g., rapid expansions, mergers, large partnerships). As a result, organizations can encounter vulnerabilities in CHD processing, transmission, or storage. The most critical of these include:
- Security gaps in CHD processing channels – If not addressed promptly, vulnerabilities in payment channels can result in data breaches. Specific vulnerabilities along processing channels include poor tracking of CHD during:
- Reception at point-of-sale terminals
- Transmission through payment channels
- Deletion from the CHD environment.
- Gaps in CHD processing procedures – It is critical to ensure adherence to security policies for all parties involved in processing CHD, preventing vulnerabilities from:
- Personnel operating errors at point-of-sale terminals
- Errors in personnel deleting CHD from storage environments
- Personnel erroneously storing CHD or sensitive authentication data (SAD), such as CVV codes, without a legitimate business need. Organizations subject to PCI DSS compliance should note that only payment card issuers are permitted to store SAD; merchants cannot do so.
Per PCI DSS Requirement 3, organizations are required to minimize CHD storage, except for business, legal, or regulatory needs. Consistent personnel misalignment with security policies addressing Requirement 3 can compromise CHD and SAD.
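The web application vulnerabilities listed under Challenge #2 (SQL injection from unvalidated input, fully readable PANs) and the storage points above (minimize CHD retention, never store SAD such as CVV codes) are easiest to see side by side in code. The following is an added example, not code from the article or from RSI Security: it masks the PAN before storage, drops SAD fields before anything is persisted, and shows a string-concatenated lookup next to the parameterised one that replaces it. The table layout, field names and card numbers are constructed for the example (4111 1111 1111 1111 is a well-known test PAN, the CVVs are made up).

```python
import sqlite3
from typing import Dict, List, Tuple

# Field names this example refuses to persist. The names are constructed; CVV/CVC,
# PIN and full track data are the sensitive authentication data (SAD) categories.
SAD_FIELDS = frozenset({"cvv", "cvc", "pin", "track_data"})


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN (display-masking example)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def strip_sad(record: Dict[str, object]) -> Dict[str, object]:
    """Drop SAD keys before the record reaches storage or logs."""
    return {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}


def open_db() -> sqlite3.Connection:
    """In-memory table so the example runs offline; only a masked PAN column exists."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, masked_pan TEXT NOT NULL, "
        "amount_cents INTEGER NOT NULL, merchant_ref TEXT NOT NULL)"
    )
    return conn


def record_transaction(conn: sqlite3.Connection, record: Dict[str, object]) -> None:
    safe = strip_sad(record)
    # The full PAN is never written; only the masked form is kept for reference.
    conn.execute(
        "INSERT INTO transactions (masked_pan, amount_cents, merchant_ref) VALUES (?, ?, ?)",
        (mask_pan(str(safe["pan"])), int(safe["amount_cents"]), str(safe["merchant_ref"])),
    )
    conn.commit()


def lookup_vulnerable(conn: sqlite3.Connection, merchant_ref: str) -> List[Tuple[str, int]]:
    """The flaw the article lists: unvalidated input concatenated into the SQL text."""
    sql = f"SELECT masked_pan, amount_cents FROM transactions WHERE merchant_ref = '{merchant_ref}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, merchant_ref: str) -> List[Tuple[str, int]]:
    """Parameterised form: the driver binds the value, so it cannot change the query."""
    return conn.execute(
        "SELECT masked_pan, amount_cents FROM transactions WHERE merchant_ref = ?",
        (merchant_ref,),
    ).fetchall()


def demo() -> Dict[str, object]:
    """Store two constructed transactions, then compare both lookups on a probe input."""
    conn = open_db()
    record_transaction(conn, {"pan": "4111 1111 1111 1111", "cvv": "123",
                              "amount_cents": 1999, "merchant_ref": "ORD-1"})
    record_transaction(conn, {"pan": "5555 5555 5555 4444", "cvv": "456",
                              "amount_cents": 500, "merchant_ref": "ORD-2"})
    probe = "' OR '1'='1"   # classic tautology input a scanner would send
    return {
        "one_order_safe": lookup_safe(conn, "ORD-1"),
        "probe_vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "probe_safe_rows": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated lookup returns every row for the probe input, which is exactly what an ASV scan flags; the parameterised version returns none because the probe is compared as a literal merchant reference. Note that nothing here stores or logs the CVV, and the PAN column only ever holds the masked value.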
Irregular Monitoring of Security Controls
Although the continuous monitoring of security controls in dynamic CHD environments can be incredibly challenging, an organization can encounter PCI compliance security vulnerabilities due to a lack of consistent oversight. The most critical of these include:
- Exposure of CHD environment to external, potentially malicious traffic
- Exposure of CHD to segmented environments not included within an organization’s documented PCI DSS scope
- Poor segmentation of CHD environments from unauthorized personnel access
Minimizing CHD risks requires regular security control monitoring—at least once annually and, critically, after changes to the CHD environment. Specifically, your organization should ensure year-round security for all systems, applications, or networks processing CHD.
Poor Communication of PCI Security Policies
Another challenge to PCI data security is efficiently communicating the scope of a PCI DSS security policy to all relevant parties, including relevant personnel, third-party vendors, and related business associates.
The most threatening of these challenges include:
- Improper documentation of results from penetration testing and vulnerability scans for use as references in instituting policy updates
- Improper documentation of the organizational policies and procedures themselves
- Lack of a dedicated, internal PCI compliance role or team
- Lax DSS adherence between compliance assessment and reporting periods
- Gaps in communication channels regarding password use policies, resulting in access control vulnerabilities
- Employee turnover or changes in privileged account users, with improper transitions in security procedures
Clear and timely communication of changes to PCI DSS security policies is critical to maintaining compliance and ensuring robust PCI data security.
Scope of PCI DSS Requirement 12
PCI DSS Requirement 12 requires organizations to establish and implement a PCI compliance security policy, conducting annual reviews to roll out necessary updates, especially after significant changes to the CHD environment.
Requirement 12 also requires organizations to implement security policies around:
- Risk assessment processes to identify critical assets, threats, and vulnerabilities—documenting them accordingly
- Proper use of critical technologies to eliminate unauthorized access to the CHD environment
- Clearly defined security responsibilities for all relevant parties
- Assigned security management responsibilities
- Awareness of all CHD security protocols and procedures
- Personnel screening to minimize the risk of internal attacks
- Defined policies for managing partnerships with third-party service providers, ensuring the protection of CHD and associated environments
- Acknowledgment of service provider scope of responsibilities regarding CHD security
- Incident response plans to address any breach attacks immediately
Implementing an up-to-date PCI compliance security policy based on these Requirements can help your organization achieve PCI compliance and minimize data breach risks. Working with an experienced PCI compliance partner can help your organization streamline the process and institute effective security policies.
Challenge #4: PCI Compliance Verification and Reporting
Depending on your PCI level, your organization will need to report on PCI compliance.
An organization’s PCI Level is based on its annual transaction volume and is determined by individual SSC Members (Visa, Mastercard, American Express, JCB International, and Discover). As a result, reporting on PCI compliance security can be challenging for organizations if they’re unsure of their Level and which reporting forms apply.
Many organizations can assess their PCI compliance internally using a Self-Assessment Questionnaire (SAQ), and if required, submit a Report on Compliance (RoC) and Attestation of Compliance (AoC). Merchants must partner with an official Qualified Security Assessor (QSA), such as RSI Security, to complete and submit both an RoC and an AoC.
Challenge #5: Managing Third-Party Vendor PCI Compliance
PCI compliance security is also crucial for third-party vendors, such as those providing services including:
- Collecting CHD at point-of-sale terminals
- Processing and transmitting CHD across networks
- Software development of CHD-processing software
- Note that organizations developing payment applications are subject to the Payment Application Data Security Standard (PA-DSS).
Third-Parties and PCI Compliance
One of the biggest PCI compliance security challenges is ensuring third-party vendors comply with the definition of your organization’s PCI DSS scope. This is because compliance culpability ultimately falls on the primary organization regardless of whether the third party was at fault. For this reason, merchants must thoroughly evaluate their partners and periodically check to ensure they maintain DSS compliance.
Some of the specific challenges to managing third-party vendor compliance include, but are not limited to:
- Use of unsecure internal and external applications for processing CHD, specifically those:
- Containing test accounts, user IDs, and passwords
- Developed to the vendor-suggested but not industry-best standards
- Outside of internally-defined PCI DSS scope
- Vendor use of unsecure access control protocols, including:
- Password reuse across multiple accounts
- Elevation of privileges for regular user accounts
- Unsecure authentication protocols, allowing vendor access to CHD environment
When working with multiple service providers, you can benefit from outsourcing PCI compliance security to an experienced PCI assessment partner that the PCI Security Standards Council has approved. Official recognition as a QSA and ASV requires its own recurring and rigorous assessment period. These partners, including RSI Security, provide compliance advisory services to simplify your overall PCI compliance security.
Robust Security Measures for PCI Compliance Challenges
PCI compliance security is a critical component of securing your organization’s sensitive data and protecting your customer and industry reputation. As a leading expert on PCI compliance, RSI Security can help guide your organization through the top PCI compliance security challenges, ensuring robust security for CHD.
To learn more about our suite of PCI compliance advisory and other related services, contact RSI Security today.