PCI DSS – 5 Most Commonly Observed Control Failures

As a general guideline, any organization that accepts credit or debit card payments must comply with the PCI standards. Organizations that fail to comply with the deadlines face substantial fines and penalties and potential expulsion from card payment programs. Beyond the financial cost of non-compliance, organizations could suffer reputational and brand damage if a security breach compromises payment card information.

Notwithstanding the fines and penalties, many merchants still are not aware of the PCI DSS compliance requirements. There are many reasons for non-compliance, including a lack of awareness among merchants, underestimating the complexity and cost of remediation efforts, and compliance fatigue resulting from the need to respond to a broad range of requirements that affect the organization.


The encryption of stored payment card information is a control requirement that many merchants struggle to comply with, primarily because of the complex and intrusive technical nature of the available technologies. The standard's data encryption requirement ensures that the data remains inaccessible even if other security controls are breached. Unfortunately, many company databases, mainframes, and other system designs do not natively support encryption solutions. Process re-engineering and data reduction are approaches many merchants use to decrease the amount of payment card data that needs to be encrypted.

1. Lacking a clear definition of the payment environment that is in the scope of PCI DSS certification

Many organizations attempt to assess their payment environment without a clear understanding of the in-scope environment. It includes understanding all payment processes, including how payment card data enters the environment, where the data is processed and stored, how it leaves the environment, and with whom data sharing occurs. Lack of a clear understanding often leads to an incomplete compliance assessment and residual risk.

2. Encryption key management

The biggest challenge is the effective use of encryption and tokenization tools. Four principles of key management should be adhered to in order to fix weaknesses in the process. Effective key management includes 1) key policy management, 2) key storage, 3) key authentication, and 4) key authorization and key rotation.

3. Seeing compliance as an IT issue

Because of the many technical controls in the standard, many organizations consider compliance an IT problem and look to the IT department to fix it. This approach generally leads to a technology-centric approach that does not adequately consider non-IT procedures and controls. PCI DSS compliance is a business imperative that involves people, processes, and technology. It must be jointly owned and addressed by IT, business leadership, and other relevant groups in the organization. Leading organizations establish a PCI DSS compliance unit with IT (including security), legal, business, internal audit, and treasury representation to oversee compliance efforts.

4. Underestimating the complexity of PCI DSS compliance

Many organizations underestimate the complexity of PCI DSS compliance efforts. A contributing factor is that management often does not fully understand the extent of the payment environment and the number of databases, systems, technologies, and applications that need to be PCI DSS compliant. Remediation, especially in IT environments, can come with a hefty price tag that may be difficult to accept. Compliance also requires cultural changes for many organizations, which are time and again met with resistance.

5. Securing stored payment card information

Many businesses regard the PCI DSS as one of the most challenging compliance standards. Merchants often overcome their initial concerns as they become more aware of the various approaches available to them to protect payment card data and the standard’s flexibility. Compliance need not be this herculean task that is difficult to tame. Partnering with Nollysoft can make the herculean task a lightweight task! Nollysoft is here to help!

At Nollysoft, we help organizations with PCI compliance by making it very simple via an application called Panthera. To learn more, connect with us!
