When I was in training for my PCI ISA certification in 2012, I heard the instructor say, “and remember, the DSS requirements loop.” As someone brand new to the world of PCI Compliance, I had no idea what he was talking about. 

The more experienced I became, the more I understood just how interconnected and interdependent the PCI DSS requirements are. As I grew in my role as a PCI ISA, I was able to avoid the perils and pitfalls that come with the complexity of hundreds of PCI requirements, sub requirements, guidance documentation and other cross-reference material.

For example, did you know that requirement 11.2.3.b loops back to requirement 6.1? In fact, the QSA must validate that all rescans were performed until “either passing results were obtained or all “high-risk” vulnerabilities as defined in PCI DSS requirements 6.1 were resolved.” Not all requirements that are interdependent have a direct call out like this.

If you have high-risk vulnerabilities that haven’t been resolved in your environment, your QSA could very well mark more than one requirement as not in place.

There’s often a cascading effect on requirement failures when one requirement is not in place. Given that a PCI Report on Compliance is an all or nothing endeavor, the cascading effect of requirement failures is definitely a pitfall you want to avoid.

Some pitfalls exist in places were you might not normally think to even check. For example, in 2018, the PCI Security Council added PCI DSS requirement 6.2 to the SAQ-A, which brought servers that redirect to hosted payment pages into scope for patching. No doubt, a wise update; however the change was not widely broadcasted nor made apparent to merchants who redirect their internal payment systems to an internal billing page on an iFrame. Whether you have one or thirty internal payment systems redirecting to an internal iFrame, those servers are now in scope for requirement 6.2.

The peril that most ISA’s or PCI program managers will face is having to tell the finance department, application developers, system admins, etc., that their systems are now in scope and they must provide evidence of patching. Let’s hope they’re doing it anyway.

Scope is another pitfall that many merchants may stumble into. We’re going to chat about scope in an upcoming blog post. Stay tuned!

At Payment Card Assessments, we know how to cross check all the relevant requirements, guidance documentation, FAQs, etc., to ensure PCI DSS Compliance. We can help your organization avoid the perils and the pitfalls and get your program off and running in the compliant direction. Request a call back today!


Discover more from Payment Card Assesments

Subscribe to get the latest posts sent to your email.

Build Clean Keep Clean: The Secret Sauce to Maintain Continuous PCI DSS Configuration Compliance

The founders of Payment Card Assessments know all to well what it’s like to receive a scan report with over 2,000 configuration failures, a standards team that didn’t communicate changes to the scanning team, and an implementation team that had no idea what they were supposed to do to an in-scope asset before it went into production. 

Leave a Reply

Discover more from Payment Card Assesments

Subscribe now to keep reading and get access to the full archive.

Continue reading