For most merchants, PCI DSS Compliance is a confusing, complicated mix of requirement complexity, lack of knowledge, and an ever-changing threat landscape. From small retailers to global merchants, PCI is frequently met with grumbling reluctance and often treated like an annual fire drill. With the upcoming publication of PCI DSS v4.0, it’s time to shift how merchants view their PCI responsibilities and their challenges.
Ready? Let’s dive into the 7 most common challenges merchants face.
For many merchants, scope is a moving target that is difficult to identify. If you can’t identify your scope, your annual assessment will be a mess from the start. In our article, How to Manage PCI DSS Scope, you’ll learn the definition of scope, examples of scope and 6 ways to oversee your scope. Without a complete asset inventory, it will be challenging to meet requirements that ask for a sample of system components. An accurate inventory is critical to your ability to meet your contractual and legal obligations to maintain security and compliance for your cardholder data environment.
The only thing constant is change, right? No exception when it comes to your PCI DSS Compliance program.
- Changes to your in-scope asset inventory
- Changes to your network
- Changes to your standards, processes, and procedures
- Changes to how people work – in office, at home, hybrid
- Changes in personnel
- Changes to the PCI DSS (version 4.0 is coming…are you ready?)
Merchants with an in-house (on-prem or even in the cloud) cardholder data environment struggle with keeping their systems updated, patched, and current. System drift happens when your assets stray from the required configuration standard for that OS or technology. System drift also happens when a merchant has
- Out-of-sync configuration scan policies
- Inadequate break/fix processes
- Lack of build clean/keep clean processes
Missing logs are a common occurrence for a variety of reasons. Merchants are in a catch-22 with logging, as this needs to be a 24/7/365 operation. If you have systems that stop logging and you don’t catch it, you run the risk of being non-compliant with PCI DSS Requirement 10.7. Merchants must have 90 days of logs immediately available and retain 12 months’ worth of logs. Systems break. That’s a given. But to stay compliant, organizations need to be monitoring and alerting on their systems for this exact event. Add a robust remediation plan (for example, this type of event gets logged as a major outage and fixed within 24 hours).
Your QSA will not be able to mark 10.7 as in place if you can’t provide 90 days of immediately available logs and 12 months of archived logs. Only your acquirer can accept the risk in order for you to move forward with your annual report on compliance.
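The two checks described above, a "host stopped logging" alert and a test of the 90-day/12-month retention windows, as an added example that is not from the original post; the host names, log lines and the 4-hour silence threshold are constructed assumptions:

```python
"""Flag in-scope systems that have stopped logging and check the PCI DSS 10.7
retention windows. Added example: hosts, log lines and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<ISO timestamp> <host> <message>".
SAMPLE_LOGS = """\
2023-03-10T09:00:00+00:00 pos-db-01 accepted connection from app tier
2023-03-10T09:15:00+00:00 pos-app-01 authorisation request processed
2023-03-10T11:59:00+00:00 pos-db-01 checkpoint complete
2023-03-10T15:45:00+00:00 pos-app-01 authorisation request processed
2023-03-10T15:50:00+00:00 pos-fw-01 rule update applied
"""
# Every host in the in-scope inventory is expected to keep logging.
IN_SCOPE_HOSTS = {"pos-db-01", "pos-app-01", "pos-fw-01", "pos-web-01"}

SILENCE_THRESHOLD = timedelta(hours=4)  # alert if a host is quiet this long
ONLINE_WINDOW = timedelta(days=90)      # "immediately available" (10.7)
ARCHIVE_WINDOW = timedelta(days=365)    # total retention (10.7)


def last_seen_per_host(log_text: str) -> dict[str, datetime]:
    """Newest timestamp observed for each host that appears in the logs."""
    seen: dict[str, datetime] = {}
    for line in log_text.splitlines():
        stamp, host, _msg = line.split(" ", 2)
        ts = datetime.fromisoformat(stamp)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(log_text: str, now: datetime) -> dict[str, str]:
    """Map each in-scope host that is not logging to the reason it was flagged."""
    seen = last_seen_per_host(log_text)
    problems = {}
    for host in sorted(IN_SCOPE_HOSTS):
        if host not in seen:  # never arrived: forwarding probably never set up
            problems[host] = "no events received"
        elif now - seen[host] > SILENCE_THRESHOLD:  # was logging, then stopped
            problems[host] = f"silent since {seen[host].isoformat()}"
    return problems


def retention_gaps(now: datetime, oldest_online: datetime,
                   oldest_archived: datetime) -> list[str]:
    """Return 10.7 findings: less than 90 days online or 12 months archived."""
    gaps = []
    if now - oldest_online < ONLINE_WINDOW:
        gaps.append("online logs cover less than 90 days")
    if now - oldest_archived < ARCHIVE_WINDOW:
        gaps.append("archived logs cover less than 12 months")
    return gaps
```

Run `silent_hosts(SAMPLE_LOGS, now)` from a scheduled job against the inventory and treat any non-empty result as the "major outage" event the text describes.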
Vulnerability management spans several requirement areas (2, 5, 6, 11) and is notorious for being the ONE. BIG. AREA. that most merchants struggle with. If you go through the 2020 Verizon Payment Security Report, requirement 11 is the hardest control area for merchants to achieve and sustain compliance. Why?
- Patching (85% of all breaches are due to lack of patching)
- Passing vulnerability scans and rescans
- Meeting the frequency requirement(s) stated in the PCI DSS
- Meeting one’s own vulnerability remediation schedule
PCI DSS Compliance can add a significant burden on personnel. It’s often above and beyond their “normal” day-to-day activities. As a former PCI ISA, I started identifying PCI fatigue as a blocker to the annual report on compliance. It’s a real thing. And it’s a huge challenge to overcome if your organization doesn’t give your PCI compliance program the proper resources and attention. Other factors that make the people factor a challenge:
- Lack of understanding the PCI DSS and the legal obligations
- Lack of teamwork among teams that must provide proof of compliance
Scale and Complexity of the PCI DSS
Once upon a time, a senior director told me that getting a report on compliance was like killing a forest just for documentation. No doubt, it can be viewed as a complicated and complex paper exercise. Even the requirements have requirements. And to make it even more complicated, requirements are often interconnected and interdependent AND some of them come with implied or explicit frequencies.
- Hundreds of requirements
- Requirements with frequencies
- Requirements with dependencies
Is there something else your organization is struggling with when it comes to achieving and sustaining PCI DSS Compliance? Drop a comment below or request a call back today! Payment Card Assessments is currently booking gap assessments for merchants who need to better position themselves for PCI DSS v4.0.