For most merchants, PCI DSS Compliance is a confusing, complicated mix of requirement complexity, lack of knowledge, and an ever-changing threat landscape. From small retailers to global merchants, PCI is frequently met with grumbling reluctance and often treated like an annual fire drill. With the upcoming publication of PCI DSS v4.0, it’s time to shift how merchants view their PCI responsibilities and their challenges.

Ready? Let’s dive into the 7 most common challenges merchants face.

Scope

For many merchants, scope is a moving target that is difficult to identify. If you can’t identify your scope, your annual assessment will be a mess from the start. In our article, How to Manage PCI DSS Scope, you’ll learn the definition of scope, examples of scope, and 6 ways to oversee your scope. Without a complete asset inventory, it will be challenging to meet requirements that ask for a sample of system components. An accurate inventory is critical to your ability to meet your contractual and legal obligations to maintain security and compliance for your cardholder data environment.

Change

The only thing constant is change, right? No exception when it comes to your PCI DSS Compliance program.

  • Changes to your in-scope asset inventory
  • Changes to your network
  • Changes to your standards, processes, and procedures
  • Changes to how people work – in office, at home, hybrid
  • Changes in personnel
  • Changes to the PCI DSS (version 4.0 is coming…are you ready?)

System Drift

Merchants with an in-house (on-prem or even in the cloud) cardholder data environment struggle with keeping their systems updated, patched, and current. System drift happens when your assets stray from the required configuration standard for that OS or technology. System drift also happens when a merchant has:

  • Out-of-sync configuration scan policies
  • Inadequate break/fix processes
  • Lack of build clean/keep clean processes
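To make the build clean/keep clean idea concrete, here is an added example (not code from the original post or from Payment Card Assessments) of a drift check: a written configuration standard per technology, a build gate that refuses an asset with any deviation, and a periodic scan that reports in-scope assets that have strayed, including assets that have no standard written at all. The technology names, settings and host names are constructed for illustration.

```python
"""Configuration-drift check of in-scope assets against a build standard.

Added example, not code from the original post or from Payment Card
Assessments. The technology names, required settings and host names are
constructed; a real tool would load the standard from the organisation's
hardening documents and the actual values from a configuration scan.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed configuration standard: the value each setting must have
# for a given technology (the "build clean" target).
STANDARD: dict[str, dict[str, str]] = {
    "linux-server": {
        "ssh.PermitRootLogin": "no",
        "auditd.enabled": "yes",
        "ntp.enabled": "yes",
    },
    "windows-server": {
        "SMBv1.enabled": "false",
        "AuditPolicy.Logon": "Success,Failure",
        "PasswordPolicy.MinLength": "12",
    },
}


@dataclass
class Asset:
    name: str
    technology: str
    in_scope: bool
    settings: dict[str, str] = field(default_factory=dict)  # scanned values


@dataclass(frozen=True)
class Drift:
    asset: str
    setting: str
    expected: str | None  # None when no standard exists for the asset
    actual: str | None    # None when the setting is absent on the host


def check_asset(asset: Asset, standard: dict[str, dict[str, str]]) -> list[Drift]:
    """Return every setting on one asset that deviates from its standard."""
    required = standard[asset.technology]
    return [
        Drift(asset.name, key, expected, asset.settings.get(key))
        for key, expected in required.items()
        if asset.settings.get(key) != expected
    ]


def drift_report(assets: list[Asset], standard) -> dict[str, list[Drift]]:
    """Map each drifted in-scope asset to its drifts (the "keep clean" scan)."""
    report: dict[str, list[Drift]] = {}
    for asset in assets:
        if not asset.in_scope:
            continue  # out-of-scope assets are not held to the PCI standard
        if asset.technology not in standard:
            # An in-scope asset with no written standard is itself a finding.
            report[asset.name] = [Drift(asset.name, "<no standard>", None, None)]
            continue
        drifts = check_asset(asset, standard)
        if drifts:
            report[asset.name] = drifts
    return report


def ready_for_production(asset: Asset, standard) -> bool:
    """Build gate: an asset enters the CDE only with zero drift."""
    return asset.technology in standard and not check_asset(asset, standard)


# Constructed scan results for a handful of assets.
SAMPLE_ASSETS = [
    Asset("pos-db-01", "linux-server", True,
          {"ssh.PermitRootLogin": "no", "auditd.enabled": "yes", "ntp.enabled": "yes"}),
    Asset("pos-app-02", "linux-server", True,
          {"ssh.PermitRootLogin": "yes", "ntp.enabled": "yes"}),   # root login on, auditd absent
    Asset("ad-01", "windows-server", True,
          {"SMBv1.enabled": "true", "AuditPolicy.Logon": "Success,Failure",
           "PasswordPolicy.MinLength": "12"}),                    # SMBv1 still enabled
    Asset("kiosk-99", "kiosk-os", True, {}),                       # no standard written
    Asset("dev-box", "linux-server", False, {}),                   # out of scope, ignored
]

if __name__ == "__main__":
    for name, drifts in drift_report(SAMPLE_ASSETS, STANDARD).items():
        for d in drifts:
            print(f"{name}: {d.setting} expected={d.expected!r} actual={d.actual!r}")
```

The same standard drives both checks, which is the point: if the standards team changes a required value, the scanning policy picks it up from the same place rather than drifting out of sync with it.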

Missing Logs

Missing logs are a common occurrence for a variety of reasons. Merchants are in a catch-22 with logging, as it needs to be a 24/7/365 operation. If you have systems that stop logging and you don’t catch it, you run the risk of being non-compliant with PCI DSS Requirement 10.7. Merchants must have 90 days of logs immediately available and retain 12 months’ worth of logs. Systems break. That’s a given. But to stay compliant, organizations need to be monitoring and alerting on their systems for this exact event. Add a robust remediation plan (for example, this type of event gets logged as a major outage and fixed within 24 hours).

Your QSA will not be able to mark 10.7 as in place if you can’t provide 90 days of immediately available logs and 12 months of archived logs. Only your acquirer can accept the risk in order for you to move forward with your annual Report on Compliance.
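What “monitoring and alerting for this exact event” looks like in practice, as an added example (not code from the original post): one check walks the in-scope asset inventory and flags every log source that has gone quiet or has never sent anything, a second verifies that each source still has 90 days online and 12 months archived, and a silent source is turned into the major-outage ticket with a 24-hour due date the post describes. The source names, timestamps and the one-hour silence threshold are constructed.

```python
"""Log-silence alerting and retention coverage for PCI DSS Requirement 10.7.

Added example, not code from the original post. The source names,
timestamps and the one-hour silence threshold are constructed; in
practice "last event received" comes from the SIEM or collector and the
coverage dates from the online store and the archive index.
"""
from __future__ import annotations

from datetime import datetime, timedelta

ONLINE_RETENTION = timedelta(days=90)    # must be immediately available
ARCHIVE_RETENTION = timedelta(days=365)  # must be retained
SILENCE_THRESHOLD = timedelta(hours=1)   # constructed; tune per source type
MAJOR_OUTAGE_FIX_WINDOW = timedelta(hours=24)

# Constructed point in time at which the checks run.
CHECK_TIME = datetime(2022, 3, 1, 12, 0)

# Every in-scope system expected to send logs (taken from the asset inventory).
EXPECTED_SOURCES = ["pos-db-01", "pos-app-02", "fw-edge-01", "pos-sw-03"]

# Constructed: most recent event received per source. pos-sw-03 has none at all.
LAST_EVENT = {
    "pos-db-01": datetime(2022, 3, 1, 11, 55),
    "pos-app-02": datetime(2022, 3, 1, 6, 10),
    "fw-edge-01": datetime(2022, 3, 1, 11, 59),
}

# Constructed: earliest timestamp held online and in the archive, per source.
COVERAGE = {
    "pos-db-01": {"online_from": datetime(2021, 11, 1), "archive_from": datetime(2021, 2, 1)},
    "pos-app-02": {"online_from": datetime(2022, 1, 15), "archive_from": datetime(2021, 2, 1)},
    "fw-edge-01": {"online_from": datetime(2021, 11, 1), "archive_from": datetime(2021, 6, 1)},
}


def silent_sources(last_event, now, expected=EXPECTED_SOURCES, threshold=SILENCE_THRESHOLD):
    """Sources that have gone quiet: {source: age of last event, or None if never seen}."""
    silent = {}
    for src in expected:
        seen = last_event.get(src)
        if seen is None:
            silent[src] = None          # never logged: missing from collection entirely
        elif now - seen > threshold:
            silent[src] = now - seen
    return silent


def retention_gaps(coverage, now):
    """Sources whose online or archived history is shorter than 10.7 requires."""
    gaps = {}
    for src, c in coverage.items():
        problems = []
        if c["online_from"] > now - ONLINE_RETENTION:
            problems.append("online < 90 days")
        if c["archive_from"] > now - ARCHIVE_RETENTION:
            problems.append("archive < 12 months")
        if problems:
            gaps[src] = problems
    return gaps


def outage_ticket(source, detected_at):
    """Remediation-plan entry: a silent source is a major outage due within 24 hours."""
    return {"source": source, "severity": "major outage",
            "due": detected_at + MAJOR_OUTAGE_FIX_WINDOW}


if __name__ == "__main__":
    for src, age in silent_sources(LAST_EVENT, CHECK_TIME).items():
        desc = "never seen" if age is None else f"last event {age} ago"
        print("SILENT", src, desc, "fix by", outage_ticket(src, CHECK_TIME)["due"])
    for src, problems in retention_gaps(COVERAGE, CHECK_TIME).items():
        print("RETENTION", src, ", ".join(problems))
```

Driving the silence check from the asset inventory rather than from whatever the SIEM happens to know about is what catches a system that was rebuilt and never re-enrolled in log forwarding; the retention check catches the quieter failure where logs arrive but the store was purged or the archive job stopped.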

Vulnerability Management

Vulnerability management spans several requirement areas (2, 5, 6, 11) and is notorious for being the ONE. BIG. AREA. that most merchants struggle with. If you go through the 2020 Verizon Payment Security Report, Requirement 11 is the hardest control area for merchants to achieve and sustain compliance in. Why?

  • Patching (85% of all breaches are due to lack of patching)
  • Passing vulnerability scans and rescans
  • Meeting the frequency requirement(s) that are stated in the PCI DSS.
  • Meeting one’s own vulnerability remediation schedule
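The last two bullets are where merchants most often lose track, so here is an added example (not code from the original post) of the bookkeeping behind them: each finding is tracked against the organization’s own remediation schedule, a fix only counts as closed once a rescan no longer reports it, and a cadence check confirms that a passing scan falls within the quarterly interval. The SLA days are a constructed organization-defined schedule, not values from the PCI DSS; the findings and scan dates are constructed as well.

```python
"""Remediation-schedule and scan-cadence tracking for vulnerability management.

Added example, not code from the original post. SLA_DAYS is a constructed
organisation-defined schedule (the PCI DSS does not set these numbers);
SCAN_INTERVAL follows the DSS's quarterly scanning cadence; the findings
and scan dates are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # constructed
SCAN_INTERVAL = timedelta(days=90)  # quarterly

AS_OF = date(2022, 3, 1)  # constructed reporting date


@dataclass
class Finding:
    asset: str
    title: str
    severity: str
    first_seen: date
    fixed_on: date | None = None
    rescan_clean: bool = False  # a fix counts only once a rescan no longer reports it


def due_date(f: Finding) -> date:
    """Deadline under the organisation's own remediation schedule."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    if f.fixed_on and f.rescan_clean:
        return "closed"
    if f.fixed_on:
        return "awaiting rescan"   # fixed on paper, not yet proven by a scan
    return "overdue" if today > due_date(f) else "open"


def remediation_report(findings, today):
    """Group findings by status; 'overdue' is the list the QSA will ask about."""
    report = {"open": [], "overdue": [], "awaiting rescan": [], "closed": []}
    for f in findings:
        report[status(f, today)].append(f"{f.asset}: {f.title}")
    return report


def scan_cadence_ok(passing_scan_dates, today):
    """True when at least one passing scan falls within the last scan interval."""
    return any(today - d <= SCAN_INTERVAL for d in passing_scan_dates)


# Constructed findings and scan history.
SAMPLE_FINDINGS = [
    Finding("pos-app-02", "Outdated OpenSSL", "critical", date(2022, 2, 10)),
    Finding("pos-db-01", "Weak TLS cipher", "high", date(2022, 2, 15)),
    Finding("fw-edge-01", "SNMP default community", "medium", date(2021, 11, 1),
            fixed_on=date(2022, 1, 5), rescan_clean=True),
    Finding("ad-01", "SMBv1 enabled", "high", date(2022, 1, 1), fixed_on=date(2022, 2, 28)),
    Finding("kiosk-99", "Missing browser update", "low", date(2021, 8, 1)),
]
PASSING_SCANS = [date(2021, 9, 15), date(2021, 12, 10)]

if __name__ == "__main__":
    for state, items in remediation_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{state}: {items}")
    print("quarterly cadence met:", scan_cadence_ok(PASSING_SCANS, AS_OF))
```

Keeping “awaiting rescan” separate from “closed” matters at assessment time: the evidence a QSA wants for a remediated finding is the clean rescan, not the change ticket.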

People

PCI DSS Compliance can add a significant burden on personnel. It’s often above and beyond their “normal” day-to-day activities. As a former PCI ISA, I started identifying PCI fatigue as a blocker to the annual Report on Compliance. It’s a real thing. And it’s a huge challenge to overcome if your organization doesn’t give your PCI compliance program the proper resources and attention. Other factors that make the people factor a challenge:

  • Lack of understanding of the PCI DSS and the legal obligations
  • Churn
  • Lack of teamwork among teams that must provide proof of compliance

Scale and Complexity of the PCI DSS

Once upon a time, a senior director told me that getting a Report on Compliance was like killing a forest just for documentation. No doubt, it can be viewed as a complicated and complex paper exercise. Even the requirements have requirements. And to make it even more complicated, requirements are often interconnected and interdependent AND some of them come with implied or explicit frequencies.

  • Hundreds of requirements
  • Requirements with frequencies
  • Requirements with dependencies

What Else?

Is there something else your organization is struggling with when it comes to achieving and sustaining PCI DSS Compliance? Drop a comment below or request a call back today! Payment Card Assessments is currently booking gap assessments for merchants who need to better position themselves for PCI DSS v4.0.
