72% of merchants fall out of PCI DSS compliance within 6 months of achieving their Report on Compliance

2020 Verizon Payment Security Report

What sets merchants who have successful PCI Compliance programs apart from those that don’t? Merchants who can maintain their security controls long after they’ve submitted their annual Report on Compliance (RoC). That’s who.

Maintaining security around your cardholder data environment is complicated. No clear champion from the C-Suite, lack of attention on critical control areas, and whose job is it anyway?

We all can agree that mistakes happen. But a mistake repeated over and over again becomes a choice. The following are the biggest and most common mistake-choices merchants are making:

Mistake Number 1

Level 1 merchants have no idea what the scope of their assessment really is. They think they do. But they don’t. They don’t even know they have teams storing cardholder data on spreadsheets in SharePoint.

Mistake Number 2

Level 1 merchants don’t plan the work that’s required for their annual Report on Compliance. It’s a hot mess at the start and only gets worse.

Mistake Number 3

Level 1 merchants don’t have 4 quarters of passing ASV scans or internal and external scans and they’re still remediating pen test failures from 2 years ago.

Mistake Number 4

Level 1 merchants don’t have a build clean/keep clean process to help them manage configuration drift. 

Mistake Number 5

Level 1 merchants don’t have a way to alert personnel when in-scope servers stop logging, which means their security operations center can’t monitor, alert on, and investigate daily security events.

Are you sick and tired of starting your annual Report on Compliance off with dozens of requirement failures? 

Payment Card Assessments is here to help. 

We’re hosting our first master class, Assess Smarter, Not Harder, on June 15, 2022. In our master class we’re going to address the five biggest mistakes most merchants make, why they continue to make them, and how to take corrective action to strengthen your security posture. You’re also going to learn:

  • How to pinpoint and remediate key issues before, during, and after your annual Report on Compliance.
  • How to revise and enhance your critical compliance processes to show maturity in your compliance program.
  • Actionable steps to create a sustainable PCI DSS compliance program that saves time, effort, and money.
  • And we’re going to introduce you to Polaris PCA, the first-of-its-kind automated workflow tool with a robust PCI Knowledge Base, integrated PCI DSS Industry Standards, and Payment Card Assessments’ Best Practices.


Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or test system components, these changes can make a mess out of your rule sets. It’s so easy for someone to unintentionally request an “any” rule which is prohibited in the cardholder data environment. Our best advice is to insert your ISA or someone on the compliance team into the firewall rule change review.

5 PCI Compliance Headaches You Can Live Without

If PCI Compliance were easy, every organization would be doing it, right?

But it’s not.

The sad statistic from the most recent Verizon Payment Security Report is that 57% of all merchants fail to sustain PCI DSS Compliance.


There are so many reasons. Where do we start?

Let’s start with the 5 PCI Compliance headaches everyone can live without.
