These PCI DSS Compliance tales would be funny if they weren’t true.

Let’s face it: if you’re in charge of your company’s PCI DSS Compliance program, you need a spine of steel and the confidence to guide the security team, the business team, and the C-level suite.

Over the course of 10 years as a PCI ISA at a level 1 merchant, I’ve collected a crypt filled with PCI Compliance catastrophes.

Ready? Let’s dive in!

“What do you mean 3,000 end user devices are in scope?”

During a RoC QSA interview I had a system administrator say “I forgot how I configured the anti-virus management console.” I stopped the interview right then and there.

“We can’t just delete the credit card data we discovered in SharePoint.” (Yes, yes you can!)

“The credit card data has always been there.” Said a real-life senior director, as if that made credit card data sitting on SharePoint in the clear, CVV included, okay.

“Why do we need to worry about credit card numbers that have expired?” For real. 

The first email on a Monday: “Hi…one of our outsourced call centers was breached…” mmm…true story. 

Keep reading. Here’s another great PCI DSS Compliance story….

“Can you make this scan result go away?” Just as soon as you fix the problem. Does that work for you?

“Your system administrators are sharing passwords.” Whhhhhyyyyyy????

“Pause and resume stopped working 6 months ago…” Oh felgercarb….(bonus if you know what TV show that came from)

“VoIP isn’t in scope. Our call volume is low.” Right. Sure. Try again.

“We don’t store credit card data anymore so we don’t have to worry about PCI compliance.” 

This PCI DSS Compliance story is a doozy!

“If I had known we signed a contract to maintain PCI compliance we never would have signed a contract with that acquirer.”

“The delete file has at least 20,000 credit card numbers in it. The file has never been deleted.” Ooph 

“There’s a GRC tool that can do PCI, SOC 2, GDPR, NYDFS, and wash the dishes…” seriously, I wish. 

“PCI DSS v4.0 customized approach is going to be so much easier” <cough> Good luck with that.

Which PCI DSS Compliance story hits home? More than one?

If you’re looking to uplevel your PCI DSS Compliance game, or get your staff fully trained in aspects of PCI DSS that no one but Payment Card Assessments is diving into, now’s a great time to sign up for our upcoming workshops or book one of our coaching packages.


4 Smart Ways To Stop Overcomplicating PCI Compliance

You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?

You know that saying, “objects appear bigger in the rearview mirror,” right?

When it comes to PCI Compliance, satisfying the requirements often looks bigger the longer you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) wants to overcomplicate what needs to be in place to secure the cardholder data environment.

Maybe you jump immediately to implementing the newest shiny security tool without thinking about how it will impact other in-scope systems.

Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.

Or maybe you bury your head in the sand and sing lalalalalalalalalalala….(honestly, there were days I wish I could’ve done that!)

PCI Compliance doesn’t have to be complicated.

Here are 4 smart ways to stop overcomplicating your PCI Compliance program:
