As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we assess hundreds of organizations annually. Reviewing our client’s PCI Programs year after year, there is a pattern of common gaps that inhibit organizations on their road to compliance. These gaps can make the certification process more painful than it needs to be, creating additional complexity and work effort while putting deadlines and customer opportunities at risk.
Below are the most common Governance and Technical gaps that we see during our engagements:
Key Governance Controls
- Asset Inventory: Not maintaining a list of hardware and software components that includes a description of function/use for each, and wireless access points.
- Policy and Procedures: Not reviewing all information security policies and procedures annually. Putting a “Last Reviewed” date on the policies, even if no changes were made, will help assessors quickly identify whether your documents have been reviewed within the last year and forgo any redundant interviews to clarify when documents were last reviewed.
- Record Keeping: Not keeping accurate records of Change Management tickets showing when changes were made to your IT infrastructure, including privilege changes to users’ access.
- Annual Risk Assessment: Not conducting an annual risk assessment that identifies any risks associated with your organization’s most critical assets and any threats that may be associated with devices. This should be documented in a formal risk register, either in report form, a spreadsheet, or located in a Governance Risk and Compliance application that allows for exporting reports.
- Security Training: Forgetting about a yearly enterprise-wide cyber security training session for all employees. Additionally, not keeping track of which employees have or have not finished the annual cyber security awareness training.
- Vendor Management: Allowing vendors to have 24/7 access into your network, instead of only allowing them for a specified time period. Not maintaining a list of service providers and what services they provide to your organization. Not maintaining the PCI compliance status of service providers that are handling credit card data on behalf of your organization.
Key Technical Controls
- Network Segmentation: Organizations not conducting an annual segmentation test to verify that controls are working as intended to truly separate the Card Data Environment from all other company networks. The annual segmentation test can also be included in the annual internal Penetration Test.
- Two-Factor Authentication for Remote Access: Not requiring administrators to use Multi-Factor Authentication (i.e. requiring a user to enter a code received on a cellphone or physical token) to log into the corporate network whenever they are not at the office and directly connected to the corporate network.
- Central Log Server: Not using a separate log server for devices to send system and audit logs to. Without this in place, hackers can clear out the logs on compromised systems to try and cover their tracks during a breach.
- File Integrity Monitoring: Not having a change-detection mechanism that monitors system settings and critical files and alerts on unauthorized modification, and not reviewing the results of that monitoring.
  Examples of files that should be monitored:
  - System executables
  - Application executables
  - Configuration and parameter files
  - Centrally stored, historical or archived, log and audit files
  - Additional critical files determined by the entity (for example, through risk assessment or other means)
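A minimal illustration of the change-detection mechanism described above, as an added example (not code from the original article): it hashes a set of monitored files into a baseline, stores that baseline as JSON, and on the next run reports which monitored files were added, removed or modified. The file names and contents are constructed for the demonstration; a real FIM deployment would run on a schedule, keep the baseline off the monitored host, and alert on any difference.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(paths):
    """Map every monitored path that currently exists to its SHA-256 digest."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}

def save_baseline(baseline, dest):
    """Persist the baseline as JSON; in practice keep this copy off the monitored host."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(src):
    with open(src) as f:
        return json.load(f)

def compare(baseline, current):
    """Classify differences as added, removed or modified monitored files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline two files, then tamper with one, delete one, add one."""
    root = tempfile.mkdtemp()
    cfg, exe, new = (os.path.join(root, n) for n in ("app.conf", "app.bin", "unexpected.so"))
    with open(cfg, "w") as f:
        f.write("debug=false\n")
    with open(exe, "wb") as f:
        f.write(b"\x7fELF constructed sample")
    store = os.path.join(root, "baseline.json")
    save_baseline(build_baseline([cfg, exe, new]), store)
    with open(cfg, "w") as f:
        f.write("debug=true\n")          # simulated unauthorized configuration edit
    os.remove(exe)                        # simulated deletion of an executable
    with open(new, "wb") as f:
        f.write(b"constructed")           # simulated unexpected new file
    changes = compare(load_baseline(store), build_baseline([cfg, exe, new]))
    return {k: [os.path.basename(p) for p in v] for k, v in changes.items()}
```

Running `demo()` returns the three categories of change; reviewing such a report regularly is the part of the control assessors most often find missing.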
- IDS / IPS: Not having intrusion detection or prevention solutions in place. This can often be accomplished by enabling an IDS/IPS solution on an already existing firewall.
- Rogue Wireless Detection: Not having a process, either manually walking around or using an automated tool, to test for the presence of wireless access points and to detect and identify all authorized and unauthorized wireless access points on a quarterly basis. (The asset inventory mentioned above will help achieve compliance with this control.)
- Vulnerability Scanning: Not conducting an external vulnerability scan by an Approved Scanning Vendor (ASV) at least every three months. Not conducting internal vulnerability scans. There should be four internal and four external* vulnerability scans available for the assessor to review.
*If you switch vulnerability scanning vendors, store the last four scans in an accessible location prior to switching to the new vendor, because not having scans available due to using a new tool is often not an acceptable excuse to your QSA.
PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated within the PCI DSS Standards should be followed and managed throughout the year.
If you have fallen into any of the above PCI gaps, we hope that this list will provide a helpful bridge on your road to compliance.