Common mistakes in PCI Implementation

The PCI DSS compliance standard has been around for more than 10 years now. The standard has evolved over the years and, compared with the first version released, the current version has tried to make the requirements clear for both merchants and service providers. Unlike the previous iterations, PCI DSS versions 3.0 and 3.1 have brought in 24 new "evolving" requirements because of the evolution of technology and the way IT is managed.
There is a clear rise in larger portions of IT being outsourced, and with the evolution of the cloud, an organization may not own any infrastructure at all. Hence it becomes really important that the organization has a clear understanding of, and agreement on, control ownership with all its service providers that store or process cardholder data.
Even after multiple versions and the standard being around for a while, organizations still find it difficult to run a successful PCI program. The following is a list of a few common mistakes that organizations have been repeating over the years and still fail to improve on:

  1. Bad scoping - The scope is never clear, the information is not available centrally, and businesses / LOBs start new processes without informing the Risk and Compliance teams.
  2. Incorrect interpretation - The standards are never clear, and your IT team's interpretation may not necessarily match the auditor's.
  3. Partial data discovery - Cardholder data is all over the place, and with a lack of proper documentation and control, organizations may take forever to find all the technology assets where cardholder data resides.

Is there a way to fix it?
Yes, a simple 3-step approach may help address them:

  1. Scoping - Spend more time and effort in scoping. Take a top-down approach to identify all businesses / LoBs / departments / service providers that store or process cardholder information, and document them in workflows / dataflow diagrams.
  2. Discovery tools - Use data discovery tools to ensure that all the technology assets, databases and file stores that may store cardholder information have been identified.
  3. Validation - Always validate your scope and control interpretation with a QSA before you start your remediation.
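To make the discovery step concrete, here is a small cardholder-data discovery routine added as an example (it is not from the original article or any particular discovery product). It scans text for candidate primary account numbers, keeps only those that pass the Luhn checksum to cut down false positives such as order or tracking IDs, and reports each hit masked to first 6 / last 4 so the scan output itself does not become a new store of cardholder data. The sample input is constructed and uses the well-known public test card numbers.

```python
"""Cardholder-data discovery: find candidate PANs in text and validate them with Luhn."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first 6 / last 4 so findings can be reported without storing full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<input>") -> list:
    """Return one finding (source, line number, masked PAN) per Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append({"source": source, "line": lineno, "masked": mask_pan(digits)})
    return findings


# Constructed sample export: line 2 and line 4 hold public test card numbers,
# line 3 holds a 16-digit tracking ID that fails Luhn and must not be reported.
SAMPLE = """order=1001 customer=alice status=ok
card=4111 1111 1111 1111 auth=approved
tracking_id=1234567890123456 carrier=ups
pan=5555-5555-5555-4444 exp=12/29
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE, "orders_export.log"):
        print(f"{f['source']}:{f['line']}: {f['masked']}")
```

Run it across file shares, database exports and log directories that are believed to be out of scope; every hit is evidence that the asset belongs in the cardholder data environment until proven otherwise.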

Lastly, the best way to achieve PCI DSS compliance is to continually improve processes to ensure on-going compliance, rather than treating compliance as a one-time project.

There are 2 Comments

Missed the disclaimer: This article is my personal view and is based on my own experience of executing and supporting PCI engagements.