How to Avoid These Five PCI-DSS Pitfalls

Kudos to you for taking credit card data security seriously! You’re likely feeling good about taking that big step to properly secure your customer’s credit card data by becoming PCI DSS accredited. And you should! However, did you know that compliance alone does not necessarily guarantee data security? Here are five things to look out for to ensure the credit card data is truly secure and that you don’t find yourself caught in one of these common pitfalls.

1. Failing to review firewall rules and perform penetration segmentation tests every half year

According to the PCI DSS standard, service providers must review firewall rules and perform penetration segmentation tests every half year. Though most companies remember to do the PTs leading up to the audit at the end of the year, they often fail to do the proper checks mid-way through the year. Mark it in your calendar so you don’t forget these important steps in your PCI compliance!

2. Failing to Manage Vulnerabilities

As part of the PCI DSS standard, vulnerability checks need to be performed on a quarterly basis. Additionally, any vulnerabilities that are found need to be remediated during the same quarter. Failure to do so leaves credit card data vulnerable and increases the chances of a security breach. Unlike the initial certification which requires a vulnerability check during the last quartey only, when being recertified, checks are required on a quarterly basis.

3. Improper Scoping

When it comes to PCI the ‘scope’ is the cardholder data environment (CDE) and includes all of the systems, people, processes, and technologies that handle cardholder data. It is important to note that systems that support & secure the Cardholder Data Environment must also be included in the scope of PCI DSS. Examples include antivirus, patch management, vulnerability scanners and the like.

4. Storing SAD (Sensitive Authentication Data) After Authorization

During the payment process, service providers collect Sensitive Authentication Data (SAD) to authorize the payment. However according to PCI Regulations, you are only allowed to use SAD strictly to process the payment and may not store the data after completing the authorization.

5. Addressing PCI DSS Compliance During Audit Period Only

PCI should be part of your annual work plan and not reserved for a once-a-year security check. In order to be compliant and truly keep sensitive credit card data secure, the requirements delineated within the PCI DSS Standards should be followed and managed throughout the year.