Survey’s Out, Most Common PCI Gaps Revealed

by Sarah Harvey / February 24th, 2015

The need for stronger security becomes more obvious every day. As the security landscape changes, the threats to our sensitive data grow more serious, and in response the controls we put in place have become stronger. New data breaches make the headlines on an increasingly regular basis, and many criminals specifically target cardholder data. The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and keep this sensitive data from being compromised. PCI DSS applies to all organizations and merchants that accept, transmit, or store any cardholder data.

Full compliance with the new requirements of the revised standard, PCI DSS v3.0, became mandatory on January 1st of this year. The new version of the standard focuses on higher-risk areas in the threat environment, a clearer understanding of the purpose of each requirement and how to apply it, increased clarity of the requirements themselves, and alignment with changes in industry best practices.

As a PCI Qualified Security Assessor, we find that obtaining and maintaining a compliant PCI environment is challenging. We surveyed our QSA team, and the most common PCI gaps they reported were, by far:

  • Poorly managed firewalls
  • Inadequate policies and procedures
  • Lack of documented system configuration standards
  • No penetration testing and/or vulnerability scanning
  • A formal, annual Risk Assessment is not performed
  • Inadequate encryption key management
  • Undocumented application development standards
  • No formal Security Awareness Training program
  • Audit and security event logs are not enabled or monitored
  • File integrity monitoring is not performed
  • Background checks are not performed
  • Data flow of sensitive data is not documented
  • Incident response plans are not developed
  • Insecure remote access without two-factor authentication
  • Open wireless networks

Compliance does not guarantee security, but a secure environment is a compliant environment. After you’ve checked for these most common gaps, perform a Gap Analysis to determine the steps you need to take in order to reach your information security and compliance goals based on the current state of your organization’s security controls.

For more information about PCI Compliance or for help in performing a Gap Analysis or Self-Assessment, contact us today.