Most Common PCI Gaps

by Sarah Harvey / December 5th, 2019

In the payment card industry, our auditors come across the same vulnerabilities and gaps time and time again across different organizations. Even for a retailer as big as Macy’s, security gaps showed up in full force when their payment card systems were breached in 2018.  Did Macy’s security team take the time to mitigate the most common PCI gaps? Could they may have saved the millions of dollars by implementing best practices? To give your organization an advantage as you start your PCI audit process, we have gathered common PCI gaps that can be associated with each PCI DSS requirement. Let’s get a head start on your PCI compliance journey.

Where PCI Requirements Meet Common PCI Gaps

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

It’s common for organizations to lack proper firewall management, but misconfigured firewalls have led to mega breaches. Although your organization may have properly installed a firewall, understanding its configurations (especially in AWS) and access points is vital to the security of your organization.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

In general, poor management of passwords or weak password requirements can be the gateway hackers need to access valuable information buried deep in your systems. Over 29% of breaches in 2019 involved the use of stolen credentials, according to Verizon’s 2019 Data Breach Investigations Report. Are you working to prevent the misuse of stolen passwords to access secure data in your systems?

Requirement 3: Protect stored cardholder data

How do you protect the stored cardholder data that is vital to your business? By implementing methods of encryption, truncation, masking, hashing, and more.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Any transmission of cardholder data is a red flag in your security processes, but especially when it crosses misconfigured or weakened wireless networks. To gain compliance with PCI Requirement 4, cardholder data that your organization transmits over public networks must be encrypted.

Requirement 5: Use and regularly update anti-virus software or programs

While it’s impossible to keep your information secure for its entire lifetime, having updated anti-virus software is vital to making sure your systems are as secure as possible. During a PCI gap analysis and audit, you can expect an auditor to check that you’re regularly updating virus-protection software.

Requirement 6: Develop and maintain secure systems and applications

When you have an undetected vulnerability in an application or system, you’re setting your organization up for a data breach. This common PCI gap usually begins as early as the development stage, but can be remediated through vulnerability testing and penetration testing. In 2019, Verizon reported nearly 10% of all data breaches involved the action of exploiting vulnerabilities. By engaging in vulnerability scanning and penetration testing, you’re further ensuring your organization won’t be another number added into that statistic.

Requirement 7: Restrict access to cardholder data by business need to know

Should everyone in your organization have open access to your most sensitive data? Absolutely not. Cardholder data needs to be accessed only by those employees whose duties depend on that cardholder data.

Requirement 8: Identify and authenticate access to system components

How do you trace the actions of each user in your system? Are your user IDs and passwords secure? How do you know if your users are who they say they are? Does your staff know what to do if they suspect their account is at risk? Many PCI gaps stem from identification and authentication controls.

Requirement 9: Restrict physical access to cardholder data

Physical security is your first line of defense and is also an area where some of the most common PCI gaps are found. Whether in the form of a misuse of an ID access card or through an unlocked door, hackers can gain access to improperly disposed cardholder data if your physical security isn’t a priority.

Requirement 10: Track and monitor all access to network resources and cardholder data

How do you determine the cause of a security incident or data breach? By understanding your access controls and utilizing logging and monitoring tools. Implementing these mechanisms gives you the ability to track user activities and access, which is crucial in preventing, detecting, and minimizing a data breach.

Requirement 11: Regularly test security systems and processes

Performing tests like risk assessments, vulnerability scanning, and penetration testing to find and mitigate potential risks and vulnerabilities is extremely important to maintaining a secure environment for cardholder data. By ignoring this common PCI gap, you’re lacking an extremely important line of defense against hackers.

Requirement 12: Maintain a policy that addresses information security for all personnel

Your organization may think its information security policy covers all the necessary security requirements, but without regular updates and proper implementation, your policy is useless. Make sure you maintain written documentation for policies including an incident response policy, employee training policy, business continuity plan, data retention policy, and other security policies that might prove to be gaps in your environment. According to IBM Security’s 2019 Cost of a Data Breach Report, organizations that thoroughly tested their incident response plans had breaches with a total cost $1.23 million less than than those without proper incident response plans in place. Which side of that cost would you rather be on?

Set Your Organization Up for Security Success

If you want to make sure your security procedures are up to date, thorough, and adequately protect your systems, knowledge about common gaps is a great place to start. You don’t want to find yourself halfway through the PCI audit process only to realize your policies and procedures are inadequate or your physical security measures aren’t advanced enough to protect you against hackers. You especially don’t want to be sitting at your desk when you learn there’s been a major breach of cardholder data because you had a gap in the form of weak passwords. In the financial industry, alone, there were over 927 incidents in 2019. You don’t want to be an organization adding to that number in the next few years. Set you organization up for security success by mitigating these common PCI gaps early on in the audit process. Contact KirkpatrickPrice today if you’re ready to learn more about the PCI audit process.

More PCI Resources

What is a PCI Audit?

Guide to PCI Policy Requirements

6 Steps of a PCI Audit