9 PCI Myths That Can Cost CIOs

PCI blog image

As breaches continue to happen, the adage of not if but when continues to ring true. The following 9 myths regarding PCI compliance are worth a review as many organizations allocate funds to cybersecurity spending. 

Myth 1. PCI compliance is not worth our time as an organization.

As more and more organizations and even the tech industry itself moves toward a risk-based approach, the notion of annual reporting on cybersecurity and technology risk is not far off.   PCI DSS requires organizations regularly test security processes and systems. Though this is a challenge, PCI compliance audits may help organizations as they make decisions regarding technology and risk.

Areas to address include:

  • Network Security:  Non-firewalled connections are a risk, and restrict access to only those who need access. 
  • Data Storage: this is always a vulnerability when data is stored. Keep data retention to a minimum.
  • Application Security:  Does one application provide access to every application? if so, revisit this practice.
  • System Access: Limit access and track access by regularly changing credentials and logins. 
  • Authentication: Requiring two-factor authentication is not just an option anymore.
  • Tracking Changes: Maintain logs of every change  to confirm sensitive transaction data is secure
  • Privileges: Have admin privileges been changed or new user created?

New call-to-action

Myth 2. PCI compliance is not continuous.

The mindset of security beyond compliance is one that many businesses struggle with, however the struggle does not need to exist with PCI compliance. Requirements 10.5.5 and 11.5 require the use of file integrity monitoring software to help ensure log data cannot be changed without generating alerts. 

The PCI security standards council discusses the three-part process needed to ensure continuous PCI compliance.

  • Continual Assessment
  • Immediate Remediation
  • Regular Reporting 

With continual assessment, this year-round, ongoing assessment helps to ensure an IT environment is secure, and risk of suffering a data breach it mitigated.  immediate remediation is simply addressing and fixing the non-compliance concerns as they arise. Many organizations are choosing to implement monthly or quarterly reporting in all cybersecurity areas, not just focusing on those within the compliance perspective. 

With the 2018 addition of PCI requirement 12.11, service providers now have to perform quarterly reviews ensuring personnel are following proper security policies and operating procedures. many organisations are simply choosing to implement a quarterly review as well. 

Myth 3. PCI compliance is difficult to achieve.

Though there are challenges when implementing and maintaining any compliance requirement, if the processes are put into place from the beginning, achieving PCI compliance doesn't have to be a chore.

As previously mentioned, human error is the single greatest point of failure when it comes to information security risks. Ensuring that a policy is put in place doesn't have to be daunting.

  • Review and document where data is stored
  • Test security policies
  • Use the right software 
  • Conduct quarterly reports
  • Complete SAQ(if needed)

Myth 4. PCI compliance equals data security, so our data is secure.

Just as PCI requirements evolve, data security is evolving at a rapid pace. If your data security policy is not in place, most likely PCI compliance will not be in place as well. The three areas to review when reviewing PCI compliance policies include; process or policy, people or staff, and software. 

Subject to change at any moment, PCI compliance should be viewed as temporary, and many organizations have learned the hard way, either via a breach or system compromise.

| Download  the 2019 PCI Checklist to review PCI DSS 3.2.1 requirements today | 

Myth 5. PCI compliance is outsourced so it does not concern our internal organization.

Though outsourcing of maintaining PCI compliance is common, what cannot be outsourced is the responsibility.  

Many organizations do not realize they still need to have measures in place so potential risk and security issues still exist.  As noted by SecurityIntelligence, outsourcing does not "provide automatic compliance"  further commenting that "if vendors mishandle returns and expose credit data, retailers are on the hook". 

Myth 6. PCI compliance software is not worth the costs.

Non-compliance fees can be costly, and monthly penalties can add up quickly.  There are many factors organizations need to consider when evaluating P{CI compliance costs. 

  • Physical environment
  • Business type
  • Number of employees
  • Senior Leadership
  • In-house PCI knowledge
  • Hardware
  • PCI fees
  • QSA

Though the compliance level can help with predicting compliance costs, the above factors can vary the costs significantly. As previously noted, for many smaller  businesses and organizations who process fewer than 20,0000 transactions, the costs can average around $10,000 or below.

When looking at PCI software, there are 4 key features organizations can look for:

  • Proactive Change management
    • What was changed
    • Who made the change
    • Where the change was made
    • When the change tool place
  • Auditing Capabilities
    • A complete audit trail is needed for PCI compliance
  • Integrated Ticketing
    • Look for a solution that can differentiate good change from bad
  • Automatic Vendor Change Identification
    • The ability to eliminate false positives saves time and resources
    • Look for a cloud-based service that automatically identify changes due to patches and updates 

7. PCI compliance does not apply to us because our organization is small.

Though many organizations may not believe  there is a "worth", or dollar value attributed to PCI compliance, this belief is not always founded.  As noted in a recent post about 3.2.1, there are not exemptions based on the size of the organization.

Regardless of size, organizations should want to to be compliant, as it is not only applicable, but it is also a requirement, regardless of size.

New call-to-action

Myth 8. PCI compliance does not apply to our brick and mortar location, and we only have POS devices. 

A previous study reported, 91 percent of retailers  were not compliant with PCI DSS during a six month review. Though many businesses may not realize it, point of sale(POS) systems require file integrity monitoring as they are directly involved with processing of credit cards. Changes to the OS and applications on POS systems can cause system downtime and in worse case scenarios, a breach of credit card data.

Though the thinking behind keeping an infrastructure safe and secure is valid, securing a POS system can at times seem a "hard sell" from a budgeting perspective as the ROI on POS systems are non-existent. 

Myth 9. We've never had an issue, so PCI compliance is not a big deal.

As previously stated, it is not a matter of if but when.  The latest from Symnatec reports web attacks are on the rise, and with employees being one of the largest security risks, or "issues, compliance should be a big deal. 

Financial Costs after a data breach can include:

  •  Merchant processor compromise fines: $5,000 – $50,000
  •  Forensic investigation: $12,000 – $100,000+
  •  Onsite QSA assessments following the breach: $20,000 – $100,000
  •  Free credit monitoring for affected individuals: $10-$30/card
  •  Card re-issuance penalties: $3 – $10 per card
  •  Breach notification costs: $2,000 – $5,000+
  •  Technology repairs: $2,000 - $10,000+
  •  Increased in monthly card processing fees
  •  Legal fees
  •  Civil judgments

Source: Security Metrics


Ways to improve PCI-DSS compliance efforts can include: 

  • Education of your employees/people
  • Placing responsibilities on the right individuals
  • Enforce Unique User IDs
  • Invest in the right tools

It is also worthy to note that Symantec's latest data on user name usage still lists the most common user names used in attacks included "admin", "root", and "default", while "123456", [BLANK], and "admin" were the top three passwords.

PCI compliance doesn't have to be a challenge. Not sure where to begin? Download  the 2019 PCI Checklist to review PCI DSS 3.2.1 requirements today.

Download our 2019 Essential PCI compliance checklist now! 

 

Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".