Technology is only one leg on the security and compliance stool. Processes and well-trained people to carry them out are also needed.
"The technology piece of it doesn't work without having someone to install it and maintain it," Russo says. "And if they don't do it correctly, you've got issues."
Simply deploying log management won't get you off the hook on access control requirements; installing a Web application firewall doesn't absolve you from encrypting cardholder data; and no technology can keep the auditor from flagging you for failing to have an information security policy. That's the point: PCI requirements are meant to mitigate breach risk at multiple levels.
9) Trusting Just Any Service Provider
Increasingly, merchants are turning to service providers to fulfill PCI DSS requirements. If you use a third party, make sure it's one approved by the PCI Council.
The PCI Council is coming out with a training program for a new Qualified Integrator Reseller certification to make it easier for merchants to vet their service providers for PCI competence, Russo says. The new program is meant to ensure that outsourcers know how to properly install required applications so they don't leave holes and that they inform merchants of anything they need to do once the service provider leaves, Russo says.
10) Expecting PCI Compliance To Ever Be Finished
With PCI, the curtain call never comes, because compliance is continuous. A company that has been validated by an assessor one week could fall out of compliance the next if network infrastructure and IT practices change, or a new patch isn't installed correctly. If someone installs a new POS device or application incorrectly--even if it's compliant with the Payment Application Data Security Standard--you're still out of compliance.
And as infrastructure goes out of compliance, so does control over cardholder data.
With the changes in PCI DSS 2.0, the latest update to the standards as of January 2011, companies now need to find and document all storage, processing, and transmission of cardholder data, says Michael Garvin, senior principal security analyst for Symantec. If this only happens once a year during the annual assessment, then data can drift over the next 11 months, leaking into places it shouldn't be and leading to compliance problems a year later, he says.
Every PCI audit failure is different, but one commonality is that the companies involved are doomed to spend a lot of money and time fixing things in order to eventually get the PCI stamp of approval. Companies that succeed on the first try find that preparation and timely use of advisers can cut the chances of costly, common mistakes. That can also greatly reduce the cost of PCI compliance efforts over the long haul.
Sidebar: Red Flags
Four Requirements To Watch Out For
Which PCI requirements are the hardest to meet? Verizon Business in its 2011 Payment Card Industry Compliance Report found the four that are the most likely to be flagged during the first pass at PCI validation:
>> Requirement 3: Protect stored data.
>> Requirement 10: Track and monitor all access to network resources and cardholder data.
>> Requirement 11: Regularly test security systems and processes.
>> Requirement 12: Maintain a policy that addresses information security.
The low level of compliance with these four requirements indicates that encryption of data at rest "continues to be a major headache" for companies, the report says. The very low showing of requirement 12--to maintain an information security policy--is a bad sign since you need a clear statement of what you want in order to drive good practice. --Ericka Chickowski
Sidebar: Don't Make An Enemy Of Your Auditor
You don't need to be best buddies with your Qualified Security Assessor, but it doesn't hurt to avoid irritating him or her. Seasoned auditors recommend avoiding these interpersonal communication gaffes.
>> Don't BS. "Many IT staff have learned that if they use big words or complicated technical language, management may leave them alone," says Glenn Phillips, president of IT compliance and auditing firm Forte. "A good audit team won't fall for it and will know the language."
>> Don't be condescending. "My biggest pet peeve is when network administrators, developers, or any other positions that are more technical in nature attempt to undermine my technical knowledge," says Andrew Weidenhamer, audit and compliance practice lead at SecureState, an information security management company.
>> Don't argue. "This red flag tells auditors there may be something hidden under the rocks, and auditors just love to turn over rocks," says Jim Hurley, managing director of Symantec's IT Policy Compliance Group.
>> Don't lie or misdirect. "Any good auditor is going to do what's necessary to uncover what is needed for the audit," Weidenhamer says. "This is true even if it means talking to six more individuals or collecting 35 more pieces of evidence." Lies are bound to come out. --Ericka Chickowski