According to Bower of Voltage, if you think that compensating controls are a way to skirt around compliance burdens, you're probably tackling this PCI business the wrong way.
"Compensating controls are used when there is no means of directly meeting the requirement. For example, some organizations will assume that because they have legacy systems they cannot encrypt or tokenize stored card data in a database or application," he says. "Today, it's entirely possible to do that -- even on legacy systems like Mainframe and HP NonStop to reduce the risk of a breach whilst meeting the compliance need."
Besides that, he warns that compensating controls can cost the organization a lot in paper audits and additional investments in business processes and tools.
7. Bringing PA DSS-Certified Software Out Of Compliance
Just because you've bought some PA DSS certified software to process credit cards doesn't mean you're off the hook just yet, warns Marc Gaffan, co-founder of Incapsula.
"Software that is PA DSS certified must be run and operated in a PCI compliant environment in order to suffice the PCI DSS regulations," he says. "This means that you need to ensure that your IT environment and all related service providers are also PCI compliant in order to uphold the overall compliance of your certified software or e-commerce platform."
8. Failing To Separate Duties
Both PCI DSS Requirements 3.4.1 and 3.5 mention separation of duties as an obligation for organizations, and yet many still do not do it right, says Todd Thiemann, senior director of product marketing for Vormetric.
"In order to properly implement separation of duties, enterprises need adequate staffing," Thiemann says. "One common mistake is allowing developers or DBAs to see production data. This usually occurs due to understaffing in IT departments."
9. Poorly Managing Encryption Keys
PCI Requirement 3.5.1 states that organizations need to store cryptographic keys securely in the fewest possible locations and forms. Problem is, most organizations are terrible about key management.
"Enterprises should never store encryption keys alongside encrypted data. It doesn’t help if you lock the door with the key taped to the doorknob," Thiemann says. "Too many encryption solutions do not include proper key management and enterprises are prone to cutting corners when it comes to properly managing encryption keys."
10. Failing To Track Cardholder Data Flows
According to John Nicholson, counsel for the global sourcing practice at the Washington, D.C.-based law firm of Pillsbury Winthrop Shaw Pittman, organizations don't do enough to map their data flows for cardholder data to find out the whats, wheres, hows and whys of what's stored.
"Through that process, organizations can identify collections of cardholder data -- and other data that could be subject to a data breach -- and either get rid of it or encrypt it at rest," Nicholson says. "A lot of times companies discover that they are storing cardholder data in Excel spreadsheets or other formats that are difficult to control and protect. By doing the kind of data flow analysis I've mentioned, companies can identify these practices and deal with them."
Think that nobody still actually stores cardholder data in spreadsheets? It really does happen, says Ken Menken, CEO of Capalon Communications, Inc.
"True story: A medium-sized business came to us because they needed a better and more convenient solution for online registrations. Their then-current solution was their hosting provider e-mailing them a daily Excel spreadsheet, including all credit card information -- complete with CVV codes," Menken says. "And that didn't happen in 2009 -- it just happened now, in 2012. I cringe just thinking about it."
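The data flow analysis Nicholson describes, and the spreadsheet export Menken recounts, both come down to finding where primary account numbers actually sit. The following is an added example, not code from the article or from any vendor quoted in it: a small discovery scanner that checks a CSV export for Luhn-valid card numbers and for columns that look like stored CVV codes, reporting only masked values so the scan output is not itself a new store of cardholder data. The CSV content and column names are constructed; the card numbers are the usual publicly documented test PANs.

```python
import csv
import io
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Header names (constructed list) that suggest a CVV is being retained after authorisation.
CVV_HEADERS = {"cvv", "cvc", "cvv2", "security code", "card code"}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rules out most stray digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str):
    """Return masked, Luhn-valid PAN candidates found in a text blob."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def scan_csv(csv_text: str) -> dict:
    """Scan a CSV export: masked PANs per data row plus any CVV-looking columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cvv_cols = [h for h in reader.fieldnames if h.strip().lower() in CVV_HEADERS]
    findings = []
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        pans = find_pans(",".join(v for v in row.values() if v))
        if pans:
            findings.append((row_no, pans))
    return {"pan_rows": findings, "cvv_columns": cvv_cols}

# Constructed sample export; the card numbers are well-known test PANs, not real accounts.
SAMPLE_CSV = """name,email,card_number,expiry,cvv,amount
Alice,alice@example.com,4111 1111 1111 1111,12/25,123,49.99
Bob,bob@example.com,5500-0000-0000-0004,01/26,456,120.00
Carol,carol@example.com,order 1234567890123,,,15.00
"""

if __name__ == "__main__":
    print(scan_csv(SAMPLE_CSV))
```

The third row shows why the Luhn check matters: a 13-digit order reference matches the digit pattern but is rejected, so the report lists only the two genuine card rows and the retained CVV column.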