- February 4, 2022
- Posted by: Gradeon
- Category: Compliance
PCI compliance isn’t at the top of everyone’s to-do list. But make any of these common mistakes, and you can be fined a substantial amount of money. Avoiding these seven mistakes mitigates that exposure and makes a complex process a little more forgiving.
Believing without verifying
Outsourcing does not automatically make your business PCI compliant. For example, a third party may offer the ISO 27001 security standard as evidence of compliance. Always ask to see the Attestation of Compliance (AOC), as ISO standards alone do not guarantee PCI compliance.
Choose your partners wisely and, at a minimum, make the following checks to verify PCI compliance:
- Don’t accept ISO standards in place of an AOC. If this document is not supplied, you’ll need to track the provider’s processes yourself to ensure full PCI DSS compliance.
- Take time to read the AOC. It should apply to your actual business environment and be clear about your responsibilities as a customer. If the PCI consultant has written the AOC document merely in response to your request, the proper PCI compliance processes may not have been followed.
- Establish through the proposed contract who is liable for fines, forensic analysis and the independent compliance report if a breach occurs. You’ll need a recorded agreement if the worst should happen.
- Look for an AOC signed by a PCI QSA as a sign that the third party is compliant and has been independently assessed.
Confusing vulnerability scans with full compliance
Passing the vulnerability scan is only a tiny part of the more comprehensive PCI compliance process. Avoid third parties that provide a PCI DSS compliance badge based on vulnerability testing alone.
Completing the wrong Self Assessment Questionnaire
Ensure that your organisation has completed the appropriate SAQ. Each SAQ corresponds to specific circumstances. For example, if you handle face-to-face payments, you may need to complete SAQ B, while an eCommerce site may require SAQ A.
While these may require you to fulfil around 30 requirements, the full SAQ D covers 330 compliance items. Completing the SAQ that relates directly to your circumstances therefore makes sense.
Not realising your SAQ always covers web hosting
Check with your third party web host that they bear PCI DSS responsibilities in your environment.
While your third-party providers may offer PCI compliant software, it may not cover your specific business environment. If your business stores data improperly, operates without a firewall, or runs an incorrectly configured website, you may be in violation of PCI DSS. As additional safeguards:
- At a minimum, complete SAQ A.
- Consider additional controls, including File Integrity Monitoring (FIM).
- Ensure someone is tasked with PCI compliance and given the time and resources to achieve it.
Believing PCI compliance doesn’t apply as you don’t store card data
PCI compliance covers transmitting and processing card data as well as storing it. Therefore, if you undertake any of the following, PCI compliance applies to you:
- You’re transmitting data if card payments are taken via a form submission on your website and then passed to a third party.
- If you take telephone payments and enter details via a workstation, you’re transmitting data, and you must properly secure the workstation.
- Card data transmitted over a VoIP network brings that network under PCI compliance.
- Even if you outsource all payment handling to a third party via a redirect page, you will still need to complete SAQ A as standard.
If you believe that outsourcing in itself ensures PCI compliance, you could be making a big mistake. As a business, you still have a responsibility to ensure that your third-party provider is fully PCI compliant, or that you are actively tracking their progress towards full compliance.
Not taking threats seriously because you won’t be fined over a data breach
The fundamental purpose of PCI DSS is to prevent loss through fraud. Failing to meet PCI compliance requirements in full makes it easier for an attacker to cause a data breach. Once that happens, you’ll trigger a chain of events:
- An initial fine
- An independent forensics investigation
- An independent PCI QSA report on compliance, due within a 90-day deadline
- Further fines for not meeting the requirements by the deadline
Even if you’re PCI compliant, you can face fines of thousands or be sued by your acquiring bank, customers and card processors. Compliance therefore offers greater legal leverage rather than specific legal protection, unless your contract specifies otherwise.
Not spotting the warning signs
These are some of the warning signs that can indicate a lack of full PCI compliance:
- Your third-party provider is slow to apply security updates, or applies them only to the website and not to the underlying architecture.
- There’s no documented response plan should a breach occur.
- Your provider does not agree to any PCI compliance responsibilities.
To avoid this mistake, look for the following positive signs:
- Your third-party provider promptly supplies you with the AOC document, signed by a QSA.
- Website administration requires two-step authentication, and access can be restricted.
- The provider is happy to be externally audited.
PCI compliance can be complicated, but avoiding these mistakes will protect your business if a breach occurs. Schedule a free consultation today to see how we can help you be PCI Compliant!