Failing PCI Compliance Requirements: Top 7 Reasons


As we continue to report on Cyber Security News, data breaches are becoming more and more common in today’s environment – you only have to check out our recent post on “EA web server hacked as part of Apple phishing scheme” to see that. However, we thought that we would look into ways that companies can protect themselves from this occurring – starting with the top reasons that companies are failing PCI compliance requirements. But first, let’s look at PCI compliance in a little more detail to understand how it might prevent data breaches such as these.

What is PCI standards compliance and why is it useful to me?

The Payment Card Industry (PCI) standards provide an extensive set of recommended controls for organisations to implement to secure credit card data appropriately. The framework promotes secure data storage and transmission to ensure that customers’ credit card and personal data is held safely, thus preventing data breaches that may cost corporations thousands or even millions of pounds. The framework allows organisations to develop an effective process for securing payment card data – ranging from preventive controls through to detection and incident response. Compliance with the standard has been shown to significantly reduce data breaches, whereas failing PCI compliance requirements could cost organisations hundreds of thousands and the loss of customer confidence.

With a constant threat of cyber criminals and data breaches, it is more important than ever for organisations to protect their own and their customers’ data. It is now a requirement for organisations processing credit card data to be compliant with the PCI compliance requirements. But some organisations are failing PCI compliance requirements for a number of reasons, potentially through misunderstanding, lack of resources and funding, or an inability to implement appropriate controls. However, failing PCI compliance requirements is no longer realistic for organisations, which may face monetary fines, business restrictions and, in dramatic cases, the shutdown of business units if they fail to comply.

The PCI Council provides further details on the standards, tools and approaches organisations can take to gain PCI compliance. This guide looks at the top 7 reasons that organisations are failing PCI compliance requirements and provides guidance on how to meet PCI in a more cost-effective manner.

[Image: PCI compliance chart. Caption: A subset of PCI controls]

Failing PCI Compliance Requirements Reason #1: Poor Network Configuration

One of the most common reasons for organisations failing PCI compliance requirements is an inappropriate network architecture. Network architectures need to be appropriately configured to protect customers’ credit card data. The architecture needs to contain effective security-enforcing functions including strong access control lists, intrusion detection systems and locked-down firewalls, where appropriate. A risk-managed approach should be taken to determine the type of controls necessary for the network; however, the network should be configured appropriately to allow for this. For example, a DMZ at the perimeter of the network enforces an outer layer of access control to provide a further tier of controls – allowing for defence in depth. A DMZ can be utilised to host applications and services that should be made available to users outside the internal network; it may also be useful to put IDS boxes and VPN termination points in the DMZ.

Failing PCI Compliance Requirements Reason #2: Weak Network Segmentation

Network segmentation is a strong mechanism to split security domains in your network. For example, the PCI compliance requirements allow organisations to segment their network into appropriate silos, thus reducing the cost of controls, which then only need to be applied to a particular area of the network. If your corporate network is large then you should consider segmenting it into PCI-only segments where credit card data is processed, stored or accessed. This will include all PCI-related devices, applications and databases. If the segment is logically separated, you don’t need to apply PCI controls across the entire environment. Organisations that find themselves continually failing PCI compliance requirements may wish to consider segmenting their network into PCI-only silos and investing in controls specifically for that environment.

Failing PCI Compliance Requirements Reason #3: Weak Encryption Standards

One control that will result in organisations failing PCI compliance requirements is weak encryption. In the shadow of the Heartbleed bug, encryption of data in transit and at rest is more important than ever. As payment card data transits networks it is a very lucrative opportunity for hackers to intercept and decrypt, resulting in compromised data. Sending data in the clear is compliance suicide in today’s environment, so it is imperative that organisations implement strong encryption mechanisms for data in transit. PCI compliance regulations state that the use of strong levels of encryption is necessary to protect customer data, and organisations that fail to do so may be fined or brought offline altogether. Make sure that you utilise the latest cryptographic standards to remain compliant with PCI regulations.

Failing PCI Compliance Requirements Reason #4: Default Configurations

This is basic, basic information security advice – change default configurations and default passwords across your estate! Although this might seem obvious, it is something that many organisations can overlook when they are concentrating on their costs for large systems such as IDS. Default configurations range from leaving unnecessary services open on systems processing credit card data right through to leaving firewalls open with a default-allow stance. Ensure that you lock down your PCI devices by disabling unnecessary services while locking down those firewall rules to a deny stance.
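The default-allow versus default-deny stance above (and the locked-down firewalls of Reason #1) can be checked mechanically. The following is an added example, not code from the original article: it audits a constructed iptables-save style dump of the filter table, flags any chain whose default policy is ACCEPT, and flags ACCEPT rules for ports outside an approved list. The rulesets and the approved-port set are constructed for illustration.

```python
import re
from typing import List, Set

# Constructed dump showing the weak stance the article warns about: every chain
# defaults to ACCEPT and telnet (23) is reachable on a card-processing host.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed hardened version: deny by default, only approved services listed.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" lines carry the default policy of each chain.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\s")
# "-A CHAIN ... --dport N ... -j ACCEPT" lines open a service port.
DPORT_RE = re.compile(r"^-A\s+(\S+).*--dport\s+(\d+).*-j\s+ACCEPT\b")

def audit_ruleset(dump: str, approved_ports: Set[int]) -> List[str]:
    """Return findings for a filter-table dump; an empty list means clean."""
    findings = []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if policy == "ACCEPT":
                findings.append(f"chain {chain}: default policy ACCEPT (default-allow stance)")
            continue
        m = DPORT_RE.match(line)
        if m and int(m.group(2)) not in approved_ports:
            findings.append(f"chain {m.group(1)}: unapproved service open on port {m.group(2)}")
    return findings

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_ruleset(dump, {22, 443}) or ["no findings"])
```

Run against a real host with `iptables-save` piped into `audit_ruleset`, with the approved set taken from the system's documented service list.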

Failing PCI Compliance Requirements Reason #5: Physical Security

While some consultants may find it difficult advising on the physical security of PCI-located sites, it is a necessity to ensure that sufficient physical boundaries and controls are in place to protect customer data. Everything from data warehouses right through to endpoints processing payment card data needs to be protected to a commensurate level; this includes authentication via swipe card and PIN access where necessary, physical barriers to data centres, security guards if appropriate and even CCTV. Organisations often fail PCI compliance requirements due to lax physical security boundaries, so make sure that you perform appropriate audits and implement controls to protect your equipment from compromise.

Failing PCI Compliance Requirements Reason #6: Information Security Policies and Procedures

Information Security Policies should be enforced in any company in the current climate, none more so than those who process credit card data. Organisations failing PCI compliance requirements often do so because there is limited control over their policies and procedures, resulting in a lack of control over employee actions. As well as a standard Information Security Policy, PCI compliance mandates that a suite of policies be implemented to account for any systems in place, including configurations, security operations and staff procedures. Processes should be documented in a step-by-step fashion to ensure that systems are not altered unnecessarily. Senior stakeholders should be involved throughout this process and should authorise any policy documents. As with any policies, these should be disseminated throughout the organisation appropriately to ensure that staff have appropriate situational awareness.

Failing PCI Compliance Requirements Reason #7: Governance

As briefly mentioned in the reason above, the final reason involves a lack of governance throughout the organisation. A governance structure should be in place to cater for any event that may occur. For example, a governance structure should be established to deal with incidents identified via monitoring. This will allow for effective escalation and efficient response times. Failure to have an appropriate structure in place may result in organisations failing PCI compliance requirements.

As cyber criminals continue to find more sophisticated methods of compromising company data, PCI requirements will adapt to ensure that companies have appropriate controls in place to manage personal and sensitive data. The requirements may seem daunting to many organisations at first, but with appropriate expertise and understanding of the requirements, companies can implement the controls relatively cheaply. However, a lack of understanding of the requirements and of the controls to implement can often lead to organisations failing PCI compliance requirements.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
