- Not conducting a formal Readiness Assessment. It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standards (PCI DSS) provisions, which essentially means answering the “who, what, when, where, and why” of PCI with a comprehensive Readiness Assessment. By no means should it be looked upon as yet another added cost to the engagement; rather, it is a proactive and necessary measure for properly defining and understanding many important facets of PCI, which, by the way, is always a moving target, to say the least. A competent, well-skilled PCI-QSA, such as Charles Denyer of NDB Advisory, can provide your organization with a PCI DSS Readiness Assessment. Knowing what you are getting into is important!
- Having no buy-in from senior management and others. “Going it alone,” as the saying goes, can have its risks and rewards – but in the case of PCI DSS compliance – it’s not only a bad idea, but one that creates real challenges for organizations. Sure, management may very well be aware of their organization undertaking PCI compliance, but have they provided true operational and financial support, and have they taken the time to really understand the commitment and effort needed? If not, then it’s time to make them aware of this, and soon. Remember, setting expectations for PCI compliance is a must, no questions about it.
- Failing to understand PCI scope. Organizations struggle with this immensely – after all – determining the actual scope for purposes of PCI compliance can be challenging, and it’s not always a black-and-white answer. Do you have a “flat” network? What is the true definition of the cardholder data environment (CDE)? What third-party providers are in scope? These, and many, many other questions, often require thoughtful consideration for PCI compliance.
- Not conducting remediation efforts. As a PCI-QSA, I’m amazed at the lack of remediation efforts by companies pursuing PCI compliance. What I find more troubling is that these remediation efforts – when even conducted – are only undertaken for a sample of system components, not the entire population of in-scope items. Being compliant with the Payment Card Industry Data Security Standards means meeting all the stated requirements for ALL in-scope system components, not just a chosen few. A PCI-QSA with true independence and professionalism will always tell their clients that, and that’s exactly what I’m doing here! Simply put, remediate, and remediate all items that are in scope for an actual PCI DSS assessment.
- Failing to recognize the importance of policies and procedures. Here’s an issue that seems to go unnoticed many times regarding PCI compliance – after all – how challenging and time-consuming can it really be to develop PCI policies and procedures? Very challenging and time-consuming; just look at the number of documents that PCI requires – policies for this, procedures for that – get the point? Sure, PCI compliance is technical in nature, but don’t lose sight of one of the most important requirements, and that’s developing a comprehensive set of PCI policies and procedures. As a PCI-QSA, my advice is to hire an expert consultant to develop a customized set of these policies (which is part of the services offered by NDB Advisory) or to use the high-quality PCI security policies from pcipolicyportal.com.
Supporting point 3, there is a good white paper, “8 ways to reduce the scope of PCI DSS,” here.