Compliance Management, GRC

Common PCI DSS Mistakes

Written by

Megan Baldwin

Published on

20 Jun 2021


When it comes to the Payment Card Industry Data Security Standard (PCI DSS), there are common mistakes that every QSA or ISA sees, regardless of sector and organization size.

Addressing the following five points within your organization will go a long way in eliminating that frantic scramble in the month before an audit, where everyone is feverishly checking payment card terminals, modifying dates on documents and checklists, and ‘refreshing’ staff on all things relating to information security.

1. Focusing only on compliance

Many organizations miss the point that the objective of PCI DSS is protecting cardholder data through sustainable payment security, which is evidenced by compliance. Always keep in mind that the annual audit is a point-in-time assessment of your payment card security efforts. If the wheels fall off the moment the assessor leaves, your organization is failing to meet its obligations to protect cardholder data.

2. Organizations forget that the PCI DSS is the MINIMUM

The PCI DSS has the challenge of being a global standard that needs to be applied to legacy systems as well as the latest technologies, in organizations ranging from multinational conglomerates to far less mature businesses. Any organization that has chosen to accept card payments is responsible for applying the relevant controls applicable to its environment, as well as any other controls that support the goal of securing cardholder data. This may require using other information security standards alongside the PCI DSS.

3. A lack of governance and structure in managing a PCI DSS program

Ensuring controls are not only in place but working as they should, day in, day out, requires a plan. The PCI DSS touches many areas of the organization, and it must be acknowledged as a business requirement. It’s not the sole responsibility of the IT department because it mentions firewalls, just as it’s not the sole responsibility of the finance department because it involves payments. The day-to-day management of PCI DSS requires a coordinated effort across the whole organization and should be included as part of overall information security and data protection efforts.

4. Creating policies, processes, and procedures purely for compliance

Failing to embed PCI DSS controls as business as usual will undo all the hard work in the blink of an eye. Often organizations create these documents to meet what they assume an assessor wants to read, but creating the required document set needs to involve key staff to discuss and work through the requirements, as well as analyzing how staff need to carry out their day-to-day responsibilities. The inclusion of key staff is vital to the success and practical application of policies, processes and procedures.

5. Believing that payments are not ‘core’ or ‘critical’ to the organization

What happens to the organization if card payments are no longer accepted? How does that impact the day-to-day operations? The expectations of the customer? Without the formal acknowledgment of the importance of payment acceptance, many organizations fail to secure the required budget or staff resources to maintain the security controls.

The PCI DSS does not have to be an overwhelming burden on your organization – by making the changes above in terms of how you approach it and with a change in mindset from compliance to security, you can help your organization not only achieve compliance, but maintain the controls that are in place to protect cardholder data.

About SureCloud

SureCloud is a provider of Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling a seamless integration of information, taking your risk programs to the next level.