How not to fail a PCI DSS audit

Carding Forum



Companies that store, process or transmit payment card data, online payment services for example, must comply with an international security standard, PCI DSS (Payment Card Industry Data Security Standard).

To be recognised as PCI DSS compliant, a company has to go through an assessment and then re-validate periodically (annually, with quarterly scans in between) that it still meets all of the standard's requirements for handling customer payment data.

Payment card industry assessors note that in 99.9% of assessments they found violations, even at stable companies with experienced IT staff.

Most of those companies meet the obvious requirements, such as encrypting stored card data, but overlook the less visible yet equally essential controls.

Here are five essential tips to help you pass your next PCI DSS audit.

Clearly define the scope and what cardholder data is actually stored

Different departments of a company that handles payment card data do not always talk to each other. Technical leads fill in the Self-Assessment Questionnaire (SAQ, a required part of the audit) without consulting other departments, and senior management plans to roll out a new POS terminal without consulting the developers.

As a result, during the assessment the accounts given by different departments do not form a consistent picture, or even contradict each other.

For example, at one company an IT administrator assured the assessor that all payment card data was stored encrypted in a single location.

A few days later, in a conversation with the help desk manager, it turned out that while serving customers, agents were typing plaintext card numbers into a free-text comment field.
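The comment-field incident above is exactly what a cardholder data discovery scan is meant to catch: card numbers leaking into free-text fields that nobody declared in scope. The following is an added example, not code from the original post, that finds candidate PANs (13 to 19 digits, optionally separated by spaces or dashes), validates them with the Luhn check, and masks them to the first six and last four digits, which is the most PCI DSS allows to be displayed. The helpdesk records are constructed for the example; field names and the `scan_records` helper are assumptions, not a real ticketing system's schema.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, each optionally followed by a single space or
# dash, and not embedded in a longer run of digits (so a 20-digit reference
# number is not chopped into a "card number").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(candidate: str) -> str:
    """Return the bare digit string if the candidate is a plausible PAN, else ''."""
    digits = SEPARATORS.sub("", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return ""


def find_pans(text: str) -> List[str]:
    """All Luhn-valid card numbers found in a free-text field."""
    return [pan for m in PAN_CANDIDATE.finditer(text) if (pan := _as_pan(m.group()))]


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (the PCI DSS display maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every valid PAN in the text with its masked form; leave the rest alone."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(_as_pan(m.group())) if _as_pan(m.group()) else m.group(),
        text,
    )


# Constructed helpdesk records (hypothetical ticket format, not real data).
# 4111111111111111 and 5555555555554444 are well-known test card numbers.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "T-1001", "comment": "Customer called, card 4111 1111 1111 1111 declined, asked to retry"},
    {"id": "T-1002", "comment": "Order ref 1234567890123456 shipped"},          # fails Luhn: not a PAN
    {"id": "T-1003", "comment": "Refund to 5555-5555-5555-4444 exp 12/26 cvv 123"},
    {"id": "T-1004", "comment": "Ticket 98765432109876543210 is a 20-digit internal reference"},
]


def scan_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Report which record and field contain card data, with the PAN already masked."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id":
                continue
            for pan in find_pans(value):
                findings.append({"id": rec["id"], "field": field, "pan": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['id']} {f['field']}: {f['pan']}")
    for rec in SAMPLE_RECORDS:
        print(rec["id"], "->", redact(rec["comment"]))
```

Two caveats a practitioner should keep in mind. About one in ten random digit strings passes the Luhn check, so findings still need a human look before anyone declares the field in scope. And record T-1003 also contains an expiry date and a CVV; the CVV is sensitive authentication data that PCI DSS forbids storing at all after authorization, so a finding like that is a data-deletion task, not just a masking task.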

Don't let the security policy exist only on paper

Encryption is usually what people associate with data security, while internal policies are treated as paperwork.

However, ignoring those policies has real consequences.

One company, on the eve of its next audit, handed the card-processing systems to a different technical team without explaining the internal policy to them. The team decided the architecture was more complex than necessary and removed the network segmentation that isolated the cardholder data environment.

A clear internal routine, and the discipline to actually follow it, prevents security gaps like this one.

Make sure access to and from the cardholder data store is properly controlled

Breaches are rarely caused by a single factor. Excessive access privileges, insecure remote connections and missing file-integrity monitoring, taken together, are what turn into a data leak.

Unfortunately, access control is rarely configured correctly: in 90% of first-time audits, access to cardholder data is not properly restricted. More often than not, access rules are too permissive and the defences against malicious traffic are built incorrectly. Companies also forget about egress rules, that is, what is allowed to leave the network, which is what limits the damage if attackers do get past the perimeter and into the data store.

Install security and other software updates regularly

Security vendors constantly track new malware and release updated signatures and patches. A company that does not apply updates promptly keeps facing attacks that the current version of its security tooling was never built to detect or block.

Don't ignore reports and alerts

Regular system reports and logs exist not only to improve operations and profits but also to protect customers' payment data. To prevent payment fraud, these logs have to be monitored continuously, not just collected.

At one company, a cyberattack was recorded during the audit itself. The organisation had set up a working alerting system for failures and anomalies, but nobody was watching the alerts it produced.

Non-compliance with the requirement can cost the company more than just the loss of the PCI DSS certificate. Neglect of the rules for handling payment cards creates an additional opportunity for payment fraud.