You can help your clients ratchet up data security by spotting these five common PCI compliance mistakes along with recommended fixes.
Failing to accurately define PCI compliance scope
When a part of your point-of-sale (POS) solution is "in scope" for PCI compliance, that network segment or database must meet every applicable PCI DSS requirement. Bringing every piece of hardware in a typical business into scope would add expense without reducing risk.
That's why smart merchants work to limit the number of business systems that come into contact with cardholder data (typically through network segmentation) and must therefore meet the standard. A common mistake is forgetting about the systems that are connected to those in-scope systems.
Ask your client whether a system they have designated out of scope is connected to, or could affect the security of, cardholder data or the systems that handle it. If the answer is yes, that system is in scope.
Failing to track cardholder data flow
Mapping the path cardholder data takes through the organization usually produces much greater clarity about what information is stored, where it's kept, and why. During the process, merchants can identify collections of data that could be exposed in a breach and either eliminate them or protect them with encryption.
By zeroing in on data stored in formats that are difficult to control and protect, such as Excel spreadsheets on shared drives, business owners are much less likely to make PCI compliance missteps.
Failing to change default vendor configurations
Leaving vendor default passwords and configurations in place puts cardholder data at risk for the same reason that using "password" or "1234" for an online account does: attackers already know the defaults. The increasing use of virtualization makes the problem worse, because a virtual rather than physical version of a computer or storage device can be created in seconds.
These virtual machines are easily duplicated and deployed with the vendor-supplied defaults still in place, and they are often invisible to traditional IT inventory controls. That's why you should remind customers to change every vendor default for hardware and software, including default accounts, passwords, and configuration settings.
Neglecting policies and strategies for data security
As with the process of becoming PCI compliant, keeping data secure 24/7 requires daily attention. When policies are first put in place, compliance rates are usually very high. But as the novelty wears off, and employees stop seeing the benefit of maintaining good security practices, tasks are neglected, updates are delayed, and the resulting gaps can be exploited.
That's why businesses need specific strategies for maintaining a secure environment around the clock. Set up a regular schedule to apply security patches, require strong passwords that are changed on a defined schedule, and store credentials securely.
Underestimating the importance of physical security
Securing networks and other logical controls is where businesses focus most of their prevention efforts. But physical security can be just as important.
By putting in place and maintaining controls over who can physically reach POS terminals, servers, and network equipment, business owners can prevent many attacks on those systems before any logical control comes into play.
Ensure your clients aren't needlessly putting cardholder data and their own businesses at risk by making these PCI compliance mistakes.
What are some of the common PCI compliance mistakes you see that could be avoided?