
PCI DSS Compliance Vulnerability Checklist

It used to be that banks were the most vulnerable when it came to financial fraud, being the place "where the money is," as the 1930s bank robber Willie Sutton supposedly put it.

In the 21st century, merchants are now the biggest targets when it comes to having something of value to steal, and it isn’t always money. Large global retailers, small e-commerce start-ups, and everyone in between that has something to sell are targets for payment card fraud.

For more than a decade, the Payment Card Industry Data Security Standard (PCI DSS) has been in effect, requiring all merchants that store, process, or transmit cardholder data to achieve and maintain compliance. With industry analysts forecasting a booming holiday season and unprecedented retail sales going into 2020, any organization that handles credit card or other payment card data is not only on attackers' radars, but may already be compromised.

Vulnerability Checklist

You can't protect yourself if you don't know where your security gaps are. Here are six areas of vulnerability you should review to discover whether your organization is PCI DSS compliant.

1. Size of your environment

Did you know that PCI DSS defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes, and technologies that store, process, or transmit cardholder data, plus any system that is connected to the CDE or can affect its security? That includes the systems that support and secure the environment: AV management servers, domain controllers, firewalls/IDS/IPS systems, log management/SIEM systems, and more. If you have not drawn that boundary, your assessor will draw it for you, and it is usually larger than you expect.

Two ways to keep a handle on your environment are segmentation and monitoring. Granular network segmentation and access control policies let you isolate in-scope assets from the rest of your environment, and monitoring access activity helps you demonstrate that the isolation holds. Segmentation only reduces scope if it actually works: PCI DSS requires that segmentation controls be penetration tested at least annually (and after any change to them) to confirm that out-of-scope networks really cannot reach the CDE.

2. Limited staff resources

To be PCI DSS compliant, you must patch systems regularly and install critical security patches within a month of their release (Requirement 6). This often falls through the cracks when your tech staff is already stretched thin.

You don't have to worry about patches or other routine management and maintenance if you put those tasks in the hands of a trusted managed security services provider (MSSP). For far less than it would cost to hire an experienced technician full-time, an MSSP gives you a whole team of experts. They can also work around your schedule for minimum disruption to your business and customers.

3. Keeping up with daily audits

Requirement 10 of PCI DSS covers logging and log monitoring within your environment: audit trails for every in-scope system component, and a review of security events and of logs from CDE systems at least daily. Those logs don't mean a thing if nobody is looking at them. Daily review is how you catch the anomalies and errors that signal a threat, such as bursts of failed logins, privileged accounts used at odd hours, or a system that has stopped sending logs altogether. The standard allows log harvesting, parsing, and alerting tools to do the heavy lifting, but someone still has to act on what they flag.

It's in your best interest to set up a daily log review process so you have a clear picture of what is happening. Don't have the time? Ask your MSSP to watch your back as part of their security protection.

4. Third-party vendor remote access

Because third-party vendors often have access to confidential and sensitive data, including credit card and social security numbers, they can intentionally or unintentionally leave you at greater risk and out of compliance. Third-party vendor access can make your organization vulnerable in three ways: attacks that reach your systems through theirs; compromise of your endpoint protection; and accounts and remote-access paths left behind when their work is done.

It's up to you to ensure that the access you provide is reviewed regularly, that privileged access is granted only to those who need it, and that you are monitoring their activity so abnormal use stands out. PCI DSS Requirement 8 is explicit about remote access by vendors: those accounts should be enabled only for the time period needed, monitored while in use, and disabled when not in use. When the engagement is over, terminate the access immediately.
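The following is an added example, not code from the original post or from BlackHawk Data, showing what a minimal daily review for checklist items 3 and 4 can look like in practice: it parses a day of authentication events, flags runs of failed logins that end in a success, flags third-party accounts used outside their approved window or after their engagement ended, and reports in-scope hosts that sent no logs at all. The log line format, the host names, the vendor account register, and the sample log lines are all constructed for this example and are not a real product's format or real data.

```python
import re
from collections import defaultdict
from datetime import date, datetime, time

# Hypothetical line format assumed for this example (not a real product's format):
#   <ISO-8601 timestamp> <host> <event> user=<name> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one day of authentication events from in-scope systems.
SAMPLE_LOG = """\
2019-12-02T02:14:03 db-01 login user=vendor-posco src=203.0.113.7 result=ok
2019-12-02T02:15:10 db-01 sudo user=vendor-posco src=203.0.113.7 result=ok
2019-12-02T08:01:12 pos-gw-01 login user=jsmith src=10.10.1.5 result=ok
2019-12-02T09:00:00 db-01 login user=vendor-acme src=198.51.100.22 result=ok
2019-12-02T11:30:01 fw-01 login user=admin src=198.51.100.9 result=fail
2019-12-02T11:30:04 fw-01 login user=admin src=198.51.100.9 result=fail
2019-12-02T11:30:07 fw-01 login user=admin src=198.51.100.9 result=fail
2019-12-02T11:30:10 fw-01 login user=admin src=198.51.100.9 result=fail
2019-12-02T11:30:13 fw-01 login user=admin src=198.51.100.9 result=fail
2019-12-02T11:30:40 fw-01 login user=admin src=198.51.100.9 result=ok
2019-12-02T14:22:09 pos-gw-01 login user=jsmith src=10.10.1.5 result=fail
2019-12-02T14:22:30 pos-gw-01 login user=jsmith src=10.10.1.5 result=ok
"""

REVIEW_DAY = date(2019, 12, 2)

# Hypothetical register of third-party accounts: the approved access window and
# the date the engagement ends (after which the account should be disabled).
VENDOR_ACCOUNTS = {
    "vendor-posco": {"window": (time(9, 0), time(17, 0)), "ends": date(2019, 12, 31)},
    "vendor-acme": {"window": (time(9, 0), time(17, 0)), "ends": date(2019, 11, 15)},
}

# Every in-scope system should produce at least one event per day; silence
# usually means a broken log pipeline, not a quiet system.
EXPECTED_HOSTS = {"pos-gw-01", "db-01", "fw-01", "siem-01"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_day(log_text, day, vendor_accounts, expected_hosts, fail_threshold=5):
    """Run the daily review for `day` and return a list of finding dicts."""
    records = [r for r in map(parse_line, log_text.splitlines())
               if r is not None and r["ts"].date() == day]
    records.sort(key=lambda r: r["ts"])
    findings = []

    # Check 1: runs of failed logins per (user, source). A success that follows
    # a long run of failures is the case to look at first.
    streak = defaultdict(int)
    for r in records:
        if r["event"] != "login":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "fail":
            streak[key] += 1
            continue
        if streak[key] >= fail_threshold:
            findings.append({"check": "failed-logins-then-success", "user": key[0],
                             "src": key[1], "failures": streak[key], "ts": r["ts"].isoformat()})
        streak[key] = 0
    for (user, src), n in streak.items():
        if n >= fail_threshold:
            findings.append({"check": "failed-logins", "user": user, "src": src, "failures": n})

    # Check 2: third-party accounts used after the engagement ended or outside
    # the approved window, reported once per account and check.
    vendor_hits = {}
    for r in records:
        policy = vendor_accounts.get(r["user"])
        if policy is None:
            continue
        start, end = policy["window"]
        if day > policy["ends"]:
            check = "vendor-after-engagement"
        elif not (start <= r["ts"].time() <= end):
            check = "vendor-outside-window"
        else:
            continue
        hit = vendor_hits.setdefault((check, r["user"]), {
            "check": check, "user": r["user"], "first_seen": r["ts"].isoformat(), "count": 0})
        hit["count"] += 1
    findings.extend(vendor_hits.values())

    # Check 3: expected log sources that sent nothing for the day.
    seen = {r["host"] for r in records}
    for host in sorted(expected_hosts - seen):
        findings.append({"check": "no-logs-received", "host": host})

    return findings


def findings_by_check(findings):
    """Group a findings list by its 'check' name, for reporting or assertions."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["check"]].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for f in review_day(SAMPLE_LOG, REVIEW_DAY, VENDOR_ACCOUNTS, EXPECTED_HOSTS):
        print(f)
```

On the sample data the review reports four findings: the admin account on fw-01 logged in after five failures from the same source, vendor-posco was active at 02:14 outside its 09:00 to 17:00 window, vendor-acme was used after its engagement end date (an account that should already have been disabled), and siem-01 sent no logs that day. The single failed login by jsmith stays below the threshold and is not reported, which is the point of reviewing daily rather than alerting on every event.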

5. Disorganized solutions and storage

Is your storage process a bit like Frankenstein's monster, made up of so many disparate pieces that you're not really sure what is stored where? Or have you outsourced payment processing to a third party, figuring the onus is on them?

No matter how you choose to store payment information, locally or outsourced, it's up to you to know where and how that information is being stored, who's accessing it, how it's being accessed, and why. Outsourcing can shrink your scope, but it does not transfer your responsibility: you still have to confirm your provider's compliance status and manage the parts of the environment that remain yours. Developing and implementing processes throughout your organization can make audit time less stressful. It's also wise to actively assess security controls with vulnerability scanning (PCI DSS requires internal and external scans at least quarterly and after any significant change), keep inventories current, and continually monitor activity to respond to threats and verify compliance.

6. Only thinking about PCI DSS compliance when it's audit time

And speaking of audit time, is that the only time that PCI DSS compliance comes to mind? Making security and compliance a part of your standard operating procedure will save you time, money, and stress.

You may think that establishing and maintaining security and compliance processes is easier said than done, but it doesn't have to be difficult. By consolidating event correlation and threat detection into a single platform, you can get automated status reporting rather than assembling evidence by hand before each assessment. Better yet, talk to an IT security specialist to find out which solutions will have the greatest impact on your security and compliance status.

Security Specialists at Your Service

BlackHawk Data is here to strengthen your security posture, help you remain consistent in your PCI DSS compliance, and ensure you and your customers will have a happy holiday and a prosperous new year.

We take a holistic approach to cybersecurity, securing from the endpoint to the edge with a focus on data visibility. By incorporating open tools to provide data insights, intrusion detection, compliance monitoring and vulnerability scanning with the leading security products, we close any and every gap in your cybersecurity.

Would you rather have a trusted partner take over the reins of your security to ensure it's up to par? We can do that too with our Managed Security Services. From network and security operations center support to event monitoring and incident management, we will analyze, classify, prioritize, and contain security incidents, should they occur, and provide you with a detailed monthly report so you always know where you stand.

Don’t leave your security to chance.