Monthly Archives: September 2015

Top five PCI compliance mistakes and how to avoid them

Unfortunately, a lot of businesses are making mistakes when it comes to achieving PCI compliance. There are many reasons why this is the case, from not understanding the requirements that are in place to underestimating the importance of them. Keeping that in mind, in this post we are going to take a look at some of the most common PCI compliance mistakes while also providing you with tips on how to avoid them.

Mistake #1 – Failing to change vendor default configurations

One key requirement of PCI DSS compliance is to change any default passwords and configurations. If you utilise vendor-supplied defaults, your virtual machines can be duplicated and deployed with ease. Thus, make sure you change all defaults so that you can manage and secure your virtual machines.

Mistake #2 – Not having code reviews

Whenever you make any alterations to your network and system, you must test them before they implemented. This is essential to make sure that the changes don’t result in any vulnerabilities arising in the environment. Secure coding standards must be documented and implemented as a key part of this.

Mistake #3 – Not using a firewall

Firewalls are one of the most fundamental elements of data security and PCI compliance. They should be implemented at every point of entry and exit. Moreover, simply having firewalls in place is not enough to protect your business. You will also need to have the correct configurations in place while it is vital to have a complete understanding of what is allowed in and out, and why this is the case, as well as full documentation of any changes.

Mistake #4 – Storing cardholder data in plain text

If you don’t need to store data, then you should always avoid doing so. However, if this is essential, there are some steps you need to take to protect the data in question. Firstly, you need to encrypt all cardholder information, and encryption keys need to be stored securely and effectively. You should also never store CCV data, PINs and the full 16-digit card number in your database and log files.

Mistake #5 – Not understanding cardholder data

Finally, one of the most common and damaging errors is not understanding cardholder data, and thus being unable to adequately protect it. You need to understand what information is retained once a sale has been made, as well as where it is stored and why. Without this information, you won’t be able to secure the data, as you won’t know what you’re looking for. You need to determine what you acquire from your customers, and you must recognise that PCI compliance applies to all merchants and retailers that process, transmit and store cardholder data.

The five mistakes mentioned merely scratch the surface of the different errors companies make when trying to achieve PCI compliance. To discover more about what is required of you, take a look at our PCI Compliance Map.