The Five Most Common Findings in a QSA PCI Compliance Assessment (and one that might surprise you!)



While each institution is different in the way they process payment information across various departments and areas, many of the same challenges to achieving PCI compliance exist in every organization. Below are five of the most common gaps our Security Advisors have noted during CampusGuard’s Readiness Review Assessments.

  1. Payment card information is processed on computers that are also used to handle day-to-day activities (e.g., checking email or researching a topic on the web).
    Are you aware of someone in your department who is using their PC to process card payments for the occasional payment made via phone? Allowing staff to use their general purpose workstations to process payment card transactions is a big no-no. All systems used for payment processing activities must be locked down and segmented from the rest of the organizational network; otherwise they pull the rest of the network-connected devices into PCI scope and create a lot more work for everyone. In a similar way, if you are specifically directing people to use computer labs, kiosk machines, or other public-use computers to make payments, this can also inadvertently bring these devices into your PCI scope. Do not direct customers to, or offer payment card entry on, any device that has not been properly secured or approved by your PCI Team. Consider working with a PCI-listed third-party service provider who can offer a hosted solution for your customers to go to and make payments on their own.
  2. Payment card information is coming in through unencrypted e-mail messages and the staff is accepting / processing these payments.
    During our interviews, staff will often admit that they occasionally receive e-mails from customers wanting to make payments and the e-mail contains cardholder data (CHD). They go ahead and use the information to complete the request thinking that, since this is a one-off, there is no PCI impact. E-mail is not a secure method for sending or receiving cardholder data, and is specifically forbidden for this purpose in the PCI Data Security Standards. We recommend that you educate your merchants and their staff about this, and work with them to eliminate this process immediately. If you haven’t already, implement a formal policy denying the use of e-mail for payment acceptance across the institution and train all staff on what to do if they receive an e-mail with payment card details. You may also want to consider installing a filtering device on your e-mail server to automatically reject messages with cardholder data.
  3. Policies and procedures governing the handling of payment card data are incomplete or non-existent.
    Documentation is critical to any organization but is often lacking and/or not made a priority. Policies and procedures governing payment card practices at the organizational level, as well as department level, are required by the PCI DSS to be documented, current, and complete. For a full list of documentation requirements (by SAQ type), please contact your CampusGuard CRM. You may also want to take advantage of our template library prior to updating your policies or procedures.
  4. Formal security awareness training does not exist or is not provided on a consistent, annual basis.
    Educating your staff (and relevant third parties) on general information security best practices can go a long way in preventing expensive mistakes due to human error. Training on the PCI DSS must be provided to all staff members with access to cardholder data upon hire and at least annually. As per the heading for Requirement 12 in the PCI DSS, remember that “…‘personnel’ refers to full-time and part-time employees, temporary employees, contractors and consultants who are ‘resident’ on the entity’s site or otherwise have access to the cardholder data environment.”
  5. Oversight of third-party vendors that handle payment card data is not performed in accordance with the PCI DSS.
    You may have outsourced your payment handling, but you cannot completely outsource your PCI compliance responsibility. It is important that you know, and document, all third-party service providers involved in handling payment card data on behalf of your customers. It is also critical to ensure the appropriate contractual language is in place defining which specific PCI DSS requirements are the responsibility of each entity. Requesting an AoC from these payment-related service providers annually will ensure their compliance efforts are sufficient and help to protect your institution from collateral damage should they experience a breach of cardholder data.
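The e-mail filtering idea from item 2, sketched as an added example (not CampusGuard's code or any product's): runs of 13 to 19 digits in the subject and text parts are validated with the Luhn checksum, and only a masked form is returned so the filter's own logs never hold CHD. The function names, the sample messages and the reject/accept verdict are assumptions; 4111 1111 1111 1111 is a widely used test number.

```python
import re
from email import message_from_string
from email.policy import default

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits; never log the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Skip degenerate runs such as all zeros, which pass Luhn trivially.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def scan_message(raw: str) -> dict:
    """Scan the subject and every text/* part of an RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    texts = [str(msg.get("Subject", ""))]
    texts += [p.get_content() for p in msg.walk()
              if p.get_content_maintype() == "text"]
    hits = [h for t in texts for h in find_pans(t)]
    return {"action": "reject" if hits else "accept", "masked": hits}

# Constructed sample messages (not real traffic).
SAMPLE_BAD = ("From: customer@example.com\nTo: bursar@example.edu\n"
              "Subject: Payment for invoice 1042\n\n"
              "Please charge my card 4111 1111 1111 1111 exp 12/27.\n")
SAMPLE_OK = ("From: customer@example.com\nTo: bursar@example.edu\n"
             "Subject: Order status\n\n"
             "My order number is 1234567890123456, when will it ship?\n")

if __name__ == "__main__":
    print(scan_message(SAMPLE_BAD))
    print(scan_message(SAMPLE_OK))
```

The Luhn step is what keeps order numbers and similar long digit strings from triggering rejections; attachments and HTML-encoded digits are outside what this sketch inspects.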

You would be surprised how often this occurs, but:

  1. Passwords are written down and/or shared (e.g., pinned to the corkboard above the computer or taped to the monitor).
    This practice is not only insecure; shared passwords, like accepting e-mailed-in cardholder data, are specifically forbidden by the PCI DSS. Even though people are always a little embarrassed when we point it out, if we don’t work with them to identify an alternate solution then they are likely to repeat the behavior down the road. Help your staff implement secure password practices by teaching them methods to create strong passwords or pass phrases. If they have difficulty remembering multiple passwords across multiple systems, you may also want to provide a secure password locker or software solution that has been approved by your IT Team for retaining passwords.

What do all of these findings have in common? They can all be remediated through a change in human behavior: stop using your computer and use the provided PCI-compliant equipment; do not accept e-mailed-in CHD for payments; prioritize and complete your payment-related policies and procedures; ensure your payment-related training and vendor management programs follow all PCI DSS requirements; and never share your password (publicly or with another person).

If you are aware of any of these activities occurring within your department, please reach out to your PCI Team and/or the CampusGuard Team to help you find a compliant, alternate solution. The best solution is one that is PCI-compliant AND allows you to run your business as you need to; and this can be achieved by working together.

Below is some additional commentary from our Security Advisor Team:

(Ko): Staying compliant with the PCI DSS is the hardest part of everyone’s PCI Compliance Journey. These common findings can crop up even *after* you initially validate compliance with the PCI DSS. Ensuring that your staff receives training on information security best practices and on your policies and procedures on a consistent and annual basis is the first step in staying compliant with the PCI DSS. Keeping your staff informed with good communications, training them, and keeping your policies and procedures up-to-date will not only help to prevent these common missteps, but also allow you to roll with the changes in newer versions of the PCI DSS and help you protect payment card data.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.