For many organizations, PCI compliance is a necessary part of doing business.
However, failing a report on compliance could be disastrous for the business, and the time and cost of remediation can escalate quickly.
In this video, Mihir Mistry, Senior Security Manager for GRC, covers the top three reasons organizations fail a report on compliance, including:
- Staffing changes
- Misunderstanding of basic elements of risk management
- Representing a vulnerability assessment as a penetration test
One common theme that we see that results in a failure of a report on compliance is staff changes. So this is an industry where there’s a lot of change right now, so you have a certain staff and now you lose that and they don’t know what the new scope is. Scoping is the core in a PCI engagement. How do you scope your network? How do you scope where your cardholder data resides? And if you don’t scope that properly that is a big factor in failure of PCI compliance.
The other one is just understanding the basic elements of security and risk management. A lot of clients look at this as a compliance thing, it’s a check box approach. But if they truly do not understand the risk of what this means to my organization. ‘If I get breached then what happens to my customers?’ So, the whole risk management approach, if they fail to understand that, that is one of the big elements that also results in failure of PCI compliance.
So this is really basic that we see, but failure of understanding some basic elements like, what does penetration testing mean. We see a lot of times where clients think they have done a penetration test and they will bring it back to us. But when we look at that, it’s basically a scan; it’s not a true penetration test. So again, just basic elements like that. So our advice is always to do something like a readiness assessment first before you jump into a report on compliance. That way a lot of these elements can be addressed first, and you have some room to remediate those efforts and that can result in a positive compliance.