PCI DSS can be a complex beast. Many businesses are not clear whether PCI applies to them or do not have a clear understanding of what they are looking at. Our Principle Security Consultant; Wayne Murphy explains the common misconceptions and problem areas that our Qualified Security Assessors (QSA) encounter.
After working on PCI DSS projects over the past six years, I’ve seen some common misconceptions arise time and time again. I thought it would help those about to go through the process to share some of the most common ones, namely:
- “PCI DSS doesn’t apply to me as I don’t store cardholder data (CHD)”
- “Everything is encrypted; therefore, PCI DSS doesn’t apply”
- Completing the wrong SAQs
- Incorrectly completing SAQs
“PCI DSS doesn’t apply to me as I don’t store CHD”
A prevalent one this, but unfortunately PCI DSS applies to
“Everything is encrypted therefore PCI DSS doesn’t apply"
Clients sometimes believe that encrypted cardholder data is not in scope for PCI DSS. Unfortunately, this is often not the case. PCI DSS still applies to encrypted cardholder data that is being stored or transmitted. The reason for this is that the decryption keys are often held within the environment where the encrypted cardholder data is.
There are some exceptions to this, but these will be because the decryption keys are not accessible by the environment where the encrypted data is being stored or transmitted.
Completing the wrong self-assessment questionnaires (SAQs)
PCI DSS compliance reporting can be achieved using the self-assessment questionnaires. However, it’s vital to use the right one for each payment channel. We sometimes find clients have been incorrectly told which SAQ to complete by their Acquirer or a third-party company acting on the Acquirers behalf or have selected the wrong one on the list (understandable with 9 to choose from!).
Acquirers often use a process by which the correct SAQ is recommended to you, but this is based on a set of questions and incorrect answers to this, often results in the wrong SAQ being identified. The eligibility criteria within the SAQs (apart from SAQ D and SAQ D for Service Providers) provide the requirements which must be met before an SAQ can be used, again see my full blog for more information.
Incorrectly Completing SAQs
Organisations will often complete the self-assessment questionnaires incorrectly. An essential step is to accurately identify the cardholder data environment (CDE) and the scope for PCI DSS assessment activities for the payment channel. Once done, this will help to determine the correct SAQ and to identify which systems are in scope for the assessment activities. Each SAQ contains an “Expected Testing” column describing what actions should be performed to validate each requirement is in place
An example I often give is with anti-virus (AV). Although AV is not necessarily as effective as it once was, AV is still a requirement of PCI DSS and is security 101 for most organisations. For this reason, organisations will make assumptions that the PCI DSS requirement covering AV is in place and will tick “Yes” for Requirement 5 and all its sub-requirements. It is quite common to find issues with AV deployments that are either not working correctly, the service is no longer starting, or signature updates are not working. It is therefore still crucial that the expected testing is carried out to identify where there may be gaps in these PCI DSS controls which can be fixed before selecting the “Yes” response.
To learn more about how to protect your cardholder data and secure your business, check out our latest eBook.