As a veteran PCI QSA with years of experience performing PCI DSS engagements, I've put together my top ten (10) list of challenges that companies consistently face in complying with the Payment Card Industry Data Security Standard (PCI DSS). The list is a mix of technical and operational constraints and roadblocks that seem to surface on every on-site assessment I've conducted over the years. With that said, let's take a look at these items along with some general recommendations for removing or mitigating them:
1. Provisioning, hardening, securing and locking down all in-scope "system components" - For Requirement 2, every network device (e.g., routers, firewalls, switches), operating system and other internal supporting host (the OS, applications, databases, etc.) that is considered in scope must go through a comprehensive process of secure provisioning and hardening, including changing all vendor-supplied defaults (default passwords, SNMP community strings and similar) before the component is placed on the network. This requires a substantial amount of work, AND it must be documented accordingly for audit evidence. It can pose significant operational constraints, as many of these internal systems have never been adequately hardened in accordance with PCI DSS requirements. My advice? Adopt an industry-accepted hardening standard for each class of system component (Requirement 2.2 names CIS, ISO, SANS and NIST as acceptable sources) and cross-check the resulting configuration against Requirement 2 to ensure every mandate is met.
2. Anti-virus - Requirement 5 calls for anti-virus software on all systems commonly affected by malware, kept current, actively running and generating audit logs, so organizations should either move to a centrally managed, enterprise-wide AV platform or put protocols in place whereby every workstation and laptop runs the most current, updated version of anti-virus. I've found over the years that many small and medium-sized businesses seem to ignore the fundamental importance of anti-virus protection, as witnessed by employees using a wide variety of products, many of which have not been updated to the most current version, and some users running no anti-virus software at all. Viruses and other malware are serious threats to any organization, so take this requirement to heart and implement a strong, formalized AV platform throughout your network.
3. Two-factor authentication - Requirement 8 (specifically 8.3) mandates that organizations "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties". Remember, two-factor authentication means two (2) of the three (3) factors must be met: (1) something you know, such as a password or PIN; (2) something you have, such as a hardware token, smart card or a one-time code generated on a device; (3) something you are, such as a fingerprint. This does not mean (and I'm asked this all the time!) that using two different passwords at two different levels is two-factor authentication. The answer is NO: that is a single factor used twice, and it will NOT suffice for PCI DSS compliance. Additionally, I'm often asked which specific employees must use two-factor. This question often arises from the general vagueness of the requirement itself as written in the PCI DSS standard. With that said, my stance as a PCI QSA is the following: any user who, from outside the network, uses, interacts with or relies on a system component within the scope of the cardholder data environment, where that component processes, stores or transmits cardholder data, must authenticate with two factors. The point is to cast a wide net over all users who have an actual or even potential possibility of interacting with systems in the cardholder data environment. (Note that later versions of the standard go further: from PCI DSS v3.2 onward, Requirement 8.3 requires multi-factor authentication for all non-console administrative access into the CDE as well as for all remote access to the CDE.) And lastly, there are a number of reputable vendors that provide two-factor solutions at very reasonable rates. Please email me at firstname.lastname@example.org and I'll be more than happy to share those with you.
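The "something you have" factor in item 3 is, in most remote-access deployments, a one-time code derived from a secret provisioned onto a device the user carries. The following is an added example written for this page, not the author's code and not taken from any vendor product: an HOTP/TOTP implementation plus the server-side verifier that a practitioner actually needs, tolerating clock drift, comparing in constant time and refusing to accept a code twice. The secret and codes used for checking are the published RFC 4226/6238 test vectors; the class and function names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): what a "something you have" factor proves.

Added example for item 3 above; editor-written code, not the author's and not
any vendor's product. The secret, times and codes used for checking are the
published RFC test vectors (ASCII secret "12345678901234567890").
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits  (RFC 4226, section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, floor(unix_time / step))  (RFC 6238, section 4)."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, t // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret that authenticator apps are provisioned with.
    Provisioning QR codes omit the '=' padding, so restore it before decoding."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server-side check for one user's token (hypothetical class name).

    - accepts the current step or +-`window` neighbouring steps (clock drift)
    - compares every candidate slot in constant time, without early exit
    - never accepts a step at or before the last accepted one, so a code
      captured over the wire cannot be replayed within its validity window
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1          # persist this per user in production

    def verify(self, candidate: str, for_time=None) -> bool:
        if not candidate.isdigit():
            return False                # reject junk before comparing
        t = int(time.time()) if for_time is None else int(for_time)
        counter = t // self.step
        matched = None
        for offset in range(-self.window, self.window + 1):
            c = counter + offset
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                matched = c
        if matched is None or matched <= self.last_counter:
            return False                # wrong code, or a reused/older step
        self.last_counter = matched
        return True


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"
    print("HOTP counter 0:       ", hotp(rfc_secret, 0))               # 755224 (RFC 4226)
    print("TOTP @59s, 8 digits:  ", totp(rfc_secret, 59, digits=8))    # 94287082 (RFC 6238)
    v = TotpVerifier(rfc_secret)
    print("first use accepted:   ", v.verify(totp(rfc_secret, 59), for_time=59))
    print("replay accepted:      ", v.verify(totp(rfc_secret, 59), for_time=59))
```

The replay check is the part most home-grown verifiers forget: within a 30-second step (and the drift window on either side) a code that an attacker phished or sniffed is still valid unless the server remembers the last counter it accepted. A real deployment stores `last_counter` per user and, of course, still requires the password as the "something you know" factor alongside this one.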
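Returning to item 1 (Requirement 2): hardening only counts if it is applied consistently and can be evidenced, and the cheapest evidence is a repeatable check of the live configuration against the chosen baseline. Below is an added example, not the author's code, of that kind of cross-check: it parses the global section of an OpenSSH `sshd_config` and reports every deviation from a small baseline. The baseline values are this example's assumptions modelled on CIS-style SSH guidance, not PCI DSS text, and both configurations are constructed for the example.

```python
"""Audit the global section of an sshd_config against a small hardening baseline.

Added example for item 1 above (Requirement 2); editor-written, not the author's.
The baseline values are this example's assumptions in the spirit of CIS-style
SSH recommendations; they are not text from PCI DSS, which only requires that an
industry-accepted standard be chosen, applied and documented.
"""

# Directive -> acceptable values (lower-case). Assumed baseline, see docstring.
BASELINE_EXACT = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
# Directive -> numeric upper bound. Assumed baseline, see docstring.
BASELINE_MAX = {
    "maxauthtries": 4,
    "logingracetime": 60,
}


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lower: value} for the global section.

    Mirrors sshd's own rules: blank lines and lines starting with '#' are
    comments, 'Keyword value' and 'Keyword=value' both work, and when a keyword
    repeats the FIRST occurrence wins. Parsing stops at the first 'Match' line
    because directives after it are conditional, not global.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, value)
    return cfg


def audit_sshd(text: str) -> list:
    """Return a list of findings; an empty list means the config meets the baseline."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE_EXACT.items():
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly (compiled-in default applies; "
                            f"set it so the evidence is unambiguous)")
        elif value.lower() not in allowed:
            findings.append(f"{key}: '{value}' but baseline allows {sorted(allowed)}")
    for key, limit in BASELINE_MAX.items():
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly (baseline maximum is {limit})")
        elif not value.isdigit() or int(value) > limit:
            findings.append(f"{key}: '{value}' exceeds baseline maximum {limit}")
    return findings


# Constructed sample: a freshly provisioned host with vendor defaults left in place.
VENDOR_DEFAULT_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
LoginGraceTime 120
"""

# Constructed sample: the same host after hardening. The Match block at the end
# is deliberately permissive to show that it does not affect the global audit.
HARDENED_CONFIG = """\
# sshd_config after hardening (constructed for this example)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LoginGraceTime 60
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("vendor default", VENDOR_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` from each in-scope host (or, better, against `sshd -T` output, which prints the effective values including compiled-in defaults) and keep the dated output with the change ticket; that is the sort of artifact that turns "we hardened it" into audit evidence. The same pattern, a parser plus a baseline table, extends to SNMP, database and router configurations.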