PCI compliance is a vital step in creating trust between an organisation and its partners, and success in this realm can really boost customer confidence in a company. However, this can be a particularly tricky road to navigate. According to the 2015 Verizon PCI Compliance Report, only 29% of companies successfully maintained full compliance during their last annual audit.

Businesses need to put in place a third-party assurance programme that outlines clear policies and procedures, to ensure that customer card data and systems are fully protected at all times and in a compliant manner. So what are the challenges facing organisations striving for continued PCI compliance?

Separation of duties 

Complications around PCI compliance can occur if there is some overlap in access between departments within an organisation. Separation of duties (SoD) is a key concept in the protection of payment data, and helps ensure no person acting alone can compromise security controls. For example, just as you wouldn’t want someone being able to request and approve a purchase order, it is important that the individual responsible for designing and implementing security does not have access to the same information as the person responsible for the development, operation and testing of security.

To ensure payment data is being accessed in a compliant manner, an organisation should be regulating who has access to what. Compliance can fail if so called ‘super-users’ have too much access. In the event where an admin account exists that is able to access everything – steps must be taken to ensure you know exactly who has access to it and when, or why, they are using it. 

System access controls

An organisation can be found to be non-compliant if controls around its operating systems aren’t set properly, causing directories of customer payment details to be opened too wide. If a user opens something they aren't supposed to then there are methods you can undertake to figure out who it was and where they are. This requires complete visibility in real-time to see when sensitive files or applications are opened. Separation of Duties (SoD) and role-based access can help organisations to control and prevent excessive access to sensitive information by assigning access to appropriate applications. Where companies have a high volumes of users with varying degrees of access, it’s vital to establish regulatory requirements for access. 

Terminated staff or consultants still have access

Terminated staff can be a predominant issue in many security breaches, and can be a particular pitfall where PCI compliance is concerned. Terminated payment accounts, if not taken care of, can provide an easy access route for keen hackers. During one infamous hack in the US, Walmart was caught out because it wasn’t monitoring for remote access to terminated accounts from abroad, and led to many MoneyCard customers becoming the victim of false payments. Understanding who has access to private financial data, such as card numbers, and managing the timeliness of access termination is critical. 

Security systems and processes not tested frequently enough

Real time visibility into your systems can help you see when things are disrupted in your system, however, it's still not enough. Organisations need to continuously test and audit their systems to confirm that all processes are working correctly and that no malware, bugs, or other vulnerabilities are in existence.