If your website processes credit card data, PCI DSS v3.2 compliance needs to be a top priority. The standard sets out the security-related requirements that companies processing credit card data must have in place. It exists to keep customers' cardholder data secure and to help prevent payment card fraud.
Unfortunately, statistical data shows that almost 80% of companies fail interim PCI compliance assessments. Don't add to that 80%: take a look at the five common PCI DSS v3.2 mistakes companies make when attempting to obtain compliance.
1. Not using firewalls
One of the most common PCI DSS 3.2 compliance mistakes is not using firewalls at all, or not using them to correctly restrict the CDE (Cardholder Data Environment). A correctly configured firewall is your first line of defense against unauthorized access. A firewall security audit or rule review helps here, and a penetration test will identify whether any services are exposed through an incorrectly configured firewall.
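The kind of check a firewall rule review looks for, as an added example that is not part of the original article: a small Python audit over a constructed, first-match rule set that flags allow rules reaching the CDE from any source, allow rules letting the CDE reach any destination, allow rules open on every port, and a rule set that does not end in an explicit deny-all. The CDE subnet, the rules and the finding names are all constructed for the example; a real review takes the rule set from the firewall and the CDE definition from the network diagram.

```python
import ipaddress

# Constructed example: the CDE is a single subnet. A real review takes this
# from the documented network diagram, not from a guess.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed rule set in first-match order: (source, destination, port, action).
# "any" means all addresses or all ports. All addresses here are IPv4.
RULES = [
    ("203.0.113.0/24", "10.20.0.10/32", 443, "allow"),  # partner API into one CDE host
    ("0.0.0.0/0", "10.20.0.0/24", 22, "allow"),         # SSH into the CDE from anywhere
    ("10.20.0.0/24", "any", "any", "allow"),            # CDE may reach anything on any port
    ("10.30.0.0/24", "10.20.0.0/24", 5432, "allow"),    # corporate subnet to the CDE database
    ("any", "any", "any", "deny"),                      # explicit deny-all
]


def _net(value):
    """Turn "any" or a CIDR string into an ip_network object."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)


def _is_any(net):
    """True for the 0.0.0.0/0 catch-all."""
    return net.prefixlen == 0


def _touches_cde(net, cde_networks):
    """True if the address range overlaps any CDE subnet."""
    return any(net.overlaps(cde) for cde in cde_networks)


def audit_rules(rules, cde_networks=CDE_NETWORKS):
    """Return (rule_index, finding) pairs for rules that over-expose the CDE."""
    findings = []
    if not rules:
        return [(-1, "empty rule set: nothing is restricted")]
    for idx, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        src_net, dst_net = _net(src), _net(dst)
        inbound = _touches_cde(dst_net, cde_networks)   # traffic lands in the CDE
        outbound = _touches_cde(src_net, cde_networks)  # traffic leaves the CDE
        if inbound and _is_any(src_net):
            findings.append((idx, "inbound to CDE from any source"))
        if outbound and _is_any(dst_net):
            findings.append((idx, "outbound from CDE to any destination"))
        if port == "any" and (inbound or outbound):
            findings.append((idx, "allow on all ports touching the CDE"))
    # A rule set must end with a deny-all so unmatched traffic is dropped.
    last_src, last_dst, _, last_action = rules[-1]
    if not (last_action == "deny" and _is_any(_net(last_src)) and _is_any(_net(last_dst))):
        findings.append((len(rules) - 1, "rule set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_rules(RULES):
        print(f"rule {idx}: {finding}")
```

Run against the constructed rules it reports rule 1 (SSH from anywhere) and rule 2 twice (any destination, any port). A check like this only reads the rule set; the penetration test mentioned above is still needed to confirm what is actually reachable once NAT, routing and host firewalls are taken into account.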
2. Storing cardholder data as plain text
Protecting stored cardholder data is one of the essential PCI compliance requirements. Rather than storing the data as plain text, encrypt all stored cardholder data, and keep the encryption keys in as few locations as possible. In addition, make sure you store only the data you actually require: the less cardholder data held in your database, the less can be stolen in the event of a breach.
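Two practical sides of this requirement, as an added example that is not from the original article: finding card numbers that have leaked into plain-text storage such as logs (a Luhn-validated scanner), and reducing what a record keeps to a masked form, the last four digits and a keyed one-way token instead of the full PAN, with the CVV dropped entirely. The log line, the record and the HMAC key are constructed for the example; in a real system the key comes from an HSM or key management service and is never stored beside the data.

```python
import hmac
import hashlib
import re

# Constructed demo key. In production the key lives in an HSM or key
# management service, in as few places as possible, never next to the data.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# A simple heuristic; real scanners also handle other separators and encodings.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample data: an application log line and a stored order record.
SAMPLE_LOG = "order=1234567890123456 customer=42 card=4111 1111 1111 1111 cvv=123"
SAMPLE_RECORD = {"order": "1234567890123456", "pan": "4111 1111 1111 1111",
                 "expiry": "12/29", "cvv": "123"}


def luhn_valid(digits):
    """Mod-10 (Luhn) checksum used by payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card-number-shaped strings found in text (digits only)."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Display form: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan, key=DEMO_KEY):
    """Keyed one-way hash of the full PAN, so records can be matched without storing it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimise_record(record, key=DEMO_KEY):
    """Keep only what the business needs: last four digits and a token.

    The full PAN is replaced by the token and the CVV is dropped, since sensitive
    authentication data must not be stored after authorisation.
    """
    pan = re.sub(r"[ -]", "", record["pan"])
    kept = {k: v for k, v in record.items() if k not in ("pan", "cvv")}
    kept["pan_last4"] = pan[-4:]
    kept["pan_token"] = tokenize_pan(pan, key)
    return kept


if __name__ == "__main__":
    print("PANs found in log:", find_pans(SAMPLE_LOG))
    print("masked:", mask_pan("4111111111111111"))
    print("stored record:", minimise_record(SAMPLE_RECORD))
```

The scanner ignores the 16-digit order number because it fails the Luhn check, and reports only the real test card number. Where the full PAN genuinely must be kept, it goes through strong encryption rather than a token, but the same rule applies: the fewer places the data and the keys exist, the less there is to steal.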
3. Not testing security systems on a regular basis
To maintain the security of your software and systems, security systems need to be tested on a regular basis. This ensures that development work or changes have not introduced new vulnerabilities, and keeps your systems protected against emerging threats. Regular testing also helps you identify new vulnerabilities before your company suffers a security breach.
4. Investing effort, time, and money in the wrong place
To make the best use of your security budget, make sure your security team invests its effort and time where it will have the biggest impact on security. Review all the options carefully before committing to a particular one, and if needed hire an expert to confirm that you are making the right choice.
5. Not making security a priority across the entire company
Lastly, consistent and strong security governance is vital for achieving and maintaining PCI compliance. Getting senior executives on board with security best practices sets a positive precedent and raises company-wide awareness of the importance of security. As a result, PCI standards become integrated with normal business practices.