
Payment Card Industry Data Security Standard Audit: A Fire Drill?

Each year, companies face a fire drill when completing their Payment Card Industry Data Security Standard (PCI DSS) audit. On top of the audit itself, they have to complete the quarterly vulnerability scans that PCI DSS requires.

Why Do Companies End Up in Chaos?

The reasons for a PCI compliance fire drill are as follows:

  • First, companies are still compiling cyber risk data by hand into a pile of spreadsheets.
  • Second, many companies do not practice continuous compliance, so the evidence is gathered in one rush before the deadline. Together, these habits produce the fire drill.

Large companies run tens or even hundreds of legacy systems. Those that store, process or transmit cardholder data, including some that hold the company's most valuable information, are in scope for PCI DSS compliance. Each system has its own owner, specialist experts and administrators.

The enterprise security team has to coordinate all of these parties to get vulnerability scans, penetration tests, validation and more completed. Application owners who keep the security department at arm's length make that coordination considerably harder.

Payment transaction security is of immense importance to merchants running a business online. To get top protection from fraud and minimize your chargebacks, consider turning to eMerchantBroker. EMB is voted the #1 high-risk payment processor in the US and has an A+ rating with the BBB.

How the Process Is Tracked

Very often, emails and spreadsheets fly back and forth right up to the reporting deadline. In the best case, the exchange looks something like this:

  1. The vulnerability manager asks the application owner for a time window in which vulnerability scanning and penetration testing can take place.
  2. The application owner provides the window so the manager can schedule the scanning and testing.
  3. The scanning and penetration testing teams do their work and deliver the results to the vulnerability manager.
  4. The vulnerability manager emails the application owner and the technical administrator to tell them which patches or updates are needed.
  5. Emails about when the fixes will be scheduled go back and forth.
  6. The fixes are implemented.
  7. The vulnerability manager is notified that the fixes are in place.

According to some recent discussions in the field, security managers can spend 25% to 40% of their time pulling reports together by hand. Worse, some companies fail to complete the quarterly scanning cycle on time and fill in the gaps with outdated information, so the report no longer reflects the real state of the environment.
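The spreadsheet-and-email loop above breaks down in two places: nobody notices that a system's last passing scan has aged past the quarterly window, and nobody notices that a reported finding has sailed past its fix date. The following is an added example, not code from the article or from any product it mentions, of the minimal tracker a security team might keep instead of the spreadsheet. The scan interval (90 days), the per-severity remediation deadlines, the system names and the scan and finding records are all constructed for illustration; the real deadlines come from your own policy and your acquirer's requirements.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values (illustrative, not taken from the article):
# a passing external scan is treated as current for 90 days, and open
# findings get a fixed number of days to remediate depending on severity.
SCAN_INTERVAL_DAYS = 90
REMEDIATION_DAYS = {"high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class Scan:
    system: str        # in-scope system the scan covered
    scan_date: date
    passed: bool       # True only if the scan produced a passing report


@dataclass(frozen=True)
class Finding:
    system: str
    finding_id: str
    severity: str                      # "high", "medium" or "low"
    opened: date                       # date the owner was told about it (step 4 above)
    fixed_on: Optional[date] = None    # date the fix was confirmed (step 7), if any

    def due(self) -> date:
        """Remediation deadline derived from severity."""
        return self.opened + timedelta(days=REMEDIATION_DAYS[self.severity])


def stale_systems(systems: List[str], scans: List[Scan], as_of: date) -> Dict[str, Optional[int]]:
    """Map each in-scope system with no current passing scan to the age (in days)
    of its last passing scan, or None if it has never passed a scan.
    A failed scan does not reset the clock: only passing results count."""
    last_pass: Dict[str, date] = {}
    for s in scans:
        if s.passed and (s.system not in last_pass or s.scan_date > last_pass[s.system]):
            last_pass[s.system] = s.scan_date
    stale: Dict[str, Optional[int]] = {}
    for system in systems:
        if system not in last_pass:
            stale[system] = None
            continue
        age = (as_of - last_pass[system]).days
        if age > SCAN_INTERVAL_DAYS:
            stale[system] = age
    return stale


def overdue_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings whose deadline has passed, most overdue first."""
    late = [f for f in findings if f.fixed_on is None and as_of > f.due()]
    return sorted(late, key=lambda f: f.due())


def build_report(systems: List[str], scans: List[Scan], findings: List[Finding], as_of: date) -> dict:
    """One status snapshot: what would be a gap in the quarterly evidence today."""
    stale = stale_systems(systems, scans, as_of)
    late = overdue_findings(findings, as_of)
    return {
        "as_of": as_of.isoformat(),
        "stale_scans": stale,
        "overdue_findings": [f.finding_id for f in late],
        "clean": not stale and not late,
    }


# Constructed sample data for a single point in time.
AS_OF = date(2024, 6, 30)
IN_SCOPE = ["cardholder-db", "pos-gateway", "legacy-billing"]
SCANS = [
    Scan("cardholder-db", date(2024, 5, 20), True),   # 41 days old: current
    Scan("pos-gateway", date(2024, 2, 10), True),     # 141 days old: stale
    Scan("pos-gateway", date(2024, 6, 1), False),     # failed scan, does not count
    # legacy-billing has never been scanned at all
]
FINDINGS = [
    Finding("pos-gateway", "F-101", "high", date(2024, 5, 1)),                       # due 2024-05-31, still open
    Finding("cardholder-db", "F-102", "medium", date(2024, 5, 15), date(2024, 6, 10)),  # fixed on time
    Finding("legacy-billing", "F-103", "low", date(2024, 6, 1)),                     # due 2024-08-30, not yet late
]

if __name__ == "__main__":
    for key, value in build_report(IN_SCOPE, SCANS, FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report flags `pos-gateway` (last passing scan 141 days old) and `legacy-billing` (never scanned) as stale, and `F-101` as the only overdue finding. Running this on a schedule, rather than once before the audit, is the smallest possible form of the continuous compliance the article argues for: the gap shows up the day it opens, not the week the report is due.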