PCI DSS: 15 Common PCI Compliance Gaps

Common PCI compliance gaps? You bet! We can identify 15 of them.

The need for enhanced security becomes more obvious every day. As the security landscape changes, the threats to our sensitive data become more serious, and as a result, the controls we put in place have had to become stronger. New data breaches appear in the headlines with increasing regularity, and many of the criminals behind them specifically target cardholder data.

The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and keep this sensitive data uncompromised. PCI DSS applies to all organizations or merchants that accept, transmit, or store any cardholder data.

Full compliance with the new requirements of the revised standard, PCI DSS v3.0, became mandatory on January 1, 2015. The new version of the standard places a strong focus on the greater risk areas in the threat environment, on a greater understanding of the purpose of each requirement and how to apply it, on increased clarity of the requirements, and on alignment with changes in industry best practices.

As a PCI Qualified Security Assessor (QSA) firm, we find that obtaining and maintaining a compliant PCI environment is challenging. We surveyed our QSA team, and the most common PCI gaps reported, by far, were:

  • Poorly managed firewalls
  • Inadequate policies and procedures
  • Lack of documented system configuration standards
  • No penetration testing and/or vulnerability scanning
  • No formal, annual Risk Assessment is performed
  • Inadequate encryption key management
  • Undocumented application development standards
  • No formal Security Awareness Training program
  • Audit and security event logs are not enabled or monitored
  • File integrity monitoring is not performed
  • Background checks are not performed
  • Data flow of sensitive data is not documented
  • Incident response plans are not developed
  • Insecure remote access without two-factor authentication
  • Open wireless networks

Compliance does not guarantee security, but a secure environment is a compliant environment. After you’ve checked for these 15 common PCI gaps, perform a Gap Analysis to determine the steps you need to take in order to reach your information security and compliance goals based on the current state of your organization’s security controls.

For more information about PCI Compliance or for help in performing a Gap Analysis or Self-Assessment, contact me at s.morris@kirkpatrickprice.com.

Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.