While PCI standards are simply worded and provided a good foundation for your governance and risk management strategy, you should be aware of a number of factors that can complicate the road to compliance.
For example, eacy payment card company, while adhering to a core set of standards, has its own particularities in terms of its exact requirements and enforcement mechanisms. These factors must be taken into account as you design your strategy.
To be prepared for the compliance assessment, you must have a certain number of checkpoints in place. You must also be able to demonstrate that you are not keeping data that the PCI standard specifies you are not entitled to keep. For example, full-track data from the magenetic card strip of the card validation number ( CVC, CVV2, CID ) must never be retained.
The requirement to remove data that should not be retained also means wiping inappropriate data from all areas of the data stream. In the United States, using a U.S Department of Defense - approved wiping process satifies this requirement; while in other portions of the world, either the U.S or European Privacy Act wiping process is required. These data stream areas include databases, backup files, transaction logs, application logs, device logs, error logs and reports, network sniffers, and core and memory dumps used for diagnostic purposes.
Avoiding common errors
It can be helpful to know that certain errors are routinely identified in compliance assessments, including the following:
- Storage of prohibited cardholder data
- Use of production careholder data in test environments
- Failure to encrypt the full payment card number
- Lack of network segmentation system that isolates the transaction environment
- Lack of segregation of internal staff duties
- Failure to label cardholder media as confidential