The top mistake made by organisations when implementing the Payment Card Industry Data Security Standard (PCI DSS)...
is poor network segmentation, according to Verizon Business Security Solutions' principal security architect Michael Nott.
Smaller organisations are often unaware processing transactions on their office networks brings the entire LAN under scope for PCI assessment, he says. "In a lot of cases they don't understand that they should be isolating their production environments from their office network," he told SearchSecurity.com.au. "If you can segment your ... corporate office from your production server ... then PCI only applies to your production environment."
Other common problems include some organisations failing to realise they can't store historical information - such as card numbers - in their databases since the PCI standard came into effect. Access control can also be an issue, Nott says. "They need to have lockdown on production systems and the separation of duties so you can't have one person able to maliciously create a piece of code and roll it up into production without someone reviewing it."
In some circumstances, however, it makes sense for organisations to allow their entire office network to be assessed as in-scope. Those logging in to an in-scope environment from an out-of-scope system must use two factor authentication, Nott says, which might not be practical in some environments, like callcentres. "It really is case by case," he added.