PCI's Post-Audit Pain Points

Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished

Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.

For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.

"Log management, while necessary, has turned out to be the biggest issue for us," says Atwell, who is based in North Carolina. "Partnering with a good vendor helps, but when you're starting from scratch, it's a big project."

Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company's UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.

"Database encryption is turning out to be a huge project in itself," Minhas says. "A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It's a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions."

But for the vast majority of security pros surveyed by CSOonline in recent weeks, the biggest problem is upper management.

The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.

"Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year," says David Glosser, network security administrator for a company in New York City. "There's a perception that PCI-compliant shops are perfect."

The upper management problem

Others polled by CSOonline reported running into the same wall Glosser spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica, says he has seen the problem up close.

Stories by Bill Brenner
