The PCI DSS: 5 challenges that merchants face

Even though all merchants and service providers that store, process or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), many do not. There are a number of reasons for this, ranging from a lack of awareness or interest, to the general strain caused by having to comply with a broad range of other standards, laws and regulations.

Still, this doesn’t mean the Standard can simply be ignored – not least because organisations found to be non-compliant could incur heavy fines. To avoid this, organisations need to acknowledge the challenges of complying with the PCI DSS and find a way to overcome them.

With that in mind, we’ve outlined five of the biggest challenges that merchants and service providers face:

  1. Scoping the cardholder data environment correctly

Many merchants lack a definition of the scope of the payment environment for PCI certification. That’s because the range of activities involved in achieving and maintaining compliance with the Standard is so broad. To use PCI compliance as the starting point for a security strategy, it is important to conduct a gap analysis.

  1. Evaluating the extent and complexity of PCI compliance

The Standard has 243 numbered requirements and 330 testing requirements that all merchants must meet. Most organisations that IT Governance supports are categorised as Visa or MasterCard Level 3 or Level 4 for reporting purposes. These organisations typically report their compliance using a self-assessment questionnaire (SAQ).

While the aim of SAQs is to make the process of reporting compliance simpler, we often find that merchants struggle to identify which form to use. They also frequently underestimate which portions of their environment are required to be compliant and how to secure those systems.

    1. Failure to regularly test security systems and processes

Data protection is not just about using encryption, firewalls and antivirus software. It’s also about ongoing scoping, configuration maintenance, identity management, logging, monitoring, scanning and testing.

Many organisations fall out of compliance because they fail to recognise the importance of regular testing. Requirement 11 of the PCI DSS describes the need to carry out regular tests to identify unaddressed security issues and scan for rogue wireless networks.

      1. Logging and auditing system

Requirement 10.6.1, which mandates a daily review of security events and logs (i.e. the accounts of the people and activity associated with an information network), creates several challenges.

Maintaining compliant logging solutions can bring down an organisation’s compliance percentage – whether that’s down to technical, budgetary or human resources restrictions. It also puts additional pressure on those responsible for managing systems that must be logged.

      1. Protecting stored payment card data

Requirement 3 details technical guidelines for protecting stored cardholder data and the requirements for encryption. At a minimum, the Standard requires the primary account number (PAN) to be rendered unreadable anywhere it is stored, including portable digital media, backup media and logs.

However, even with the significant security that encryption provides, it’s not without its technical challenges. Operating system and application vendors haven’t made it easy to implement encryption, especially because of a lack of support for legacy systems.

Manage and reduce your payment card risk

If you would like to learn how to manage and reduce your payment card risk, don’t miss out on our PCI DSS webinar series. This series will help support organisations in their PCI DSS projects.



  1. James 15th November 2017
    • Luke Irwin 16th November 2017
  2. Chris 21st November 2017