Top 9 Vulnerabilities for PCI Compliance

Most PCI compliance audits turn up many vulnerabilities; these nine are among the most common and costly risks, and they are the ones to address first.

Storage of full track, CVV2, and PIN block credit card data

You know the little number on the back of your credit card?  Well, the bad guys would sure like to know it.  A merchant needs your 16-digit card number and expiration date to process your purchase, but under no circumstances may full track data, the CVV2, or the PIN block be stored.  In many cases this happens accidentally, through poorly written or out-of-date point-of-sale software.  Quick Tip:  Audit the card data you must store (or better yet, find a way to never store this information at all).
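The audit in that Quick Tip starts with finding out where card data is actually sitting. The following scanner is an added example written for this post, not code from the original article or from any PCI tool: it walks a text file line by line, flags anything shaped like track 2 data, and flags digit runs that pass the Luhn check (so order numbers and phone numbers are mostly ignored). The sample log is constructed, using the well-known Visa test number; findings are masked to first-six/last-four so the report does not itself become another copy of cardholder data.

```python
import re

# Constructed sample: the kind of debug/transaction log a point-of-sale
# system might leave on disk. The card number is the well-known Visa test
# number, not a real account; the order and phone numbers are made up.
SAMPLE_TEXT = """\
2024-01-05 10:22:13 sale ok pan=4111111111111111 exp=1227
2024-01-05 10:22:14 debug track2=;4111111111111111=1227101?
2024-01-05 10:22:15 order 1234567890123456 shipped
2024-01-05 10:22:16 phone 5551234567 called back
"""

# 13-19 digit runs, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 shape: ';' PAN '=' YYMM ... '?'. Any hit is a finding on its own,
# because track data may never be stored, whatever the PAN's validity.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\??")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style truncation: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Scan text line by line; return (line_no, kind, masked_pan) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            findings.append((line_no, "track2", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "pan", mask(digits)))
    return findings


if __name__ == "__main__":
    for line_no, kind, masked in find_card_data(SAMPLE_TEXT):
        print(f"line {line_no}: {kind} {masked}")
```

Run it over exported logs, database dumps and application directories; every hit is either a storage location that needs protecting or, for track data, one that needs to be eliminated. The Luhn check is a filter against noise, not proof: a POS system that stores encrypted or tokenised values will not show up here, and that is the point of tokenising.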

Vendor default accounts and passwords

Hardware and software typically come with a default password; the classics include Admin/Password and cisco/cisco.  Audit all of your network devices and systems and ensure you have a strong password set at all times.

Insecure remote access by software vendors

While remote access is a necessary tool for supporting and running your IT shop, it is also a common target for the bad guys.  Ensure SSL or other encryption is turned on, and set VERY strong passwords for any remote access software.  It also helps to lock users out for a period of time after several bad password attempts, so that nobody can guess your password with a brute-force password-cracking tool.

Compatibility issues with anti-virus and encryption

Tools like anti-virus and encryption are strong – when they are set up correctly and kept up to date.  Double-check that these tools are working as planned before someone else notices that they aren't.

Poorly coded web-facing applications prone to SQL injection attacks

Writing software is tricky business, and developers who are not trained in secure methods can leave rather large holes in your software.  Talk to your team about what training they have gone through, and organize lunch-and-learn events if you have an in-house development team.  If you only use vendor-supplied software, ask the vendor to provide evidence that they understand secure coding principles and practices.
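The hole this item refers to is easiest to see side by side. The snippet below is an added example for this post, not code from the original article or from any vendor: the same login check written once by pasting user input into the SQL string and once with a parameterised query. The table and the users in it are constructed, and passwords are stored in clear only to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows. Passwords are in clear
    only to keep the example short; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query built by string formatting: whatever the user types is parsed
    as part of the SQL statement, so quotes and keywords change its logic."""
    sql = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the values as data, so the
    statement's structure is fixed before any user input is seen."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the textbook test input for this weakness
    print("string-built query, no valid credentials:", login_vulnerable(db, "x", tautology))
    print("parameterised query, same input:          ", login_safe(db, "x", tautology))
```

When reviewing code or a vendor's evidence, the thing to look for is the second shape everywhere a query touches user input; an ORM or prepared statement does the binding for you, but only if nobody has "helpfully" built part of the query with string concatenation.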

Ineffective Patch Management

You know why Grandma's computer runs so slow and has all of those pop-ups and browser plugins?  I'm 99.998% certain it's because she's running an old version of Windows that hasn't been patched... ever.  Next time you're over for a visit, do her a favor and help her get up to speed.  If you run an IT organization, make certain all of your devices have an automated patch management tool in place.  Most operating systems have a way to turn this on, so you don't have to worry every time a Microsoft patch comes out; oh, the joys of Patch Tuesday.

No Security Scanning

The bad guys are always scanning your network for vulnerabilities, and so should you.  There are free tools available from vendors like Qualys and eEye.

Weak Network Security

When was the last time you audited your external firewall rules?  You should know which ports and applications you allow in, and be sure there are no any/any rules that render your firewall useless.
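An audit like that is worth scripting so it can be repeated. The checker below is an added example for this post, not code from the original article or from any firewall vendor. It works on a hypothetical, simplified "action proto src dst port" notation (real vendor syntax differs, so the parser is the part you would replace), flags any permit that is any/any/any, flags permits that expose every port of a host to any source, and notes a ruleset that lacks a final deny. The ruleset is constructed from documentation address ranges.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed ruleset in a simplified "action proto src dst port" notation.
# The notation is hypothetical (each vendor has its own syntax); the
# addresses come from the documentation ranges.
SAMPLE_RULES = """\
# inbound policy, evaluated top to bottom, first match wins
permit tcp any 203.0.113.10/32 443
permit tcp 198.51.100.0/24 203.0.113.20/32 22
permit ip any any any
deny ip any any any
"""


@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text: str) -> List[Rule]:
    """Turn the simplified notation into Rule objects, skipping comments."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {line_no}: expected 5 fields, got {len(fields)}")
        action, proto, src, dst, port = fields
        rules.append(Rule(line_no, action.lower(), proto.lower(), src, dst, port))
    return rules


def audit_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, reason) for rules that defeat the purpose of the firewall.

    Line 0 is used for findings about the ruleset as a whole.
    """
    findings = []
    rules = parse_rules(text)
    for r in rules:
        if r.action != "permit":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.line_no, "any/any permit: allows all inbound traffic"))
        elif r.src == "any" and r.port == "any":
            findings.append((r.line_no, f"every port of {r.dst} open to any source"))
    if not rules or rules[-1].action != "deny":
        findings.append((0, "no explicit final deny rule"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_rules(SAMPLE_RULES):
        print(f"line {line_no}: {reason}")
```

In the sample the any/any permit sits above the final deny, which is the usual way such rules end up: added "temporarily" during troubleshooting, then forgotten. Keeping a dated export of the ruleset and diffing it at each audit catches that pattern.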

Lack of Real-Time Monitoring

Stopping bad events is the best idea, but don't you at least want to know what happened, and the extent of the damage, if an incident does occur?  Without monitoring tools you can be left with no idea how to fix your problems or how much theft occurred.  If you are on a shoestring budget you can set up syslog to capture log events in a central place, and if you have a moderate budget I'd recommend a fantastic tool called Splunk.
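Once syslog is centralised, the cheapest useful thing to run over it is the lockout logic from the remote-access item above, applied as a detection: count failed logins per source inside a sliding window, raise an alert at the threshold, and raise a louder one if the same source then logs in successfully. The detector below is an added example for this post, not code from the original article, from Splunk or from any syslog product. The log lines are constructed in OpenSSH's sshd message format with made-up hosts and documentation-range addresses; the five-failures-in-five-minutes threshold is an assumed policy, not one the post states.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: OpenSSH-style sshd messages as they would arrive at a
# central syslog host. Hosts and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Jan  5 10:20:01 pos01 sshd[812]: Failed password for admin from 198.51.100.7 port 4011 ssh2
Jan  5 10:20:03 pos01 sshd[812]: Failed password for admin from 198.51.100.7 port 4012 ssh2
Jan  5 10:20:04 pos01 sshd[812]: Failed password for root from 198.51.100.7 port 4013 ssh2
Jan  5 10:20:06 pos01 sshd[812]: Failed password for admin from 198.51.100.7 port 4014 ssh2
Jan  5 10:20:07 pos01 sshd[812]: Failed password for admin from 198.51.100.7 port 4015 ssh2
Jan  5 10:20:09 pos01 sshd[813]: Accepted password for admin from 198.51.100.7 port 4016 ssh2
Jan  5 10:25:00 pos02 sshd[901]: Failed password for clerk from 192.0.2.15 port 5100 ssh2
Jan  5 10:31:00 pos02 sshd[902]: Accepted password for clerk from 192.0.2.15 port 5101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, str]]:
    """Return (timestamp, host, outcome, user, source), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; strptime defaults to 1900,
    # which is fine for the relative comparisons below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host"), m.group("outcome"), m.group("user"), m.group("src")


def detect_brute_force(text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Sliding-window failed-login detector (assumed policy: 5 failures in 5 min).

    Returns (source, alert, HH:MM:SS) tuples: 'threshold' when a source reaches
    `threshold` failures inside `window`, and 'success-after-threshold' when the
    same source later logs in successfully, the line an analyst most wants to see.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    over_threshold = set()
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, _host, outcome, _user, src = ev
        if outcome == "Failed":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in over_threshold:
                over_threshold.add(src)
                alerts.append((src, "threshold", ts.strftime("%H:%M:%S")))
        elif src in over_threshold:
            alerts.append((src, "success-after-threshold", ts.strftime("%H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for src, alert, when in detect_brute_force(SAMPLE_LOG):
        print(f"{when} {src}: {alert}")
```

The single failure from the second workstation never alerts, which is the behaviour you want from a threshold rule; the interesting output is the success from a source that had just been over the threshold. In Splunk or any other SIEM the same logic is a saved search, but it is the same logic, and having the logs in one place is what makes it possible at all.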
