The reasons why a security audit needs to be implemented to meet PCI-DSS requirements are based on the need to fix weaknesses in the existing infrastructure that many enterprises have. The major weaknesses as defined by VeriSign are:
Wireless Networks — Many businesses implement wireless technologies as a part of their IT strategy. These technologies range from simple Wi-Fi installations to GSM (Global System for Mobile Communications) and other cellular networks to satellite links. Because Wi-Fi vulnerabilities can be used to infiltrate the wired network, Wi-Fi should always be segmented away from wired networks with a firewall, and wireless intrusion detection and prevention systems should be deployed to prevent misuse. All wireless communications should be encrypted, regardless of format. Devices that have wireless capabilities should be appropriately hardened, as attacks on endpoints are increasing. For businesses that are not implementing wireless technology, there is the peril of unauthorized, inexpensive, consumer-grade wireless access points being set up by employees or contractors for their convenience. These do not support the level of security required for compliance.
Unsecured Physical Assets — Unencrypted and/or prohibited data may be stored on laptops, backup tapes, and other media that are prone to loss or theft.
Point-of-Sale (POS) Application Vulnerabilities — Applications may be creating logs that store card track (full magnetic stripe) data. PCI requirements prohibit the storage of this information under any circumstances. Nefarious individuals who are interested in obtaining track data know which applications store this data and where the information is typically stored.
Card Numbers in Public Systems — Smaller merchants typically have their POS systems remotely accessible and connected to the Internet. When these systems are not properly secured, this allows attackers to compromise the sensitive data remotely. POS terminals may be storing credit card numbers in the externally facing perimeter network. In some companies, the POS terminal acts as a card-present terminal that sits directly on the Internet. Because there is no firewall between the system accepting the card-present transaction and the Internet, this arrangement does not comply with PCI requirements (and hackers can easily find credit card data). Frequently, these systems are also storing track data.
Spreadsheets and Microsoft® Office Access™ Databases — Users are likely storing card data in spreadsheets, Access databases, flat files, or other formats that are difficult to control as they are transferred to laptops, desktops, and wireless devices. A key source of PCI audit failure is storing unencrypted data in Microsoft Office Excel spreadsheets and Microsoft Office Access databases.
Poor Identity Management — Users and administrators may not be handling authentication properly. Although password-based authentication is one of the easiest authentication methods to implement, it is also the most prone to compromise, because passwords can be easily shared, stolen, or guessed. Many companies also don’t take advantage of the added security offered by two-factor authentication methods, including tokens or biometrics.
Network Architecture Flaws; Flat Networks — Many businesses did not develop their IT infrastructure with security in mind. They often fail PCI assessment because they have flat (non-partitioned) networks in which credit card systems are not segmented from the rest of the network. The lack of a secure network enclave is a serious issue regardless of PCI implications and can be very difficult to remedy. One of the easiest ways to reduce the impact of PCI on your infrastructure is to segment the card-handling systems away from the corporate network with a firewall.
Lack of Log Monitoring and Intrusion Detection System (IDS) Data; Poor Logging Tools — Without log information, it is difficult to determine whether processes and security systems are working as expected. In addition, insufficient data makes it more difficult to investigate compromises that do occur. For example, if there were no record of the timeframe of a compromise, it would be difficult to determine the number of credit cards exposed during the compromise. California Senate Bill 1386 (SB 1386) has led the way for many states to enact similar laws. Under many of these laws, not knowing which data was compromised will force you to notify every customer you have done business with that their information may have been compromised. (This is called secondary notification.)
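The POS-log and spreadsheet items above both come down to prohibited card data at rest in files nobody meant to protect. As an added example (not from VeriSign or the original article), the following Python scanner shows how an auditor can sweep exported log lines or flat files for Track 1/Track 2 records and bare card numbers, using a Luhn check to cut false positives from timestamps and order ids; the log lines and card numbers are constructed test values.

```python
import re

# Track 2: ';' sentinel, PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d{3}\d*\?")
# Track 1 format B: '%B' sentinel, PAN, '^' cardholder name '^', YYMM expiry, service code, ..., '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})\d{3}[^?]*\?")
# Bare PAN: 13-19 digits, optionally grouped with spaces or hyphens, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most timestamps and order ids that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first six and last four digits, so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked PAN) for every prohibited value found in one line."""
    findings = []
    for kind, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
    # Blank out track records already reported, then look for bare card numbers.
    remainder = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", line))
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings

def scan_log(lines) -> dict:
    """Map 1-based line number to its findings, omitting clean lines."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report

# Constructed sample lines (industry test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-01-15 10:30:01 POS-07 swipe ;4111111111111111=25121011234567890?",
    "2024-01-15 10:30:02 POS-07 auth ok ref=1234567890123456 amount=19.99",
    "2024-01-15 10:31:10 POS-07 swipe %B5555555555554444^DOE/JOHN^2512101123456?",
    "2024-01-15 10:32:44 export customer=8812 card=4012 8888 8888 1881 exp=12/25",
]
```

Line 2 is reported clean because its 16-digit reference number fails the Luhn check; lines 1, 3 and 4 each produce one masked finding.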