1. Not Following Rule Of Least Privilege
According to Leonid Shtilman, CEO of Viewfinity, organizations play fast and loose with their interpretations of PCI 2.2.3, which said they should "Configure system security parameters to prevent misuse." As he put it, organizations have to drill down into user roles in order to ensure that they're following the rule of least privilege wherever PCI regulations apply.
"It is not acceptable to allow any privileged user to have access to all data, rather permissions for server administrators should be granted and/or dropped based upon specific role and responsibility tied directly to the applications and processes for which they require authority in order to fulfill their job requirements," he said. "No more, no less--only the least privileges required."
And yet, that isn't really what's happening at most organizations, said Eric Chiu, president and founder of HyTrust.
"It is not uncommon for many employees at an organization to have access to the data, including those who don't require it to fulfill their job functions," he said.
2. Ignoring Virtualization Compliance
Vidyadhar Phalke, CTO of MetricStream, said that many organizations tend to overlook virtualization compliance, a fact that can cause auditors to see red.
"PCI DSS 2.0 mandates that even if one VM deals with cardholder data, your entire virtual infrastructure must comply with the standard. The challenge is--the wording in PCI DSS on virtualization is vague and it all depends on the interpretation of the auditors," he said. "So organizations need to ensure that they comply with this early on and completely understand the risk and controls in place to avoid last-minute surprises."
3. Failing To Change Vendor Default Configurations
Virtualization particularly throws organizations for a loop when it comes to complying with PCI DSS 2.0 Requirement 2.1, which requires that vendor default passwords and configurations be changed.