Why Companies Fail PCI DSS Assessments and What to Do About It presented at ISSA 2019

by Miguel O. Villegas

Summary: Having performed hundreds of PCI DSS assessments as a PCI QSA (Qualified Security Assessor) and signed just as many Attestations of Compliance (AOCs), we have identified common reasons why companies fail PCI DSS assessments. Some are technical in nature, but a significant number of them come down to the ever-present question of scope. All of these affect the effectiveness of controls, but what suffers most is the clock. Every PCI DSS assessment has a deadline, and with VISA's mandate that service providers have the Report of Compliance (ROC) completed and the AOC submitted a month before the due date for listing in the Visa Global Registry of Service Providers, the PCI DSS assessment needs more attention than in the past.

This session will cover the top reasons why companies fail PCI DSS assessments. We will cover technical challenges, scope questions, delays in evidence gathering, review of control effectiveness, and AOC submissions. We will also cover a recommended approach to maintaining compliance through the next annual PCI DSS assessment. This session assumes participants have a working knowledge of the PCI DSS assessment process.