Firewall PCI – The 5 Reasons Security Teams Fail PCI Audits

Last updated February 15th, 2023 by Maya Malevich

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standards (PCI DSS) compliance – which offers comprehensive standards to enhance payment card data security – is an absolute must. But for most, ensuring continuous compliance (the ongoing monitoring of rules rather than waiting for audits to show non-compliance) with the vast and ever changing set of rules can be a real drain on resources. Automation is key to resolving the problem, but what challenges does it solve and how can it be implemented effectively?

We recently invited a group of industry professionals to join a live webinar to discuss the challenges of PCI audit compliance and automation. You can watch the full version How to pass your audit but here’s a summary:

During the webinar, we carried out a short survey to find out about our respondents’ plans for continuous compliance in the year ahead. 47 percent confessed they had no plans in place for continuous compliance and only 13% had it in place. That’s a huge number considering the penalties incurred for failing to comply. The other 40 percent expressed an interest in achieving continuous compliance this year.

The 5 ‘C’s

Undoubtedly one or all of the following challenges are getting in the way of successful auditing…the five ‘C’s:

Complexity- enterprises have hundreds of firewalls, routers and switches, all with their own complex configurations and thousands of access rules. All have to be tracked and catalogued which makes it almost impossible to comply with all the PCI DSS rules.
Change- hundreds of changes every week amounts to thousands of changes to track from one audit to the next. The combination of rapid change and time pressures mean mistakes happen which can leave businesses wide open.
Connectivity- configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can compromise cardholder data, which can leave businesses compromised until their next audit.
Compliance- audits are time intensive and usually changes are unchecked between audits making the process even more laborious. Yet businesses cannot afford to fail an audit.
Communication- poor communication and a siloed culture of app owners and IT security can mean a comprehensive compliance check between audits is extremely complicated and difficult to manage.

Best practice auditing

These challenges make the cost of auditing and compliance extremely high for business owners like those at Monext. This secure, future-proof payment solutions provider guarantees complete IT security to its customers, so PCI compliance is essential. For this reason, the company carries out an internal audit every 45 days, and reports PCI DSS compliance twice a year.

With two large data centers, 40 Check Point firewalls and more than 850 servers, the Montext rule base had grown to over 70,000 unique firewall rules. The company clearly needed an automated system to analyze its firewall policies, clean them up and ensure optimization. And with Tufin SecureTrack, Montext has since cut its 10-day auditing process by 50 percent.

PCI DSS auditing doesn’t always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process – by slashing time spent on repetitive, manual work so that security teams can focus on strategic tasks such as security architecture, research and education.