Top Failing SAQ Sections

Find out the top 10 areas where SecurityMetrics merchant customers struggled to become PCI compliant.

2023 Top 10 Failing SAQ Sections

Top 10 Failing PCI Compliance SAQ Requirements: The top areas merchants struggle with meeting PCI DSS requirements

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.10.1: Create an incident response plan to be implemented in the event of a system breach.
  3. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  4. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  5. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  6. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  7. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  8. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  9. Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data that they possess or impact the security of the cardholder data environment.
  10. Requirement 12.8.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.

Takeaways

Unfortunately, 2022 showed significant decreases in compliance levels when compared to previous years.

None of the investigated breached organizations in 2022 were found to be compliant with PCI DSS. Furthermore, in nearly every case, the vulnerabilities that attackers leveraged to gain access to merchant systems were covered by specific sections of the PCI DSS.

Had the organization been compliant with those sections of the PCI DSS, the breach likely would not have occurred.

2022 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  3. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  4. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  5. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  6. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.

Download: Top PCI SAQ Failures Infographic

We scanned our merchant database in search of the top 10 areas where SecurityMetrics merchant customers struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  3. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  4. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  5. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  6. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.

Takeaways

Unfortunately, 2020 showed significant decreases in compliance levels when compared to previous years.

None of the investigated breached organizations in 2020 were found to be compliant with PCI DSS. Furthermore, in nearly every case, the vulnerabilities that attackers leveraged to gain access to merchant systems were covered by specific sections of the PCI DSS.

Had the organization been compliant with those sections of the PCI DSS, the breach likely would not have occurred.

Top 10 PCI SAQ Failures

2020 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  3. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  4. Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  5. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  6. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  8. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  9. Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
  10. Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.

2019 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:

  1. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  2. Requirement 12.6.1: Educate personnel upon hire and at least annually.
  3. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  4. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  5. Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
  6. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  7. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  8. Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  9. Requirement 12.3.5: [Verify that the usage policies define] acceptable uses of the technology.
  10. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

2018 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. These are the results:

  1. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  2. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  3. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  4. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  5. Requirement 12.6: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  6. Requirement 9.9.2.B: Verify that personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering.
  7. Requirement 9.9.2.A: Verify that documented processes include procedures for inspecting devices and frequency of inspections.
  8. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  9. Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  10. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

2017 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. These are the results:

  1. Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
  2. Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  3. Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  4. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  5. Requirement 12.6: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  6. Requirement 9.9.2.B: Verify that personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering.
  7. Requirement 9.9.2.A: Verify that documented processes include procedures for inspecting devices and frequency of inspections.
  8. Requirement 12.8.4: Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  9. Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  10. Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

2016 Top 10 Failing SAQ Sections

We reviewed our merchant database in search of the top 10 areas where merchants struggle to become compliant. These are the results:

  1. Requirement 12.5.3–12.6.A: Establish, document, and distribute security incident response and escalation procedures, administer user accounts, and monitor/control access to data.
  2. Requirement 12.10.1.A: Verify incident response plan responsibilities, business recovery procedures, data backup processes, and legal requirements for reporting compromises.
  3. Requirement 9.9.2.B: Verify personnel are aware of procedures for inspecting devices and that devices are periodically inspected for evidence of tampering.
  4. Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
  5. Requirement 1.1.3.A: Establish a current diagram that shows all cardholder data flows across systems and networks.
  6. Requirement 9.9.2.A: Verify documented processes include procedures for inspecting devices and frequency of inspections.
  7. Requirement 12.3.3: List devices and personnel with access to data.
  8. Requirement 12.3.5: List acceptable uses of the technology.
  9. Requirement 1.1.1.B: Examine firewall and router configurations to verify inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.
  10. Requirement 1.1.3.B: Ensure a process exists to keep the cardholder diagram current.
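Requirement 1.1.1.B above (and Requirement 1.2.1 in the 2017 and 2018 lists) asks the assessor to examine firewall configurations and confirm that only traffic necessary for the cardholder data environment is allowed and everything else is denied. As an added example, not code from this page or from SecurityMetrics, the following Python check reads an `iptables-save` style dump and reports two common failure modes: a built-in chain whose default policy is not DROP, and an ACCEPT rule that carries no restriction on source, destination, protocol, port, interface or connection state (a catch-all allow). The sample dump, the 203.0.113.x / 10.20.0.0/24 addresses and the `audit_default_deny` name are constructed for illustration.

```python
"""Audit an iptables-save dump for a deny-all firewall posture.

Added example for illustration; not SecurityMetrics' code. The dump below is
constructed and the addresses in it are placeholders.
"""
from dataclasses import dataclass, field

# Constructed sample: INPUT and FORWARD default to DROP, but OUTPUT still
# defaults to ACCEPT and carries a rule that allows all outbound traffic.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# The same ruleset with OUTPUT defaulting to DROP and outbound traffic limited
# to one payment endpoint (placeholder address) on TCP/443.
HARDENED_DUMP = SAMPLE_DUMP.replace(":OUTPUT ACCEPT", ":OUTPUT DROP").replace(
    "-A OUTPUT -j ACCEPT",
    "-A OUTPUT -d 203.0.113.10/32 -p tcp --dport 443 -j ACCEPT",
)

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Options that narrow a rule to specific traffic. An ACCEPT rule using none of
# them matches everything and defeats the deny-all intent of the chain policy.
RESTRICTING_OPTS = {
    "-s", "--source", "-d", "--destination", "-p", "--protocol",
    "--dport", "--sport", "-i", "--in-interface", "-o", "--out-interface",
    "--ctstate", "--state",
}


@dataclass
class AuditResult:
    policies: dict = field(default_factory=dict)   # chain name -> default policy
    findings: list = field(default_factory=list)   # human-readable issues

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_filter_table(dump: str):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):            # "-A CHAIN <matches> -j TARGET"
            rules.append(line.split())
    return policies, rules


def audit_default_deny(dump: str) -> AuditResult:
    """Flag built-in chains that are not default-DROP and catch-all ACCEPT rules."""
    result = AuditResult()
    policies, rules = parse_filter_table(dump)
    result.policies = policies

    for chain in BUILTIN_CHAINS:
        policy = policies.get(chain)
        if policy != "DROP":
            result.findings.append(
                f"{chain}: default policy is {policy or 'missing'}, expected DROP"
            )

    for tokens in rules:
        chain = tokens[1]
        if "-j" in tokens and tokens[tokens.index("-j") + 1] == "ACCEPT":
            if not any(t in RESTRICTING_OPTS for t in tokens):
                result.findings.append(
                    f"{chain}: catch-all ACCEPT rule '{' '.join(tokens)}'"
                )
    return result


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("hardened", HARDENED_DUMP)):
        res = audit_default_deny(dump)
        print(f"[{label}] compliant={res.compliant}")
        for finding in res.findings:
            print("  -", finding)
```

Running the script against the constructed sample reports the ACCEPT default on OUTPUT and the unrestricted `-A OUTPUT -j ACCEPT` rule; the hardened variant passes because every built-in chain defaults to DROP and each ACCEPT rule names the traffic it permits. The check is deliberately conservative: it does not decide whether a restricted rule is actually "necessary for the cardholder data environment", which still needs the documented business justification the requirement calls for.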

Download the latest Guide to PCI Compliance