“Did We Fall Out of Compliance?”

February 12, 2015 • Category: PCI 101

“Ask the QSA”

Question: We achieved our SAQ-D in August 2014. We just had some quarterly scans executed and need to remediate two vulnerabilities. Are we now not PCI compliant because some vulnerabilities came up and we are resolving them?

Answer: PCI compliance is structured around a series of controls that are purposely integrated so that maintaining compliance is a continual process. If you fail a control during the year between assessments, you are still compliant with PCI requirements as long as you detect the vulnerability, respond to it, and improve your processes so that the likelihood of it recurring is reduced. If you do not respond to and remediate those vulnerabilities, you would then be in non-compliance with PCI requirements.

In your circumstance: organizations discover failing vulnerabilities quite often, for a wide variety of reasons. As long as you identify the vulnerabilities in a timely manner (which you have), remediate them (which you say you are doing), and put measures in place to prevent those vulnerabilities from resurfacing (as far as possible), then you are still in compliance with PCI. You will need to perform another scan to confirm that the findings have indeed been closed, and to use as evidence for your 2015 compliance initiative.

Subscribe to this blog for additional payment security tips.

2 thoughts on "Did We Fall Out of Compliance?"

  1. Hi!
    We have a subsidiary company which is located in a different place and on separate networks. Do we have to go through PCI-DSS compliance together? Is it mandatory to do it together?

  2. If the subsidiary is under the same merchant ID as the primary company, then it would be necessary to include the subsidiary in the overall PCI compliance effort. If it is not, then you can assess and submit evidence of compliance separately; however, sometimes it is easier or simpler to assess both at the same time, especially if they share processes, documentation, resources, etc. If you need to use a third-party assessor as well, then they may also provide a cost reduction if you include the subsidiary when they are pricing the work.