Scope: The PCI DSS standard defines the scope of the cardholder data environment (CDE) as all of the systems, people, processes and technologies that handle cardholder data; yet, many retailers fail to properly scope their environments, meaning that critical systems, such as domain controllers, key management systems, firewalls and numerous other systems are often left out of the scope. MSSPs can help to inventory those systems and include them in the scope, preventing compliance failures.

Patching: One of the most critical elements for maintaining compliance involves keeping systems in the scope patched. The latest PCI DSS requirement 6 outlines the need to patch systems on a regular basis. Additionally, it specifies that critical security patches must be installed within a month of their release. Here, as part of the scoping process, MSSPs can identify critical systems and take on the role of patch management to ensure that all systems are patched properly.

Access Audits: PCI DSS requirement 8 outlines how to secure access to cardholder data, specifically requiring two-factor authentication for remote access to all in-scope systems. Many organizations fail to audit remote access to verify that the controls are working as expected. Here, MSSPs can head up those audits and validate that the systems are compliant.

Monitor and Review Audit Logs: PCI DSS requirement 10 covers all of the implementation details for logging and log monitoring within the CDE; however, many organizations fail to adhere to the requirement properly, rendering those logs worthless. MSSPs can institute the processes needed to review those logs and automate the analysis to discover errors and anomalies that might signal a threat, before any damage occurs.

Limit Third Party Access: Third-party vendors often request access to the CDE for numerous and legitimate reasons, such as troubleshooting systems and posting updates; however, many retailers often forget to audit and then turn that access off, leaving a potential backdoor into the CDE. MSSPs can institute systems that monitor and limit third-party access to contain those threats.

Change Default Passwords: Many systems within the CDE come predefined with default settings, passwords and so forth; for example, Wi-Fi access points are normally preconfigured and have default authentication turned on. Many retailers forget to change default configurations, leaving the CDE open to threats. MSSPs can locate those systems and ensure that proper passwords and security are enabled.

Storing Sensitive Data: PCI DSS mandates the protection of Sensitive Authentication Data (SAD) which is comprised of full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more. Some retailers falsely believe that they must store all SAD for situations such as recurring billing. SAD is one of the biggest targets for cybercriminals, and MSSPs can help reduce exposure by implementing a third-party credit card vault and tokenization provider, which replaces SAD with a token during billing and payment authorization procedures.