Common Mistakes That Cause Businesses to Fail PCI DSS Certification

The PCI DSS (Payment Card Industry Data Security Standard) is the security standard that the major card brands contractually require of every organization that stores, processes, or transmits payment card data. However, many businesses in Vietnam and across the region fail their first assessment because of seemingly simple mistakes. Below are the most common issues that SQC Certification has identified across hundreds of client assessments.



Trend of Businesses Adopting PCI DSS

In 2025, PCI DSS is in practice mandatory for every business processing payment cards in Vietnam, as card payments now account for 42% of e-commerce transactions. Many organizations are moving from self-assessment (SAQ) to a full Report on Compliance (ROC) with an onsite QSA, following Visa Mandate 6.0.

Fintech companies such as MoMo and VNPAY have integrated PCI DSS into DevSecOps workflows, automating tokenization and CI/CD vulnerability scanning, reducing certification timelines to 4–6 months.

Meanwhile, SMEs are increasingly being required by banks to comply with PCI DSS in order to retain their Merchant ID (MID), leading to a 180% increase in consultation registrations in Q3 2025.

Many companies are also migrating their Cardholder Data Environment (CDE) to certified cloud environments such as AWS, Azure, and Viettel IDC, helping reduce compliance costs by 40–60%.

PCI DSS v4.0 (published in March 2022, with the clarifying v4.0.1 revision in June 2024) introduces 64 new requirements; 51 of them were future-dated and became mandatory on 31 March 2025. The changes focus on:

  • Multi-Factor Authentication (MFA) for all access into the CDE (Requirement 8.4.2)
  • Monitoring of user activity through automated audit-log review (Requirement 10.4.1.1)
  • Third-party service provider (TPSP) risk management (Requirements 12.8 and 12.9)

These changes are reshaping the payment security landscape. Organizations that adopt early, integrate deeply, and automate extensively not only avoid the non-compliance fines that card brands levy on acquiring banks and pass on to merchants (which can reach USD 100,000 per month) but also strengthen brand credibility and expand international partnerships.


Common Mistakes Businesses Make When Implementing PCI DSS

When organizations begin the PCI DSS certification process, especially in the early stages, many common mistakes can lead to failed certification or remediation requirements. Below are the most frequent issues, categorized according to PCI DSS v4.0 requirement groups.

1. Weak Network and System Management

Organizations often fail to maintain their firewalls properly: rule sets are not reviewed at least every six months (Requirement 1.2.7), there is no change management for rule changes (1.2.2), and traffic with no documented business need is still allowed into the CDE (1.3.1).

Another common issue is the lack of proper network segmentation: the Cardholder Data Environment (CDE) is not separated from the corporate or guest networks. Segmentation is not itself a PCI DSS requirement, but without it the whole network is in scope, and when segmentation is used to reduce scope it must be validated by penetration testing at least once every 12 months (11.4.5), or every six months for service providers (11.4.6).

In addition:

  • Vulnerability scans are not conducted regularly.
  • Scans are run as a paper exercise, with no remediation of the findings.
  • Critical vulnerabilities are not patched in a timely manner.
2. Inadequate Access Control

Poor access control undermines every other control in the CDE.

For example, shared accounts are still widely used, making it impossible to attribute an action to an individual; if card data is stolen, there is no way to tell who did it or whether the account was misused. PCI DSS v4.0 allows shared, group, or generic accounts only on an exception basis, with documented justification and individual accountability preserved (Requirement 8.2.2).

Other common issues include:

  • Failure to apply the Least Privilege principle, granting permissions beyond job requirements (7.2.2).
  • No Multi-Factor Authentication (MFA) for sensitive systems.
  • Access rights not revoked when employees leave the company or change roles (8.2.5).

To comply with PCI DSS access control requirements, organizations should:

  • Eliminate shared accounts; each user must have an individual account. Where a shared account is unavoidable, manage it through Privileged Access Management (PAM) so that every check-out of the credential is attributed to a named person.
  • Implement Role-Based Access Control (RBAC) and review all user accounts and their privileges at least every six months (7.2.4).
  • Enable MFA for all non-console access into the CDE (8.4.2), for all administrative access (8.4.1), and for all remote access from outside the network, including VPN (8.4.3).
  • Disable accounts immediately when employees leave (8.2.5) and remove or disable accounts that have been inactive for more than 90 days (8.2.6).
3. Weak Password and Authentication Management

Many organizations fail to change vendor default passwords on systems and devices (Requirement 2.2.2), including network devices, POS terminals, and database accounts.

Additionally, password policies often fail to meet PCI DSS requirements regarding:

  • Minimum length
  • Complexity
  • Change frequency

Another common gap is the lack of periodic password audits.

To resolve weak password management, organizations should:

  • Change all default passwords on devices, applications, and operating systems before they go into production, and disable default accounts that are not needed.
  • Enforce a password policy that at least meets Requirement 8.3.6: a minimum of 12 characters (8 only where the system cannot support 12) containing both letters and numbers. Requiring mixed case and special characters is stricter than the standard and acceptable. Where a password is the only authentication factor, change it at least every 90 days (8.3.9); where MFA is in place, v4.0 permits a longer lifetime if the security posture of accounts is dynamically analyzed.
  • Regularly check for weak or compromised passwords and require an immediate change when one is found.
4. Lack of Security Policies and Procedures

Many organizations lack formal security policies and operational procedures.

Examples include:

  • An information security policy that is not reviewed and updated at least once every 12 months (Requirement 12.1.2).
  • Employees not receiving PCI DSS security awareness training at hire and at least annually (12.6.3).
  • No Incident Response Plan (IRP), or a plan that is never exercised (12.10.1, 12.10.2).

To address these issues, organizations should:

  • Develop the information security policy and review it at least annually, recording each review.
  • Provide security awareness training related to PCI DSS at hire and annually, and keep attendance records as evidence.
  • Establish an Incident Response Plan (IRP) and test it at least once every 12 months, keeping the exercise reports.

5. Ineffective Vulnerability and Patch Management

Many organizations do not implement effective vulnerability management or patch management processes.

Typical problems include:

  • Critical and high-risk security patches not applied within one month of release (Requirement 6.3.3).
  • Internal and external vulnerability scans not conducted at least once every three months (11.3.1, 11.3.2).
  • High or critical vulnerabilities still open when the assessment starts, with no passing rescan.

To address this issue:

  • Apply critical and high-risk patches within one month, and all other patches on a schedule set by the organization's risk analysis.
  • Run authenticated internal scans every three months (11.3.1) and external scans every three months through a PCI SSC Approved Scanning Vendor (ASV) (11.3.2), and rescan after any significant change (11.3.1.3, 11.3.2.1).
  • Remediate high and critical findings and keep the passing rescan reports for all four quarters as evidence; the assessor will ask for them.
6. Inadequate Monitoring and Logging

Insufficient monitoring and logging is one of the most frequent causes of failed assessments, because the assessor expects evidence that logs were reviewed, not just that they exist.

Typical issues include:

  • No centralized log collection, so audit logs stay on individual hosts where they can be altered or lost (Requirement 10.3).
  • Logs not retained for the required 12 months, with at least the most recent three months immediately available for analysis (10.5.1).
  • No daily review of logs for security events, and no follow-up on exceptions (10.4.1, 10.4.3).

To resolve this issue, organizations should:

  • Deploy a SIEM or similar centralized log platform; since 31 March 2025, v4.0 requires automated mechanisms for log review (10.4.1.1).
  • Retain logs for at least 12 months, with the last three months online.
  • Review logs daily for CDE components and critical systems, record the review, and document the remediation of each exception.
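
The daily review described above has to produce findings, not just a tick in a checklist. The following is an added example written for this page, not SQC's tooling or any SIEM vendor's: it runs three checks over constructed sshd-style lines from a hypothetical CDE jump host (repeated failures reaching the lockout limit of Requirement 8.3.4, a successful login from a source that already hit that limit, and any interactive login with a generic account). The 30-minute counting window is an assumption; the standard sets the attempt limit, not the window.

```python
"""Daily review of sshd logs from a CDE jump host (PCI DSS v4.0 Req 10.4.1).

Added example for this page; the log lines are constructed, and the detection
thresholds below are the standard's lockout limit plus an assumed time window.
"""
import re
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 10  # Req 8.3.4: lock the user ID after at most 10 invalid attempts
WINDOW_MINUTES = 30     # assumed window for counting attempts (not from the standard)
GENERIC_ACCOUNTS = {"root", "admin", "administrator"}  # no individual accountability (8.2.2)

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def build_sample_log():
    """Constructed sshd-style lines for one day; not real log data."""
    lines = [
        f"2025-10-01T02:11:{5 + i:02d} cde-jump sshd[811]: Failed password for root "
        f"from 203.0.113.7 port {51022 + i} ssh2"
        for i in range(12)
    ]
    lines += [
        "2025-10-01T02:13:40 cde-jump sshd[820]: Accepted password for root from 203.0.113.7 port 51100 ssh2",
        "2025-10-01T08:02:13 cde-jump sshd[900]: Accepted publickey for nguyen.a from 10.20.0.15 port 40100 ssh2",
        "2025-10-01T08:07:52 cde-jump sshd[903]: Failed password for tran.b from 10.20.0.22 port 40210 ssh2",
        "2025-10-01T08:08:01 cde-jump sshd[903]: Accepted publickey for tran.b from 10.20.0.22 port 40210 ssh2",
    ]
    return lines


def review_log(lines):
    """Return the exceptions a reviewer must follow up (Req 10.4.3), in log order."""
    failures = defaultdict(list)  # (source IP, user) -> timestamps of recent failures
    findings = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            key = (m["src"], m["user"])
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= WINDOW_MINUTES * 60]
            recent.append(ts)
            failures[key] = recent
            # Report once, at the moment the lockout threshold is reached.
            if len(recent) == LOCKOUT_THRESHOLD:
                findings.append({"type": "brute_force", "user": m["user"], "src": m["src"], "ts": m["ts"]})
            continue
        m = ACCEPT_RE.match(line)
        if m:
            key = (m["src"], m["user"])
            if len(failures.get(key, [])) >= LOCKOUT_THRESHOLD:
                # A success after the threshold means lockout did not work or was bypassed.
                findings.append({"type": "login_after_lockout_threshold", "user": m["user"], "src": m["src"], "ts": m["ts"]})
            if m["user"] in GENERIC_ACCOUNTS:
                findings.append({"type": "generic_account_login", "user": m["user"], "src": m["src"], "ts": m["ts"]})
    return findings


if __name__ == "__main__":
    for f in review_log(build_sample_log()):
        print(f"{f['ts']} {f['type']:30} user={f['user']} src={f['src']}")
```

On the sample, the script raises one brute-force finding at the tenth failure, then two findings on the subsequent root login (a success after the threshold, and use of a generic account). Each finding is something the reviewer has to close out and document; the single failed attempt by tran.b followed by a key-based login is normal and produces nothing.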

7. Failure to Change Passwords Every 90 Days (Requirement 8.2.4 in v3.2.1, now 8.3.9 in v4.0)

Many organizations fail to enforce periodic password changes where the password is the only authentication factor; the standard expects a change at least every 90 days.

Some companies even use shared administrator accounts whose password has not changed for years. This is a finding under Requirement 8 (8.2.2 for the shared account, 8.3.9 for the unchanged password), and a single "Not in Place" on a required control makes the whole Report on Compliance non-compliant.

Remediation:
Enforce a maximum password age of 90 days through Active Directory Group Policy (the "Maximum password age" setting under Account Policies) or a PAM solution that rotates privileged credentials automatically. If MFA is enforced on every account, v4.0 allows a longer lifetime when the security posture of accounts is dynamically analyzed (8.3.9), but the 90-day change remains the simplest control to evidence.
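
The account checks from sections 2, 3 and 7 (terminated users, shared accounts, inactive accounts, and password age on password-only accounts) can be run as one script against a directory export before the assessor asks for the same evidence. The following is an added example written for this page, not SQC's tooling or any directory vendor's: it assumes a CSV export with the columns shown (the rows are a constructed sample, not real accounts) and applies the 90-day thresholds that v4.0 sets in 8.2.6 and 8.3.9.

```python
"""Review a directory export for PCI DSS v4.0 Requirement 8 findings.

Added example for this page; the CSV columns and the sample rows below are
assumptions, not a vendor export format or real accounts.
"""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2025, 10, 1)  # the day the review runs (constructed)
INACTIVE_DAYS = 90               # Req 8.2.6: inactive accounts removed/disabled within 90 days
PASSWORD_MAX_AGE = 90            # Req 8.3.9: change at least every 90 days if password is the only factor

# Constructed sample export. "owner" lists the person(s) accountable for the
# account; more than one owner means the credential is shared.
SAMPLE_EXPORT = """\
username,owner,enabled,last_logon,password_set,mfa,employment
nguyen.a,Nguyen A,true,2025-09-28,2025-08-15,true,active
admin_shared,Nguyen A;Tran B,true,2025-09-30,2022-01-10,false,active
tran.b,Tran B,true,2025-05-01,2025-09-01,true,active
le.c,Le C,true,2025-09-20,2025-06-01,false,terminated
pham.d,Pham D,false,2025-01-02,2025-01-02,true,terminated
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].lower() == "true"
        row["mfa"] = row["mfa"].lower() == "true"
        row["last_logon"] = datetime.strptime(row["last_logon"], "%Y-%m-%d").date()
        row["password_set"] = datetime.strptime(row["password_set"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def review_accounts(rows, today=REVIEW_DATE):
    """Return {username: [finding, ...]} for enabled accounts that breach a rule.

    Disabled accounts are skipped: 8.2.5 and 8.2.6 are satisfied once the
    account can no longer be used.
    """
    findings = {}
    for r in rows:
        if not r["enabled"]:
            continue
        issues = []
        if r["employment"] == "terminated":
            issues.append("terminated user still enabled (8.2.5)")
        if ";" in r["owner"]:
            issues.append("shared account with no individual accountability (8.2.2)")
        if (today - r["last_logon"]).days > INACTIVE_DAYS:
            issues.append("no logon for more than 90 days (8.2.6)")
        if not r["mfa"] and (today - r["password_set"]).days > PASSWORD_MAX_AGE:
            issues.append("password older than 90 days and it is the only factor (8.3.9)")
        if issues:
            findings[r["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(parse_export(SAMPLE_EXPORT)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

The password-age check is deliberately skipped for accounts with MFA, mirroring the v4.0 wording that 8.3.9 applies only where the password is the sole factor; if the organization chooses to rotate every password regardless, drop the `not r["mfa"]` condition. Running the review on a schedule and keeping its output is also the evidence for the six-monthly access review in 7.2.4.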

8. Insecure Application Development

During application development, many organizations fail to build security into the process.

Examples include:

  • Not following a Secure Software Development Lifecycle (Requirement 6.2.1).
  • Not performing security testing of bespoke and custom software, such as code review before release, SAST, or DAST (6.2.3, 6.2.4).
  • Storing cardholder data directly in source code or configuration files, including "test" card numbers committed to repositories, which brings the repository and its build systems into scope.

These issues can lead to PCI DSS certification failure.

To address this problem, organizations should:

  • Implement Secure SDLC practices throughout the development lifecycle, with developers trained in secure coding at least once every 12 months (6.2.2).
  • Conduct security testing before release and on a regular basis using code review, SAST, and DAST.
  • Never store cardholder data in code or configuration files. Where PAN must be stored, render it unreadable with tokenization or strong cryptography (3.5.1), and never store sensitive authentication data (full track data, card verification code, PIN) after authorization (3.3.1).
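
A cheap way to enforce the last point is a pre-commit check that refuses any file containing a Luhn-valid card number. The following is an added example written for this page, not code from SQC or any scanning product: it finds 13 to 19 digit candidates (with optional space or dash separators), keeps only those that pass the Luhn check, and reports them masked to the BIN and last four digits, which is all that Requirement 3.4.1 permits to be displayed. The configuration snippet is constructed; the two card numbers in it are the well-known 4111... and 5500... test numbers, not real cards.

```python
"""Scan source and configuration text for primary account numbers (PANs).

Added example for this page, suitable as a pre-commit check; the sample
configuration below is constructed and the card numbers are the well-known
4111... and 5500... test numbers, not real cards.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# adjacent to other digits (so a 20-digit build ID is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")

SAMPLE_CONFIG = """\
# constructed application.properties snippet, not a real system
db.url=jdbc:postgresql://10.20.0.5:5432/payments
test.card=4111111111111111
legacy.note=customer 5500 0000 0000 0004 complained about a duplicate charge
build.id=20251001123456
timeout.ms=1000
"""


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Mask to BIN and last four, the most v4.0 allows when displaying a PAN (3.4.1)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return [(line number, masked PAN)] for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_CONFIG):
        print(f"line {lineno}: possible PAN {masked}")
```

On the sample the scanner reports lines 3 and 4 and ignores the 14-digit build ID, which fails Luhn. Luhn still lets through roughly one in ten random digit strings of the right length, so treat a hit as something to inspect rather than an automatic incident; the important property for a pre-commit hook is that the full PAN is never written to the hook's own output or logs, which is why only the masked form is returned.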

Conclusion

Many businesses fail PCI DSS certification due to basic yet critical mistakes, including:

  • Shared accounts
  • Excessive privilege access
  • Lack of MFA
  • Weak password management
  • Failure to implement secure SDLC
  • Poor vulnerability and patch management
  • Inadequate monitoring and logging

Additionally, the absence of security policies, operational procedures, and employee training makes it difficult for organizations to meet PCI DSS’s strict requirements.

Identifying and addressing these weaknesses early is essential for achieving compliance and ensuring the secure protection of cardholder data.