Common QSA Findings and How to Prevent Them

PCI DSS QSA assessments reveal patterns in compliance failures. Certain findings appear consistently across organizations, industries, and geographies. Understanding the most common findings — and what prevents them — is the most efficient way to prioritize your compliance program investments.

 

The 15 Most Common PCI DSS Findings

Finding 1 — Inadequate or Untested Network Segmentation (Req 1)

Organizations claim network segmentation for scope reduction but have not verified it is effective. QSAs test segmentation by attempting to communicate from out-of-scope systems to in-scope CDE systems. Porous segmentation — VLANs without ACLs, security groups with overly broad rules, or management interfaces accessible from non-CDE networks — fails this test. Prevention: Conduct internal segmentation testing before the QSA assessment; use a dedicated test environment to verify isolation.

 

Finding 2 — Outdated or Undocumented Firewall Rules (Req 1)

Firewall rulesets that have grown over years contain rules that no longer serve a business purpose, have no documented justification, or allow traffic that should be blocked. Prevention: Implement a formal change management process for all firewall rule changes; document business justification at rule creation; conduct the required six-month rule review.

 

Finding 3 — Systems Not Meeting Hardening Standards (Req 2)

Configuration drift — systems that were initially hardened but have since had unnecessary services re-enabled, software installed, or configurations changed through unmanaged change — is pervasive. Prevention: Use configuration management tools (Ansible, Puppet, Chef) to enforce and verify hardening; conduct regular compliance scanning against CIS Benchmarks.

 

Finding 4 — PAN Found in Unexpected Locations (Req 3)

PANs appear in log files (debug logging), development databases seeded with production data, spreadsheets on shared drives, email attachments, and backup files. Prevention: Conduct regular data discovery scans searching for PAN patterns in all CDE and adjacent systems.

 

KEY IDEA: The most unexpected PAN storage location we consistently find in PCI DSS gap assessments is application log files. A developer enables verbose logging during a production incident and forgets to disable it. The logs capture full request and response bodies — including PANs. Log masking at the application level (ensuring PANs are never written to logs in any format) is a critical preventive control.
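As an added illustration of the data discovery scans (Finding 4) and the application-level log masking in the key idea above, written for this article rather than taken from Bitlion or the original page, the following Python scans constructed log lines for Luhn-valid PAN candidates and masks them before they reach a log; the candidate pattern, the mask format and the sample lines are assumptions to tune for your own environment.

```python
import re
from typing import Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
# (an assumption about the formats worth scanning for; widen it for your CDE).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match: re.Match) -> Optional[str]:
    """Digits of a regex hit if it is a plausible, Luhn-valid PAN, else None."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text: str) -> list:
    """Data discovery: every Luhn-valid PAN found in text, digits only."""
    return [d for d in map(_digits, PAN_CANDIDATE.finditer(text)) if d]


def mask_pans(text: str) -> str:
    """Log masking: keep only the last four digits of each PAN found."""
    def _mask(m: re.Match) -> str:
        d = _digits(m)
        return m.group(0) if d is None else "*" * (len(d) - 4) + d[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample log lines (industry test PANs, not real card numbers).
# The 13-digit order id and the 16-digit session id are not Luhn-valid and
# show why the Luhn check matters for false positives in discovery scans.
SAMPLE_LOG = """2024-01-01T12:34:56 INFO order=ORD-2024010112345 status=ok
2024-01-01T12:35:01 DEBUG request body: {"pan": "4111 1111 1111 1111", "exp": "12/29"}
2024-01-01T12:35:02 DEBUG response: {"pan": "5555555555554444", "auth": "approved"}
2024-01-01T12:35:03 INFO session=1234567890123456 user=alice
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(mask_pans(SAMPLE_LOG))
```

Run the discovery function over exported log files, shared-drive spreadsheets and database dumps, and call the masking function in the logging path so the DEBUG lines above never carry a full PAN.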

 

Finding 5 — TLS 1.0 or SSL Enabled on CDE Systems (Req 4)

Legacy applications, monitoring agents, or management interfaces still support deprecated TLS/SSL versions. Prevention: Scan all CDE system ports for TLS/SSL version support using tools like testssl.sh or Qualys SSL Labs; disable TLS 1.0 and SSL at both the application and OS layers.

 

Finding 6 — Missing MFA Coverage (Req 8)

Under v4.0, MFA gaps that were acceptable under v3.2.1 are now findings. Common gaps: MFA for VPN only but not for SSH to CDE servers, MFA not enforced for internal admin access, service accounts without MFA protection. Prevention: Inventory all access paths into the CDE; verify MFA is enforced on every path without exception.

 

Finding 7 — No Access Review Records (Req 7)

Access reviews are required quarterly but organizations either don't conduct them or don't document the results in a form the QSA can verify. Prevention: Build access review tooling that generates printable/exportable review completion records with manager signatures and dates.

 

Finding 8 — Failed or Missing ASV Scan History (Req 11)

Organizations that do not have 4 passing ASV scan reports covering the 12-month assessment period cannot demonstrate ongoing compliance with Requirement 11. Prevention: Schedule all 4 quarterly scans at the beginning of each compliance year; do not wait until a scan fails to begin remediation.

 

Finding 9 — Penetration Test Scope Too Narrow (Req 11)

Penetration tests that cover only external-facing systems, use only automated scanners, or do not include application-layer testing are insufficient. Prevention: Require penetration test RFPs to specify: external network test, internal network test, application layer test, segmentation verification, and manual exploitation attempts.

 

Finding 10 — Log Review Not Daily (Req 10)

Logs are collected but not reviewed daily. Organizations that have no SIEM or automated alerting rely on manual log reviews that are not actually performed daily. Prevention: Implement SIEM with automated alerting; document daily review with analyst sign-off records.

 

Finding 11 — Missing Vendor AoCs (Req 12)

Organizations have not verified that their third-party service providers with CDE access are PCI DSS compliant. Prevention: Build an annual vendor compliance verification process; obtain an AoC from every TPSP with CDE access; document the review in the vendor management register.

 

Finding 12 — Policies Approved but Not Communicated (Req 12)

Policies exist on paper but employees have never received them, been trained on them, or acknowledged reading them. Prevention: Include policy distribution and acknowledgment in the annual security training program; track completion with digital records.

 

Finding 13 — No Incident Response Test (Req 12)

The incident response plan has never been tested. Prevention: Conduct an annual tabletop exercise simulating a card data breach; document the exercise, findings, and any plan updates.

 

Finding 14 — JavaScript Not Inventoried on Payment Pages (Req 6.4.3 — v4.0)

E-commerce merchants have not inventoried and authorized all scripts loaded on payment pages. Prevention: Conduct a technical review of all scripts (using browser developer tools and subresource inspection) loaded on all payment pages; create an authorized script inventory.
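An added example, not code from the original article, of the technical script review and authorized inventory described under Finding 14: the Python below parses a constructed payment page, inventories every script (external scripts by source URL, inline scripts by a hash of their body), and reports anything not covered by the authorized inventory, so a new third-party host or a modified inline script shows up; the page, hosts and inventory are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

def inline_hash(body: str) -> str:
    """Identifier for an inline script: SHA-256 of its trimmed body."""
    return "sha256:" + hashlib.sha256(body.strip().encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src URL, inline ones by body hash."""
    def __init__(self):
        super().__init__()
        self.scripts = []      # [(kind, src-or-hash), ...] in page order
        self._buf = None       # inline body being captured, or None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.scripts.append(("external", src))
        elif tag == "script":
            self._buf = []     # start capturing the inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", inline_hash("".join(self._buf))))
            self._buf = None

def inventory(html: str) -> list:
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts

def unauthorized(html: str, hosts: set, inline: set) -> list:
    """Scripts not in the authorized inventory: external by host, inline by hash,
    so a new third-party host or a modified inline script is reported."""
    def covered(kind, ident):
        if kind == "external":
            return (urlsplit(ident).netloc or "same-origin") in hosts
        return ident in inline
    return [(k, i) for k, i in inventory(html) if not covered(k, i)]

# Constructed payment page and authorized inventory (hypothetical hosts).
PAYMENT_PAGE = """<html><head><script src="https://js.example-psp.test/v3/checkout.js"></script>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://cdn.unknown-thirdparty.test/tag.js"></script></head><body></body></html>"""
AUTHORIZED_HOSTS = {"js.example-psp.test", "same-origin"}
AUTHORIZED_INLINE = {inline_hash("window.dataLayer = [];")}
```

Run it against the served HTML of every payment page on a schedule and treat any non-empty result as a change to investigate and either authorize or remove.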

 

Finding 15 — Targeted Risk Analysis Not Documented (Req 12.3.2 — v4.0)

The 13 sub-requirements requiring a Targeted Risk Analysis have not been addressed. Prevention: Create a TRA template and complete one TRA for each of the 13 applicable sub-requirements; review annually.

 

Prevention Summary

Finding Area                 | Primary Prevention Control                          | Responsible Team
---------------------------- | --------------------------------------------------- | --------------------------------------
Network segmentation         | Annual segmentation testing; infrastructure as code | Network / Infrastructure team
Firewall rules               | Change management process; six-month rule review    | Network Security / Security Operations
System hardening             | Configuration management tooling; drift detection   | Systems / DevOps team
PAN in unexpected locations  | Quarterly data discovery scans                      | Security / DBA team
ASV scan history             | Four quarterly scans scheduled at year start        | Security / Compliance team
Access reviews               | Automated tooling; quarterly reminders to managers  | IAM / Security team
Vendor compliance            | Annual vendor AoC collection process                | Compliance / Legal team

 

The highest-return prevention investment for most organizations is a pre-assessment readiness review conducted 90 days before QSA fieldwork begins. For organizations conducting their first PCI DSS assessment, Bitlion's readiness reviews consistently identify 10–20 findings — almost all of which can be remediated before fieldwork starts, saving significant assessment rework cost.