PCI DSS: Practical Scenarios
Practical Scenarios
Scenario 1: E-commerce Checkout Integration
Question: We’re building an e-commerce site. How should we handle card payments?
Analysis:
- Best approach: Use a PCI-compliant payment processor with hosted payment pages or iframes
- Benefit: Card data never touches your servers → dramatically reduces PCI scope
- Still required: SAQ A or SAQ A-EP depending on integration type
- Key point: If the card number never enters your environment, you’re not storing, processing, or transmitting CHD
Recommendation:
- Use redirect-based checkout (Stripe Checkout, PayPal) = SAQ A (simplest)
- Use embedded iframe from processor = SAQ A-EP (more control, more requirements)
- Accept cards directly on your server = Full SAQ D (avoid if possible)
Scenario 2: Storing Cards for Recurring Billing
Question: We need to store cards for subscription billing. What’s required?
Analysis:
-
Option 1: Use payment processor’s vault (recommended)
- Processor stores full PAN
- You receive a token
- Token is not considered cardholder data
- Minimal PCI scope
-
Option 2: Store cards yourself (not recommended)
- Full PCI DSS compliance required
- Encryption with strong cryptography (AES-256)
- Key management procedures
- Access controls
- Regular vulnerability scans
Key requirement: Never store CVV/CVC regardless of approach. CVV cannot be stored after authorization, period.
Scenario 3: Call Center Taking Card Payments
Question: Our support team takes card payments over the phone. What do we need?
Analysis:
- Scope: Call center systems and personnel are in PCI scope
- Key requirements:
- Train all staff on secure handling procedures
- No recording of CVV (pause recording during payment)
- Secure workstations (firewalls, anti-malware)
- No writing down card numbers
- Clean desk policies
Technical controls:
- Use a hosted payment page even for phone orders (agent reads URL to customer)
- Or use DTMF (phone keypad) capture to keep cards off agent systems
- Implement call recording masking for payment portions
Scenario 4: Vulnerability Scan Failures
Question: Our quarterly ASV scan failed. What do we do?
Analysis:
- Step 1: Review scan report for vulnerabilities scored CVSS 4.0+
- Step 2: Prioritize by severity (critical/high first)
- Step 3: Remediate vulnerabilities (patch, configure, remove)
- Step 4: Request rescan from ASV
- Step 5: Repeat until passing
Key points:
- External scans must be performed by PCI SSC Approved Scanning Vendor
- Internal scans can be performed by qualified internal staff
- Both are required quarterly AND after significant changes
- A “passing” scan has no vulnerabilities rated CVSS 4.0 or higher
Scenario 5: Third-Party Service Provider Compliance
Question: We use AWS/Stripe/payment gateway. How do we verify their compliance?
Analysis:
- Step 1: Request their Attestation of Compliance (AOC)
- Step 2: Verify it’s current (within last year)
- Step 3: Review which PCI DSS requirements they cover
- Step 4: Document in responsibility matrix
Requirements:
- Maintain list of all service providers with CHD access
- Written agreement acknowledging their responsibility
- Annual review of their compliance status
- Clear responsibility matrix showing who handles what
Note: Their compliance doesn’t transfer to you. You’re responsible for requirements they don’t cover.
Scenario 6: Incident Response — Suspected Breach
Question: We suspect cardholder data may have been compromised. What do we do?
Immediate actions:
- Contain — Isolate affected systems without destroying evidence
- Preserve — Secure logs and forensic evidence
- Assess — Determine scope and data affected
- Notify:
- Internal incident response team
- Payment brands (Visa, Mastercard have specific procedures)
- Acquirer/payment processor
- Legal counsel
- Law enforcement if required
- Affected individuals per applicable laws
Key requirement: You must have an incident response plan tested annually. Don’t wait for an incident to create one.
Scenario 7: Remote Worker Access to CDE
Question: Employees need to access payment systems from home. What’s required?
Analysis:
- MFA required: All remote access to CDE must use multi-factor authentication
- Personal firewall: Required on all remote devices
- Cannot be disabled: Firewall must be active and users can’t turn it off
- Strong authentication: 12+ character passwords (or 8+ with MFA)
Additional controls:
- VPN or secure remote access solution
- Session timeout (15 minutes idle)
- No split tunneling if possible
- Monitor and log all remote access
- Ensure personal devices meet security requirements
Scenario 8: Penetration Testing Requirements
Question: What penetration testing do we need for PCI compliance?
Analysis:
| Test Type | Frequency | Who Performs |
|---|---|---|
| External penetration test | Annually + after changes | Qualified internal or external |
| Internal penetration test | Annually + after changes | Qualified internal or external |
| Segmentation validation | Annually (6 months for SPs) | Penetration tester |
Methodology requirements:
- Follow industry-accepted methodology (PTES, OWASP, NIST)
- Test network layer AND application layer
- Document all findings
- Remediate discovered vulnerabilities
- Retest after remediation
Service providers: Segmentation testing every 6 months, not annually.
Scenario 9: Log Retention and Review
Question: How long do we need to keep security logs and how often to review them?
Analysis:
Retention:
| Period | Requirement |
|---|---|
| Online/immediately available | At least 3 months |
| Total retention | At least 12 months |
| Retrievable for analysis | Within reasonable timeframe |
Review:
| Log Type | Review Frequency |
|---|---|
| Security events | Daily |
| Critical system logs | Daily |
| All other logs | Periodically based on risk |
| Anomalies | Follow up immediately |
What must be logged:
- All user access to cardholder data
- All admin actions
- Access to audit logs
- Invalid authentication attempts
- Changes to user accounts
- Initialization/stopping of audit logs
Scenario 10: Wireless Network in Payment Environment
Question: We want to use WiFi in our store where we process payments. What’s required?
Analysis:
- Strong encryption required: WPA2/WPA3 Enterprise (no WEP, no WPA1)
- Change all defaults: SSID, keys, admin passwords
- Quarterly scans: Detect unauthorized wireless access points
- Segment: Wireless network should be segmented from CDE if possible
Key requirements:
| Control | Requirement |
|---|---|
| Encryption | WPA2 or WPA3 Enterprise |
| Authentication | 802.1X or strong pre-shared key |
| Default passwords | Changed |
| Default SSID | Changed |
| Rogue AP detection | Quarterly scans minimum |
Recommendation: Keep payment terminals on wired connections where possible. If wireless is required, use dedicated, segmented wireless network for payment devices only.
Scenario Summary Table
| Scenario | Key Requirement | Risk Level |
|---|---|---|
| E-commerce integration | Use hosted payments to minimize scope | Medium |
| Recurring billing | Use processor vault, never store CVV | High |
| Call center payments | Train staff, mask recordings | Medium |
| Failed ASV scan | Remediate and rescan until passing | High |
| Third-party providers | Verify AOC, document responsibility | Medium |
| Suspected breach | Follow incident response plan | Critical |
| Remote worker access | MFA required, personal firewalls | High |
| Penetration testing | Annual (6 months for SP segmentation) | Medium |
| Log retention | 12 months total, 3 months online | Medium |
| Wireless networks | WPA2/3 Enterprise, quarterly scans | High |