Last week, I was finalizing my information governance presentation for the upcoming IBM Impact 2010 conference. I have an excellent slide that shows the relationship of the entire content lifecycle to the different stakeholders in the organization: the Privacy Officer, the Security Officer, legal counsel, and of course IT. When I present this slide I usually give specific examples related to HIPAA, Sarbanes-Oxley, and DoD 5015.2. One example I sometimes leave out is the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS applies to all organizations and merchants, regardless of size or number of transactions, that accept, process, transmit or store any cardholder data. A simpler way of saying this: if any customer ever pays the merchant directly with a credit card, or even with a debit card, then the PCI DSS requirements apply.
PCI DSS is designed to make it harder for criminals to steal cardholder data and then use it fraudulently, by imposing a more robust and standardized approach to data security. Unfortunately, as I have seen, many companies are still struggling to demonstrate PCI compliance. The cost and effort of meeting the PCI requirements can be daunting. So, however, can the fines: they can range from $5,000 to $100,000 per month for compliance violations. And that is before counting the damage to brand reputation and stock price.
The PCI DSS requirements are grouped into six control objectives: build and maintain a secure network, protect cardholder data (including encrypting it in storage and in transit), maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. These obligations cover newly generated data as well as content that has been retained for years.
The PCI Security Standards Council published version 1.2 of the PCI DSS on October 1st, 2008; it contains 12 major requirements. The lifecycle process for changes to PCI DSS is currently in stage 3; stage 5 is expected to conclude by September 30th, 2010 with the publication of a new version.
When defining and planning the scope of a PCI program, one of the first action items is to establish what is in scope and what is out of scope: systems, content repositories, storage platforms, networks, people, and processes. Keep in mind that any system that can connect to the cardholder data environment is in scope unless it is isolated by adequate network segmentation, so scoping is as much a network question as a data question. As I have said many times before, measure your risk, but don't ignore it.