
PCI Security Standard Ain’t Just For IT Geeks

Last year we were all concerned about Sarbanes-Oxley. This year it's PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company that stores, processes or transmits credit card data. The Visa Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance with these PCI standards is driving all manner of corporate risk management in tens of thousands of US businesses, from online customer transactions to data storage to document retention.

My buddy, Ben Rothke, just wrote a very intelligent article on the topic in CIO Magazine.   The only thing I’d add is that PCI is commonly thought of as an "information" security problem when in fact it has a heavy physical security slant.

There are over twenty specific statements in the PCI requirements that pertain to physical security, most of them under PCI DSS Requirement 9 ("Restrict physical access to cardholder data"). For example, you should have video surveillance of sensitive systems and of the areas where credit card data is handled, physically restrict access to those areas, escort visitors and enforce rigorous access control, shred hard copies of documents containing that data, and protect against dumpster diving.

A security executive from a Fortune 1000 company and another from a Fortune 100 company told me separately, over recent lunches, that PCI is touching every aspect of their respective security operations: IT security, physical security, privacy and business continuity. Both have found that collaboration between those groups has been the key to meeting PCI requirements. PCI is one more reason to promote a convergence attitude in your organization's security program.

August 6, 2007 at 9:17 pm

I haven’t read the standards, but if Ben’s overview is correct – I must be missing something. Nothing about those standards seems to be the least bit out of the ordinary.
OTOH – after years of working in IT, it seems to be a feature of the business that people tend to make things far far far more complicated than they should be. That might be what’s happening here. Also, there is the fact that Sarbanes-Oxley has made many people gun-shy, worried about not being compliant enough no matter how hard they try. I know there must be a carry-over effect.

