PCI Security Standard Ain’t Just For IT Geeks
Last year we were all concerned about Sarbanes-Oxley. This year it’s PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company engaged in processing credit card information. The VISA Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance with these PCI standards is driving all manner of corporate risk management in tens of thousands of US businesses – from online customer-based transactions, to data storage, to document retention.
My buddy, Ben Rothke, just wrote a very intelligent article on the topic in CIO Magazine. The only thing I’d add is that PCI is commonly thought of as an "information" security problem when in fact it has a heavy physical security slant.
There are over twenty specific statements in the PCI requirements that pertain to physical security. For example, you should have video surveillance around sensitive systems and areas where credit card data is handled, physically restrict access to those areas, escort visitors and require rigorous access control, shred hard copies of documents with that data and protect against dumpster diving, etc.
A security executive from a Fortune 1000 company and another from a Fortune 100 each told me recently, separately and over lunch, that PCI is touching every aspect of their respective security operations – IT security, physical security, privacy, and business continuity. Both executives have found that promoting collaboration between those groups has been the key to meeting PCI requirements. PCI is just one more reason to promote a collaborative, convergence-minded attitude in your organization’s security program.