Risk Management with Stuart King and Duncan Hart

Sep 12 2008   8:30AM GMT

PCI Compliance – dispelling some common myths

Posted by: sking2

Tags:
Compliance
Network security
Security management

I was supposed to be in Paris today, auditing various PCI related things. Unfortunately, the fire in the Channel Tunnel has put paid to those particular plans. Not that I’m too upset – I’m rather reluctant to travel too far right now because my wife is heavily pregnant and it’ll be sod’s law that she’ll go into labour the moment I’m more than a couple of hours away from home.

I’ve recently been putting a lot of energy into dispelling one or two myths about PCI compliance within the organisation. The three I come across most often are these:

1) We’re alright if we can pass most of the criteria.

The pass mark is 100%. The standard is supposed to represent a minimum baseline for protecting cardholder data, so if you can’t meet every applicable requirement then you still have work to do. The one legitimate exception is a compensating control: where a specific requirement cannot be met for a documented technical or business reason, an alternative control that meets the intent of the requirement may be accepted, but it has to be written up and agreed with your assessor. It is not a way of quietly skipping the criteria you find inconvenient.

2) We don’t do any eCommerce so the standard doesn’t apply.

PCI DSS applies to any organisation that stores, processes, or transmits cardholder data by any means, electronic or otherwise. So, for example, if you have a shelf full of paperwork that contains customer credit card details, that is still cardholder data and the standard still applies.

3) We only do a handful of credit card transactions so PCI is not applicable.

It doesn’t matter whether you are doing 10 or 10,000 transactions: the standard is there to protect all credit card data regardless of the scale of the business. Transaction volume determines your merchant level, and with it how you validate compliance (a self-assessment questionnaire at the low end, an on-site assessment by a QSA at the high end), not whether the requirements apply to you in the first place.

I consider PCI compliance to be a business-as-usual activity. We’re taking credit card payments, so we need to put the right controls around them. We shouldn’t need regulation to tell us how; we should just be doing it.

1  Comment on this Post

  • Andrea Simmons
    Hear, hear! Having just spent a day sanity checking a client’s PCI approach, I couldn’t agree more - very well put Stuart :) And good luck with the impending patter of tiny feet! KR Andrea
