


March 3rd, 2008

PCI compliance without costly consultants

Joel Dubin, CISSP, Contributor
03.03.2008

Any company that accepts credit cards for its business is subject to the Payment Card Industry Data Security Standard (PCI DSS). As with other regulations, such as the Sarbanes-Oxley Act, the biggest component of being compliant is proving you’re compliant.


Though PCI is an industry standard — not a government regulation — the credit card industry can still enforce it with the same weight as a regulation. The PCI Security Standards Council LLC is governed by the five largest credit card companies: Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co.

While it’s unlikely a credit card company would make the effort to catch a midmarket company in the act, it can cut a business off at the knees for noncompliance. A business can be fined, or worse — cut off completely from being able to process credit cards.

Better to have and not need, than to need and not have.

A PCI audit is something you can do without hiring an outside consultant. Your secret weapon: Documentation.

Auditors have a mystical attachment to paperwork, and if it isn’t in writing in front of them, they won’t see it. The only way to prove to an auditor that your company is compliant with PCI is to document every control required by the standard. In the eyes of the auditor, if a control isn’t documented, it isn’t compliant.

First, appoint someone to be the contact person for PCI auditors. This isn’t a full-time job and doesn’t necessarily even have to be someone from the IT department. The important thing is that this person has a sufficient background in IT and understands the technical terminology in the standard.
