Compliance regimes usually make us do a lot of work to demonstrate the effectiveness of controls without justifying those activities from a risk perspective. As risk-based approaches to cyber security management have gained favour over compliance-based approaches in this next phase of information (or cyber) security maturity, we need to take a risk-based approach even when implementing compliance frameworks. This essay is about a risk-based approach to PCI compliance.
PCI-DSS is a framework espoused by the PCI industry body to help organisations that process credit card data implement an equivalent set of controls that safeguard the storage and transmission of that data.
about have recently engaged a company called to assist us with a review of our use of credit cards across the company and determination of our compliance with PCI standards. PCI = payment card industry; these are standards that must be followed when a company uses credit cards. These include things like segregation and storage of credit card numbers, for example.
-- has worked through a review of our systems and is now looking at unstructured data (i.e. mail, over the phone, online, etc.) where credit card information may have been captured. I have identified you as business SMEs who may know how and where credit cards are processed. Below are the process areas that I have identified. This list is by no means complete and -- is working to develop a complete list.

Over the next couple of weeks, -- will be reaching out to each of you to set up a quick meeting to discuss. Please share with him any information you have on the use of credit cards so that he can appropriately capture and investigate this for the Group of companies (this includes what systems they are processed into so that -- can cross-reference back to the work he has already performed).