PCI Standard Drives Some CISOs' Work This Year

Some companies find they must pour money and time into complying with payment card data security requirements.
The payment card industry's Data Security Standard, created by Visa and MasterCard, is the focus of a lot of IT work--and spending--as companies seek to comply with its requirements for better protection of customer credit and debit card data. Two chief information security officers from Fortune 50 retailers, participating in an online discussion with Merrill Lynch that was open to the public, made this clear.

The CISOs, identified only by their first names so they could address sensitive security issues, agree that PCI compliance will be the biggest driver of security spending over the next year. "The money we spent on remediating for PCI is considerably larger than what we've spent on remediating for Sarbanes-Oxley," Mark says. The other CISO, Tony, says security is typically less than 1% of his company's IT budget, but this year it's doubled because of PCI.

In effect since December 2004 and updated in September, PCI requires firewalls, the encryption of cardholder and other sensitive data sent across public networks, and restrictions on physical access to cardholder data. Merchants that aren't in compliance face fines and risk losing the ability to process Visa or MasterCard payments.

It's a "great commonsense approach to how security should be implemented," Tony says. "Unfortunately, a large company like the one that I work for just didn't take it very seriously three years ago," when the standard was being proposed. A lot has changed since then, he says, and PCI is now the main driver behind his company's security initiatives, accelerating its use of data encryption. It's preparing to encrypt all data brought into the company's IT systems "so that everybody can reduce the risk further," he says.

Piling PCI on top of all the other regulations with which companies must comply isn't easy, but there's little choice when CISOs consider what's at stake.

Return to the story:
Cigna's Craig Shumard: One Man's Security Mission

Continue to the sidebars:
PayPal's CISO's Psychological Warfare
Mozilla's Window Snyder: A CISO With A Different Agenda
