PCI DSS Standards and Other IT Governance Rules
THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) is an information security best practice as well as an industry required standard for the many enterprises that handle cardholder information for the major debit, credit, automatic payment (ATM), and retail point-of-sale (POS) cards. Defined by the PCI Data Security Standards Council, PCI DSS was created to increase controls around cardholder data to reduce credit card fraud through a series of recommended best practices. With our worldwide reliance on payment cards for all forms of business, enterprises that accept credit cards for business operations at any level must comply with PCI DSS. An understanding of PCI DSS and its compliance requirements is an important element of IT governance for many senior business managers today.
This chapter will introduce PCI DSS and discuss its control objectives to help build and maintain a secure IT network. We will discuss the compliance requirements that fall under these rules, with both the processes for qualified security assessments for larger enterprises as well as the voluntary use of the PCI DSS Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. PCI DSS rules cover much more than consumer credit card transactions, and compliance here is an important part of IT governance.
This chapter also briefly introduces two other U.S. laws that have an impact on IT governance: the Gramm-Leach-Bliley ...