How to develop a PCI compliance program and take a step in the IG career path.

Author: Altepeter, Andrew


Any organization that processes customer payment cards must comply with the Payment Card Industry's Data Security Standard or face possible fines and a great potential for this sensitive information to be compromised. Leading the PCI compliance program's development is a prudent way for a RIM professional to raise awareness of information governance (IG) priorities and, perhaps, take a step toward a broader IG career.

Information governance (IG) and records and information management (RIM) professionals will readily agree that protecting sensitive information is a top job priority and that it has become more difficult and risky because of the explosion of electronic information. Its importance has been underscored by privacy legislation, such as the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), and European Union privacy directives.

As the constant media stories about data breaches and their negative impact on even the most established and respected merchants show, handling sensitive information properly is necessary not only to meet business and customer needs, but also to prevent the severe business disruptions, damaged customer relations, and negative public perceptions that can occur when it is compromised.

ARMA International recognized this important priority in creating the Principle of Protection as one of its eight Generally Accepted Recordkeeping Principles® (Principles). It codified this principle as the need to "ensure a reasonable level of protection for records and information that are private, confidential, privileged, secret, classified, or essential to business continuity."

This emphasizes the imperative for RIM professionals to be involved in the creation and maintenance of policies, processes, and procedures that protect sensitive information. As a bonus, building a compliance program of this type provides an opportunity to expand their skills beyond traditional RIM roles and advance along an IG career path.

PCI DSS: Mitigating the Risk

For organizations that process customer payment cards (either debit or credit), cardholder data is one of the most critical types of information to protect, and the risks surrounding it have grown steadily over the last few decades because of the growing use of e-commerce and the volume of electronic payment processing.

In 2003, the U.S. government responded by passing FACTA, which includes requirements for free annual credit reports, fraud alerts, truncation of payment card numbers, and certain protections for victims of identity theft. However, it lacks specific measures for organizations to strengthen security and prevent breaches.

In 2006, the major payment card companies (Visa, MasterCard, American Express, Discover, and JCB, which is a Japan-based payment card allied with Discover in the United States) formed the Payment Card Industry Security Standards Council (PCI SSC), with requirements for merchants, which it defines as "any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC."

The primary objective of this...
