Is PCI compliance IT's job, or everyone's?

A look at how national retailer Woolworths tackled Payment Card Industry (PCI) compliance.
Written by Tim Lohman, Contributor

Payment Card Industry (PCI) compliance is the responsibility of every member of your organisation, not just IT's. That's the message of Woolworths' group information risk manager, Peter Cooper.

Cooper, speaking at the CeBIT Future of Payments conference in Sydney, said that many organisations laboured under a number of misconceptions about what PCI compliance was, and how it affected them. Chief among these is that PCI is the responsibility of the IT department.

"One of the misconceptions about PCI compliance is that [Woolworths] thinks that it is my job. PCI compliance is everybody's job," he said.

"Not only am I responsible for delivery of PCI compliance at the company, but all of the people in the company can damage our level of compliance if they are not careful about what they are doing.

"It is a state of mind about everybody acting in a compliant fashion."

Cooper, who also spent 10 years as a senior manager of systems security at the Reserve Bank of Australia before joining Woolworths in 2007, said organisations also inaccurately perceived PCI compliance to be just about privacy.

"People think about PCI as solving privacy issues; it is not," he said. "PCI is kind of a subset of privacy, but is actually very different to privacy in the requirements you have to satisfy, in terms of the approach, and how you risk assess — very different."

Further misconceptions were that PCI compliance was a project with a clear start and end, and that being PCI compliant meant immunity from a data breach.

"PCI delivers a level of compliance that needs to be maintained – there are daily, weekly, monthly, quarterly and annual tasks, and everything that you do has to be done through a lens of PCI compliance," he said.

"PCI is about reducing the opportunity for data breaches, but at the end of the day, even good companies get breached, so a big part of PCI is building really good incident response plans on how to act when the inevitable breach does happen."

Cooper stressed a number of tools and techniques that organisations could use to improve their compliance and security around payment card data. These included: a discovery phase to find every place card data is stored or passes through; consolidating card data into a single, tightly controlled store so that it is easier to protect and manage; and tokenisation, replacing stored card numbers with surrogate values so that the systems holding the tokens no longer hold the real number.
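The first and third of those techniques, card data discovery and tokenisation, are shown below as an added example. This is illustrative code written for this article, not Woolworths' or Cooper's own tooling; the sample text, the PAN pattern and the in-memory vault are assumptions made for the demonstration.

```python
"""Card-data discovery and tokenisation.

Added example, not Woolworths' or the speaker's code. The sample text, the
PAN regex and the in-memory vault are assumptions made for illustration.
"""
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. Deliberately simple: a
# production scanner also handles mixed separators and adjacent numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812-1); filters out most numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Discovery: return every Luhn-valid PAN in text, digits only, in order of appearance."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


class TokenVault:
    """Maps PANs to random surrogate tokens.

    The real PAN lives only here; systems that store the token instead of the
    PAN no longer hold cardholder data. A production vault is a separate,
    hardened service with access control and audit logging; this dict stands
    in for it (assumption).
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random, so the token reveals nothing about the PAN; the last four
            # digits are kept because receipts and call centres need them.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (a small, PCI-scoped system) can reverse a token."""
        return self._pan_by_token[token]


def redact(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with its token; leave other digit runs alone."""
    def swap(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return vault.tokenize(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(swap, text)


# Constructed sample input: two well-known test card numbers (Visa and Amex),
# a phone number, an order reference, a tracking number and a mistyped card.
SAMPLE_TEXT = """\
order 20240515-01 customer phone 0412 345 678
card 4111 1111 1111 1111 exp 12/26
refund to 378282246310005
tracking 1234567890123456
mistyped 4111111111111112
"""

if __name__ == "__main__":
    vault = TokenVault()
    print("found:", find_pans(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT, vault))
```

Run over the sample, the scanner reports only the two Luhn-valid numbers; the tracking number and the mistyped card are left untouched, and after redaction the text carries tokens that can be reversed only through the vault. In a real discovery exercise the same scan is run across file shares, databases, log archives and mail stores, because the card data that breaks compliance is usually in places nobody expected.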

In addition, Cooper recommended network segmentation; security event management tools, in particular those that automate log review; file integrity monitoring tools to detect intrusions and tampering with files to plant backdoors; intrusion detection systems; and web application firewalls.
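The file integrity monitoring idea is simple enough to show in full. The example below is added for this article and is not Woolworths' or Cooper's code: it baselines a directory tree, then reports files that were added, removed, changed in content, or changed only in permission bits. The temporary tree and the simulated tampering in demo() are constructed for the demonstration.

```python
"""File integrity monitoring: baseline a tree, then report what changed.

Added example, not Woolworths' or the speaker's code. The temporary directory
and the simulated tampering in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, tuple[str, int]]:
    """Record (sha256, mode) for every regular file under root, keyed by relative path.

    Mode is included so that a permission change (for example a file made
    setuid or world-writable) is flagged even when the content is unchanged.
    """
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = path.stat().st_mode & 0o7777
        state[path.relative_to(root).as_posix()] = (digest, mode)
    return state


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify each file as added, removed, modified (content) or mode_changed."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(baseline.keys() | current.keys()):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old_hash, old_mode = baseline[rel]
            new_hash, new_mode = current[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
            elif old_mode != new_mode:
                report["mode_changed"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Build a small tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "checkout.php").write_text("<?php // legitimate checkout code\n")
        (root / "app" / "config.ini").write_text("db_host=localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "helper").write_text("#!/bin/sh\necho ok\n")
        (root / "bin" / "helper").chmod(0o755)
        (root / "README").write_text("untouched\n")

        baseline = snapshot(root)

        # Simulated tampering (constructed): an unauthorised edit to the
        # checkout page, a new unexpected file, a deleted config file, and a
        # helper script made setuid without any content change.
        with (root / "app" / "checkout.php").open("a") as f:
            f.write("// unauthorised change\n")
        (root / "app" / "unexpected.php").write_text("<?php // planted file\n")
        (root / "app" / "config.ini").unlink()
        (root / "bin" / "helper").chmod(0o4755)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two design points matter in practice. The baseline must be stored somewhere the monitored host cannot overwrite, otherwise an intruder who can alter the payment page can also alter the record of what it should look like. And the comparison should be scheduled, not run only on demand: PCI's requirement for file integrity monitoring on critical files is one of the weekly tasks Cooper refers to, and an alert from it is the trigger for the incident response plan he describes.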

Commenting on how he had worked to gain management and wider organisational buy-in to PCI compliance, Cooper said he had relied on two key factors.

"Every one of our staff members is also a customer — in the main — so when I pitch to people about them having a responsibility to treat credit card data with due respect, I tell them that chances are, it might be your data as well. That's a really powerful message," he said.

"The other thing that keeps people honest is scoring. We have divisional scorecards for their level of compliance to show the level of progress, and the level of compliance. I don't own the delivery of every single compliant thing within Woolworths, but I certainly own the raising of the visibility of its status."
