Elizabeth Bowles at Aristotle.Net gave a session on e-Commerce that included some PCI DSS material. PCI DSS is like HIPAA in a lot of ways: plenty of buzz, but hardly anyone has a handle on it. There's more myth than fact, but who is going to sift through all the pages of standards, card-brand program rules, and regulations?
In most of these regimes (HIPAA and SOX, which are laws, and PCI DSS, which is a contractual card-brand standard rather than a law) it is a matter of securing data. Not just encrypting it, but securing it, even in physical form like file folders and paper. For example, if someone walks away with my yellow file folder filled with patient info, is that any different from someone walking away with a PC (or server or laptop) holding patient records, or with a DVD backup copy? Not really. And we have had some doozy events lately, including TJ Maxx, Sweetbay Supermarkets, and the AT&T laptops.
PCI DSS (Payment Card Industry Data Security Standard) is a compromise among Visa, MasterCard, American Express, Discover, and JCB International to replace their disparate security requirements with one standard. It is "intended to provide a baseline for best practices in card security". That's the best way to describe it, really. The brand programs still exist on top of it: MasterCard has SDP, its "Site Data Protection" program, and Visa has CISP, its "Cardholder Information Security Program". Both now use PCI DSS as the technical requirement and add their own validation and reporting rules.
Typical e-Commerce merchants are small, and that puts most of them at Level 3 or 4. (Merchant levels are set by annual card transaction count, not dollar sales: under Visa's scheme, 20,000 to 1 million e-commerce transactions a year is Level 3, and fewer than 20,000 is Level 4.) Bowles states, "Although Level 3 merchants and service providers do not yet have to be PCI DSS compliant, there are other requirements: Level 3 merchants must fill out an annual PCI Self-Assessment Questionnaire, and Level 3 service providers must have a quarterly network scan performed by an Approved Scanning Vendor (ASV) .... 56% of Level 3 merchants are PCI DSS compliant."
Firewalls, software patching, and password security are three of the main ways to stay on top of this, and they map directly onto PCI DSS requirements: maintain a firewall configuration to protect cardholder data, keep systems patched, and never leave vendor-supplied default passwords in place. CIO.com has a series of articles to help you get up to speed, since the PCI compliance deadline just passed. Visa has its 12 Steps to Compliance on its site; PCI DSS itself is organized as 12 requirements.
I'd like to hear your thoughts on PCI and other compliance issues. It seems like a lot of this is due to a lack of common sense and policy management. When I was working in CHI, there was a department in charge of information security that had final say on many issues, including data security and compliance. Who is in charge of that at your company? Or will someone be reading your medical history or your salary and raise info on the web soon?