PCI: Maybe It’s Not Just For Card Data Any More

Written by Evan Schuman
November 12th, 2009

With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have taken a far too narrow view of data protection. The PCI rules are, by design, only about payment card data. But the same common-sense security guidelines will also substantially improve the security of CRM databases, personnel files, E-mail servers, payroll details and even the full contents of your Web site.

In this week’s Guest Column on the new McAfee security blog, a reader describes a run-in with a nervous customer who had lost a ton of data because he hadn’t been making backups. Why? The data didn’t include payment information, so he ignored all of the PCI guidelines he was following elsewhere in the system. So what was so important about this non-PCI-oriented data? “It’s the flight maintenance records for our entire fleet of aircraft.”


2 Comments

  1. Cranston Snoard Says:

    Oh, please — PCI to protect flight maintenance records??? The aviation industry and aviation operations already have requirements for ensuring information is retained, reviewed, signed off, auditable, etc.

    And there are far better guidelines for protection of sensitive information than PCI. Let’s not start the propaganda that PCI is some grand, all-encompassing process that can now cross into other areas of data protection. It isn’t — at best it is a simplistic (in the worst sense of the word), crude, immature hodge-podge of marginally effective controls.

    There are far better standards and practices to follow for sensitive and critical information than PCI.

  2. Evan Schuman Says:

    I hate to admit, Cranston, but you’re absolutely right. The intent–although it wasn’t stated–is that proper security procedures should apply to all content and not merely payment data. The reason the piece spoke of PCI is that this particular IT manager used PCI extensively and happened to be talking with a PCI assessor and that was the context of the conversation.
    So, our theory went, as flawed as PCI might be (please don’t get me started), if he at least treated his other data as though it was PCI-protected data, he’d be in a much better place. But that wasn’t stated in the piece, so your comments are entirely warranted.
