Monday, March 31, 2008

Implementing new technology can make compliant companies non-compliant

Storefront Backtalk has a nice article by David Taylor of PCIAlliance.org which, while focusing on the technology of computer virtualization, is equally applicable to folks installing remotely managed digital signage systems in places where credit card transactions are processed (think retail stores, gas stations, travel hubs, hotels, and basically anywhere else).

The crux of the story revolves around PCI compliance -- the relatively new set of rules and regulations that Visa and others are requiring before they'll accept credit card transactions from a given merchant. Most of the rules have to do with data security and the handling of non-public personal information (NPPI): how that data is stored, and who inside your organization should be allowed to access it. Companies spend thousands and sometimes even millions of dollars making sure that their computers, networks, software and systems meet the spec (to avoid costly fines and processing delays), but now they're facing an even bigger challenge: making sure that new tech investments don't take them back out of compliance.

While I can only think of two cases in recent memory where my company had to demonstrate PCI compliance to retail IT folks who would have otherwise prevented the deployment of digital signs -- which don't have anything to do with payment processing, of course -- I can only expect that this kind of behavior will become more common, especially if Visa continues to bear down on its merchants or some new legislation to penalize data security breaches ever comes to light. Getting into (and staying in) compliance is an added cost for tech vendors to manage. But insecure devices inside networks that handle NPPI may be a favorite vector for data thieves today (some believe an insecure kiosk may have helped the perpetrators in the TJX break-in), so a few extra precautions are probably worth it.
