Sunday | 21 March, 2010
CSO
International Challenges in PCI Security
Bill Brenner 20/11/2008 09:15:00
Tags: pci standard
Page:

In a country that's seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

In the process, companies tend to forget that PCI compliance has been a recipe for international indigestion.

"Remember that credit cards are used abroad, and many American companies have personnel handling credit card transactions in offices all over the world," says Bruce Larson, security director at American Water, a major water utility that employs more than 10,000 people. "If you have a multinational organization, your data is not just sitting in the US."

There may be some irony in hearing that from someone whose concerns are mostly based on security threats inside the US. Larsen has to worry about everything from cyberattacks targeting computerized water filtration systems to terrorists who might try to bomb pipelines or poison the water supply. He also loses sleep whenever there's the chance of a natural disaster.

The inconvenience of online, global commerce

But more people are using credit cards to pay the water bill online, and he knows the credit card data is floating around in databases outside the US. Losing any of that data could be a body blow in terms of public confidence. Then there's the fact that American Water does business with vendors across the globe.

"I have a very geographically distributed network -- more than 1,500 locations where humans work, 150-200 of those are critical operations facilities," Larson told attendees during a PCI security seminar in September.

For Harshul Joshi, director of IT-risk and advisory services at CBIZ and Mayer Hoffman McCann P.C. (MHM), a professional business services company, doing business internationally can make for a lot of confusion regarding the PCI security ground rules.

"When we deal with non-US companies, there is often confusion over what PCI security requires," Joshi says. "We work with one of the largest magazine publishers with operations around the globe and if you dial an 800 number, chances are you'll be talking to someone in a call center in Vietnam. You give your credit card number and it is recorded somewhere outside the US."

On the outside looking in

If a company is based outside the US -- in Sweden or Ukraine, for example -- the problem is usually a lack of communication and money regarding PCI security needs.

Page:

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Enter the fully qualified URL, eg. http://www.example.com/
Users posting comments agree to the CSO Online comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Add to Google
More about pci standard
More about pci standard >
Additional Resources
Newsletter Subscription
Sign up for our CSO Online newsletters!
RSS Feeds
Syndicate content Syndicate content
 
Get a job Careerone
Whitepaper


Read Whitepaper

Making the move to Ethernet | A DECISION GUIDE

While enterprises today need higher bandwidth, there is increasing demand for solutions that can provide scalability, performance, simplicity and control at lower costs. Get the best of both worlds - read about Ethernet adoption today.

Sponsored Links