There’s much controversy surrounding the Payment Card Industry Data Security Standard (PCI DSS) mandates these days. With huge breaches of private data, like the one experienced by Heartland Payment Systems (which potentially could have affected some 100 million credit cards), some are wondering just how effective PCI requirements are. Ask many experts, however, and they’ll say that being compliant with PCI DSS doesn’t mean your company’s infrastructure is secure.
We recently talked to Steve Peltzman, CIO of the Museum of Modern Art (MoMA) in New York, who is keynoting Tuesday’s SC eConference and Expo: PCI Compliance, to find out his thoughts on PCI.
SC Magazine: What is the one area of PCI compliance that you and your peers seem to have had the most trouble with?
Steve Peltzman: I’ve yet to talk to anyone who has a firm handle on what precisely PCI means to their organization, how exactly it should be approached, and how much effort should be put towards it. It’s still something we’re all figuring out for ourselves, not to mention how to communicate its impact to the rest of the company or institution. At a time when budgets have never been tighter and security never tougher, no one wants to handle PCI too lightly or go overboard with it.
SC: As a professional whose company is affected by PCI mandates, in what ways do you think the PCI Security Standards Council could improve the requirements and/or guidance?
Peltzman: I think PCI needs a marketing plan, frankly. IT and non-IT executives alike need to know exactly where the single source for PCI DSS information is. At companies and institutions all over the country, IT executives are trying to explain PCI to their management and the message is certainly not consistent, and sometimes might not even be right. The PCI Council needs to help us get that word out correctly and effectively to maximize its effect.
SC: Given how far MoMA has come in continually coming into line with PCI, what would be your top piece of advice that you’d give to others who are still trying to get compliant?
Peltzman: Like anything else in IT, you need solid executive backing to succeed with PCI. Technology executives can’t hope to succeed if they’re the only ones who understand it and care about it. In lieu of the PCI Council marketing it to your company’s executives, carry that flag yourself and make sure everyone knows what it is, why it came about, and why it’s as much of an opportunity for your company as it is a challenge.
To learn more about the ins and outs of PCI compliance from Peltzman and other experts, register for free for the SC eConference and Expo: PCI Compliance, which is set for Tuesday from 9 a.m. to 6 p.m. EST. There you’ll find a complete agenda and other information about the day’s online event.