PCI: A Vital Standard for Government
My colleague Linda McGlasson, managing editor of our sister site BankInfoSecurity.com, is reporting this week from the PCI Security Standards Council community meeting in Las Vegas. Though Linda is focused on the financial industry, her reports are important to those in government charged with securing IT assets. After all, government is among the biggest sectors accepting credit card payments, and payment card industry standards are important not only to safeguarding government payment systems but also to protecting the privacy of citizen and contractor data.
That's especially true among state and local governments, where PCI stands out as one of the principal IT security standards followed.
When I spoke with Seattle Deputy Chief Information Security Officer Dave Matthews recently, for one of our podcast interviews, I noted that the federal government has the Federal Information Security Management Act, Office of Management and Budget directives and National Institute of Standards and Technology guidance. What do you have in Seattle? I asked. He replied:
"There really aren't a great deal of requirements of that kind of things for the city for local government. However, we do have to follow PCI rules, the PCI data security standards because we do take credit cards. That's probably the main regulation that we fall under."
In another podcast interview, when I asked Charlotte CISO Randy Moulton what the primary IT security challenge facing the North Carolina city government was, PCI played into his answer:
"When I first came to work for the city, we didn't have any regulatory requirements, where we had to do things to meet the standards of outside entities. In the last three years, that has come about. Every year, we've had a couple of new ones added. It initially started with having to do the Payment Card Industry requirement. The city uses a credit card as a payment medium for a number of the services that they offer; we have 11 merchants. We had to go through and get 11 merchant PCI requirements. That was a big cultural shift for the city because you typically didn't have that type of thing that you had to do, particularly in information security."
Later, Moulton explained that one catalyst behind his development of a city cybersecurity policy was PCI. "Having an information security policy was a requirement for a PCI," he said.
Here are some stories Linda has filed on the PCI conference:
Please check them out.