The State of PCI Compliance
As Director of Security for Evangelyze Communications, my primary focus is on the security implications of VoIP and unified communications and on helping our customers understand the risks and implement effective security controls to protect their unified communications infrastructure. Another aspect of that security, however, is compliance. Organizations fall under a variety of regulatory mandates and industry guidelines, and those compliance requirements often extend to monitoring and retaining communications data.
Organizations need to be familiar with the mandates they are obligated to follow, whether SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), or others. Some organizations must comply with two or more of these, depending on their industry and the types of business they engage in. To achieve and maintain compliance, organizations need to understand what the requirements are regarding their communications. As it relates to unified communications, organizations have to grasp the implications of converged communications channels. With instant messaging conversations archived in Outlook, voicemail messages sent as file attachments via email, and email readable over the phone through Microsoft Exchange using Outlook Voice Access, the lines between types of communication are blurred; organizations have to be aware of this and put the appropriate controls in place to remain compliant.
PCI compliance has been a particular focus of mine. I was the lead author and technical editor of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance, published by Syngress in 2007. Dr. Anton Chuvakin and I are co-authoring a 2nd edition of the book, to be published later this year, which will contain updated information reflecting revisions to the PCI DSS guidelines themselves as well as the various breaches and issues that have occurred over the past couple of years. It will also have more real-world case studies and how-to guidance, providing more actionable material for the reader rather than just a theoretical description of the PCI DSS guidelines.
This week I was the guest on a podcast recorded for BankInfoSecurity.com titled 'The State of PCI Compliance'. You can listen to the streaming audio by clicking here.