PCI Compliance Also Requires Partnership Between IT, Legal

Lora Bentley

Though the overlapping of legal and IT roles in compliance tech decision-making may have been precipitated by amendments to the Federal Rules of Civil Procedure to address discovery of electronically stored information, it happens in other areas as well. One that Gabe Fineman knows well is Payment Card Industry Data Security Standard (PCI DSS) compliance.


Fineman serves as in-house counsel for Advanced Solutions International, or ASI. The company provides association and fundraising management software to non-profit organizations like state bar associations, medical research foundations and others that rely on membership dues or donations to operate. Since many of them collect those dues and donations online using credit cards, they must be PCI DSS-compliant. And since ASI hosts about 10 percent of its customers in the U.S., UK, Australia and New Zealand, the company has to assure its customers that it's not preventing them from being PCI-compliant.


"That's where you need a lawyer, quite frankly," Fineman says."If you sit down and try to read this PCI questionnaire, it really helps to be a lawyer." The questions are very techincal, he says, and on first reading, some appear to require much more than they actually do. ASI's IT person wrestled with how to answer the questions, Fineman says, and they went back and forth on the phone and in e-mail to answer them.


And that's the advantage of a small company. "There's only one person in the law department. That's me," he says. "And I'm here to help people." IT and representatives from various customers have no problem picking up the phone or shooting him an e-mail when they have a problem or a question. There's no perception at ASI that legal is something to be avoided.

Add Comment      Leave a comment on this blog post
Jan 29, 2009 9:56 AM Travis Travis  says:

A lot of the governance, risk, and compliance is overstuffed with legal jargon.  Try reading the Sarbanes-Oxley details and you will be wishing you had a lawyer handy.  Ask any IT person if they want to be a lawyer and they will crawl under a desk and hide.  Ask a lawyer if he wants to be an IT guy and he will ramble on about future technology.  Solutions need to understand this limitation and help merge the two departments together. 

Oct 22, 2009 1:55 AM Steven Mills, CISA Steven Mills, CISA  says:

In resolving many of todays legal and compliance related mandates, its best to understand that there is a single source to which these requirements stem. At the heart is global commerce (niether good nor bad), whether EU, APEC, WTO, or Safe Harbor many countries have agreed to establish their own national laws for the protection of intellectual property, personal privacy, and trade secrets. This requires on an agreed base standard which today is ISO 27000. PCI, Privacy, SOX, the New HIPAA updates and many others have incorporated this standard into their particualr requirements. IT and a companies legal resources must be lock step. The idea of creating an informaiton management structure that is appropriate to manage all compliance and yet meet the Federal Rules of Civel Procedures is not new, simply to those who have not applied these MIS best practices leads to much confusion and at times overkill.

At the heart of compliance is risk assesment and appropriateness. I have seen overkill from the perspective of legal council as well as IT personnel. Following the best practices of ISO 27002:2005 can go a long way in assuring a businesses senior management staff that what is being developed will have a ROI through better management of what most companies feel is their second most valued assets, corporate information and take serious the protection of their number one valued assets - their customers, vendors, and employees personal private information .


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.