PCI Compliance Also Requires Partnership Between IT, Legal


Though the overlapping of legal and IT roles in compliance tech decision-making may have been precipitated by amendments to the Federal Rules of Civil Procedure to address discovery of electronically stored information, it happens in other areas as well. One that Gabe Fineman knows well is Payment Card Industry Data Security Standard (PCI DSS) compliance.


Fineman serves as in-house counsel for Advanced Solutions International, or ASI. The company provides association and fundraising management software to non-profit organizations like state bar associations, medical research foundations and others that rely on membership dues or donations to operate. Since many of them collect those dues and donations online using credit cards, they must be PCI DSS-compliant. And since ASI hosts about 10 percent of its customers in the U.S., UK, Australia and New Zealand, the company has to assure its customers that it's not preventing them from being PCI-compliant.


"That's where you need a lawyer, quite frankly," Fineman says. "If you sit down and try to read this PCI questionnaire, it really helps to be a lawyer." The questions are very technical, he says, and on first reading, some appear to require much more than they actually do. ASI's IT person wrestled with how to answer the questions, Fineman says, and they went back and forth on the phone and in e-mail to answer them.


And that's the advantage of a small company. "There's only one person in the law department. That's me," he says. "And I'm here to help people." IT and representatives from various customers have no problem picking up the phone or shooting him an e-mail when they have a problem or a question. There's no perception at ASI that legal is something to be avoided.