Industry Compliance

Organizations must not only be aware of state and federal laws governing the secure and proper handling of electronic data; they may also have one or more industry-related compliance requirements or standards to satisfy.

Industry compliance violations may result in an inability to conduct operations, as opposed to the issuance of a warrant to seize evidence. One example of an industry compliance standard is the Payment Card Industry Data Security Standard (PCI-DSS).

While this standard or something similar to it has influenced some state and federal laws, the standard is not law. The standard is intended to protect credit card information and the personal information associated with credit card data. The standard details security practices and operations to keep credit data safe when in transit over a network and when stored. Organizations must implement secure networks, secure software, and appropriate security operations. Licensed PCI auditors are required to conduct periodic PCI audits. Failure to conduct audits or continued critical failures during audits can result in credit card processing services being revoked or suspended.

Other examples of industry compliance requirements or standards include those developed by the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD).

Check Your Knowledge

Choose the best answer to each question:
Question 1
PCI-DSS applies to any organization that __________.
stores health care-related records
stores or processes credit card data
is a publicly traded corporation
provides digital forensics services
Question 2
In many circumstances, an organization may conduct a PCI audit with internal employees as opposed to hiring a certified PCI auditor.
True
False
Question 3
If all vendors that an organization does business with are PCI-compliant, then the organization is also PCI-compliant.
True
False