
The standards covered by the PCI Council can be used to help build or augment the security policies and structure for the enterprise, data centres and your customers. This comprehensive set of requirements for security management, policies, procedures, network architecture, software design and other critical protective measures will be used by the wise as a best practices guide to implement and follow.

Although the PCI Council manages the underlying security standards, compliance is set independently by the individual brands. Each brand has its own set of financial penalties per incident, with additional penalties ranging from restrictions to outright loss of use.

A common misconception is that this is an IT issue and best left solely to the technical departments to resolve. In fact, most companies find that this is a multi-discipline exercise best co-ordinated by a risk and compliance function who can then co-ordinate any IT requirements and engagement; governance for policy writing or amendment; operations for current practices and training; HR for new hires security checks; as well as providing feedback to the audit function for reporting to senior management.

The latest release of PCI DSS includes the requirement that all web-facing applications be protected against known attacks. It also gives further consideration to the vulnerability of the application if someone does gain access: how much damage can they do? Historically, hosting companies have become very good at protecting the networks and the operating systems from attacks, while the applications themselves have been left vulnerable.
