What are the PCI rules when it comes to data management and information handling of CC/personal data?
The one thing that worries me is you can lock down your database and environment, but sometimes there are genuine reasons for employees to take hard-copy extracts of certain data out of a system – for work purposes. Plus many ERP systems have “export” features, or “report” features whereby you can essentially extract sensitive data and save it wherever you like.
So what are the rules on PCI or any compliance standard which handles sensitive data (i.e. is it HIPAA that handles medical records?).
• About extracting data from information systems via export facilities or reports and saving extracts locally/to servers, etc.
• Printing data/reports directly from the system
• Taking hard-copy of data/reports from the system offsite
Have I missed any information handling type issue, and if so what are the rules there? I know there’ll need to be a policy, but what needs to go in that policy for these kinds of issues, and what business rules need to be enforced to comply with PCI?