We notice you are visiting from a U.S. Internet provider. 
15/03/2010 -
Protecting a company's sensitive information, such as payment processing data, goes far beyond PCI compliance audits - establishing a company's security requires the establishment of internal policies regarding access restriction, employee monitoring and data handling, reported Inc. magazine."These days, every business that keeps sensitive data - whether about customers or employees or the company - need[s] to have written data handling policies," said the magazine. "These policies should spell out who has access to vital information, passwords, account numbers, databases, etc."
The magazine also noted that there should be a section in these policies about document retention, preferably with a mandatory schedule of shredding sensitive documents.
Considering the high proportion of fraud that stems from employees themselves, Inc. advised companies to utilize background checks - especially for those whose position grants them access to payment processing data - and to encourage employee tips and reporting, potentially though the use of an anonymous tip box.
Furthermore, businesses should not just rely on external PCI audits - it is wise to create a schedule of internal audits and to also conduct surprise audits, to ensure that the same level of security is maintained all year long.
Payment processing security experts note that year-round security should be the top priority of organizations that handle cardholder information, instead of simply PCI compliance.
