A risk assessment must be applied to identify vulnerabilities and threats, usage policies for critical technologies have to be developed and all personnel security duties needs to be defined A 2012 scenario involving Utah restaurateurs Stephen and Cissy McComb introduced a lot of the murky environment of PCI DSS fines https://www.nyflashnews.com/nathan-labs-expands-cyber-security-services-in-saudi-arabia