Developing controls is one thing. Compliance is another matter. I recently read an AOC Solutions’ blog post about the Verizon 2014 PCI Compliance Report. It cites that nearly 60% of companies do not regularly test their data security systems and processes, even though this is a requirement of the Payment Card Industry Data Security Standard (PCI DSS). Does your P-Card program suffer from similar low compliance in one or more areas? What do your compliance metrics show?

I previously wrote about declined transactions and delinquent cardholders, but there are more potential issues; for example:

• incidents of personal use of a Commercial Card
• purchasing prohibited goods/services
• improper card storage (e.g., cardholders leaving cards on their desks when they are not there)
• improper disposal of cards or documentation reflecting card account information
• sharing system login IDs and passwords or posting the information next to a computer
• cardholders allowing someone else to use their card
• suppliers who are not PCI-compliant (the Verizon report will make you think twice about what your suppliers are doing) 

A good auditing program is critical to catching and resolving compliance problems, but prevention is equally important. Do your policies and procedures (P&P) address the bullet points listed above? For tips on what P-Card P&P should include, purchase the related guide for $29.99. What about your training program? P-Card training should complement other organization training, such as training focused on ethics and information security. If your organization could use help with any of these efforts, contact Recharged Education.