PCI Compliance

Compliance with PCI DSS can be an issue for SharePoint sites to the extent that content stored in SharePoint meets the definition of "cardholder data" used by the PCI Security Standards Council (at a minimum the full primary account number, alone or together with the cardholder name, expiration date, or service code). For organizations that store, process, or transmit cardholder data, compliance with the 12 high-level requirements of the PCI DSS is mandatory.

Three common SharePoint use cases can result in a SharePoint site being judged part of the cardholder data environment, and thus in scope for a PCI DSS assessment. Note that scope is not limited to the systems that themselves hold cardholder data: systems connected to, or able to affect the security of, the cardholder data environment are also in scope unless they are isolated from it by network segmentation. The three use cases are:

  1. Public-facing SharePoint sites that take orders and process credit card transactions.
  2. SharePoint team sites or intranet sites that hold files containing cardholder data.
  3. SharePoint-based document management systems that capture and store documents relating to credit card applications and usage. To the extent that these systems process cardholder data or store it in SharePoint, they too are part of the cardholder data environment.

Failing to provide adequate controls for cardholder data, including rendering stored primary account numbers unreadable as PCI DSS Requirement 3 demands, can have extremely negative impacts on an organization: failed security assessments, loss of the ability to process credit cards, and brand damage in the event of a breach involving credit card data.

To help SharePoint users understand their PCI DSS compliance obligations, CipherPoint has created a solution brief, PCI DSS Compliance and SharePoint.