Organizations that process credit card information are confronted with the issue of PCI DSS "scope", which refers to all components of a computing network that directly or indirectly handle card data. These network components are a primary focus of PCI DSS regulation, compliance, and assessment.

Businesses today are under increased pressure to cut costs, optimize performance, and reduce risk. The need to meet these challenges is particularly apparent in the area of regulatory compliance. Historically, businesses responded to emerging regulatory requirements by assigning a dedicated team to handle every new mandate, each with its own specific team, mission, and project scope. But as regulations continue to proliferate and evolve, this approach is directly at odds with business requirements to improve performance, reduce costs, and more effectively manage risk. But what is the alternative, given the amount of effort required to manage compliance in a rapidly changing and increasingly complex regulatory landscape?

Regulatory compliance is dynamic, costly, and checking the box is no longer an option. Compliance mandates are global and require exposure by law when breaches do occur. However, many organizations do not tie risk management and compliance together. In fact, every day organizations make countless business decisions aimed to boost organizational performance. Unfortunately, most of these decisions are made without knowing the real tradeoffs against risk exposure.

As computer software has become the backbone of modern civilization, organized cyber criminals, state sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to generate revenue and carry out criminal activities. The growing number of cyber attacks has become one of the most serious economic and national security threats our nation faces.

As the number and complexity of security threats continue to grow exponentially and the strike time continue to shorten, security organizations find themselves unable to scale their response using existing resources, processes, and tools. To overcome the challenges, the Chief Information Security Office (CISO) is adopting a "risk-based approach to security".

In one of the most controversial cybercrime cases in recent years, Gary McKinnon, a UK based systems administrator, was accused by the US government of hacking into dozens of US military and NASA computers between February 2001 and March 2002. Dozens of critical systems were rendered inoperable, US Naval Air Station files were altered and deleted, and an entire network of 2,000 US Army computers was brought down.

In 2005, an American broadband and telecommunications company faced a major service outage in Los Angeles, California. A computer system's problem led to the corruption of the company's main software services environment. Over 150,000 customers lost land-line, Internet and some mobile phone and 911 services.