The credit card is the undisputed king of retail. According to the British Retail Consortium’s 2013 Payments Survey, card payments accounted for 71 percent of retail sales value in the UK last year. Estimated fraud losses on UK cards (excluding online) totalled about £345 million for the same period, according to Financial Fraud Action UK (FFA UK). Retailers must comply with the card industry’s PCI DSS standards, and simply being PCI DSS compliant (or thinking you are) is probably not enough.

Consider a department store that has updated its transaction processing applications to comply with PCI DSS requirements. All transactions – new and older – are secure and compliant, but certain merchandise returns stored as digital images of the original receipt could include the credit card that was used and the customer’s driver’s license or other ID. These digital “photocopies” are likely stored in folders on a server and in a running spreadsheet.

In a PCI audit, the store can show that data for new transactions is secure, but it cannot prove that all PCI-relevant data is equally secure. As a result, the company must either shut down the server or manually review its entire contents and implement appropriate controls.

The fundamental aspects of compliance are the same regardless of industry or industry-specific regulations: enforcing compliance on unstructured data (documents, PDFs, spreadsheets, etc.) stored on SharePoint sites, NAS devices, file servers, etc., through access control, separation of duties, and the ability to audit. Different industries might use different terminology, but all regulations require these three things:

1. Access control – ensuring that access is given only to those who are supposed to have it. Employees who store unstructured data on sites like SharePoint and Dropbox can accidentally create sensitive content outside of the business systems when they merge data from different departments on these sites.

2. Separation of duties – ensuring there are no conflicts of interest, and that no one party holds too much power and knowledge. This is very similar to access control, but is more about who should be able to access what types of data.

3. Audit – proving that access control and separation of duties are in place and that the rules are followed.

Perhaps the biggest challenge to data governance is finding all the data that actually needs to be governed. If you don’t know what data is out there, which of it needs to be secured, and how exposed you are to risk, you can’t prove compliance to an auditor.

What could the department store above have done differently? Solutions are available that help discover and classify data, evaluate the associated risk and point out where sensitive information is inadequately secured. The store could also proactively establish the correct rights for users, and restrict access in the same processes that grant rights across all other systems.

An IT department must combat myriad threats to company data and meet multiple compliance regulations and internal policies as well. The right technology choices will provide much-needed data governance.
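The discovery step described above, as an added example that is not from the article or any vendor’s product: a small Python scanner that walks a directory of text-like files (CSV exports, notes), flags Luhn-valid card numbers, and reports whether each affected file is readable by everyone on the host. It assumes plain-text files (the scanned receipt images mentioned earlier would first need OCR), and `build_sample_dir` writes constructed sample files using a well-known test card number.

```python
import os
import re
import stat
import tempfile

PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, single space/dash separators

def luhn_valid(digits: str) -> bool:
    """Luhn check used by card networks; rejects most random digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidates found in text, masked to the last four digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def scan_directory(root: str) -> list[dict]:
    """Walk root; report files holding PANs and whether each is world-readable (POSIX mode bit)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue  # unreadable file: a real scan should log this as an audit gap
            if pans:
                world = bool(os.stat(path).st_mode & stat.S_IROTH)
                findings.append({"path": path, "pans": pans, "world_readable": world})
    return findings

def build_sample_dir() -> str:
    """Constructed sample data: a returns log holding a test PAN, and an order list without one."""
    root = tempfile.mkdtemp(prefix="pci_scan_")
    os.mkdir(os.path.join(root, "returns"))
    with open(os.path.join(root, "returns", "refunds.csv"), "w", encoding="utf-8") as fh:
        fh.write("date,customer,card\n2013-03-02,J Smith,4111 1111 1111 1111\n")
    with open(os.path.join(root, "orders.txt"), "w", encoding="utf-8") as fh:
        fh.write("Order 1234 5678 9012 3456 shipped; phone 0800 123 4567\n")
    return root
```

Findings with `world_readable` set are exactly the access-control gaps an auditor will ask about, and masking the numbers keeps the scan report itself from becoming another store of cardholder data.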