According to Lewis, this is because after going through PCI compliance procedures, company executives learn that it is ???not just an IT problem??? and it is unfair to burden the IT department with compliance implementation.???There is a large part of the PCI standards which relate to securing systems and infrastructure but there are a lot of other policies and processes related to human resources