
Is meeting PCI DSS standards enough to protect customer data?

In the wake of several high-profile data breaches, #GRCchat participants discuss whether meeting PCI DSS standards is an effective step toward better customer data protection.

Another week, another credit card breach? It's seemed that way lately with the recent string of big-name companies like JPMorgan Chase, Home Depot, Kmart and now potentially Staples falling prey to cybertheft. One question on many IT professionals' minds: Is compliance with PCI DSS standards enough to protect our data?

The Payment Card Industry Data Security Standard (PCI DSS) was introduced as a set of policies and procedures intended to improve the security of credit, debit and cash card transactions and protect cardholders' personal information. It has become clear, however, that PCI DSS standards are not a catch-all system for keeping payment information safe. In SearchCompliance's recent #GRCchat, site editors and fellow tweeters discussed the effectiveness of PCI DSS compliance regulations and proposed improvements that might better secure credit card data.

Do the stipulations outlined in PCI DSS compliance requirements represent sound customer data protection strategy? Why or why not?

Participants, including SearchCompliance Site Editor Ben Cole, agreed that meeting PCI DSS standards is a solid foundation for companies, but that it is not enough to fully assure data protection. In other words, PCI compliance doesn't mean you can "set it and forget it" when it comes to protecting payment information.

One participant pointed to risk management and cost control as important considerations for companies looking to go above and beyond the PCI DSS standards, touching off a dialogue on security and customer convenience in retail companies.

What are some specific instances in which PCI DSS compliance processes are lacking from a customer data protection standpoint?

When discussing the challenges around PCI DSS compliance, participants noted that unnecessary complexity can distract organizations from their larger security goals. Streamlining the process can allow organizations to spend more time and energy monitoring data flow.

Another participant called attention to a lack of proper patch management -- particularly around point of sale (POS) devices -- as a potential weak point in securing customer payment data. Regularly installed patches ensure the highest possible level of vulnerability management, he said, and companies need to do a better job of monitoring overall system health to help prevent vulnerabilities.
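The patch-management point above is easy to state and hard to act on without an inventory check behind it. The following is an added example, not code from the article or from any participant: it compares each POS host's installed package versions against a baseline of required patch levels and flags hosts that are behind, marking those past a 30-day window as overdue (the assumed window follows PCI DSS v3.0 requirement 6.2, which asks for critical patches within one month of release). The package names, versions, release dates and host inventory are all constructed for illustration.

```python
"""Flag point-of-sale hosts whose patch level has fallen behind a baseline.

Added example with a constructed inventory; nothing here is data from the
article. Run it directly to print a report, or call audit() from other code.
"""
from dataclasses import dataclass
from datetime import date

# Constructed baseline (hypothetical package names and versions): the minimum
# patched version of each POS software package and the date that fix shipped.
BASELINE = {
    "pos-terminal-agent": ("4.2.7", date(2014, 9, 15)),
    "pos-payment-lib": ("2.11.0", date(2014, 8, 30)),
}

# Assumed SLA: PCI DSS v3.0 requirement 6.2 asks for critical security patches
# to be installed within one month of release.
MAX_PATCH_AGE_DAYS = 30

# Constructed "today" for the sample run, chosen to sit after both fix dates.
SAMPLE_TODAY = date(2014, 10, 20)


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    required: str
    days_since_release: int
    overdue: bool


def parse_version(version: str) -> tuple:
    """Split '2.9.12' into (2, 9, 12) so comparison is numeric, not lexical.

    A plain string comparison ranks '2.9.12' above '2.11.0', which would
    silently mark an unpatched host as current.
    """
    return tuple(int(part) for part in version.split("."))


def audit(inventory: dict, today: date) -> list:
    """Return one Finding per host/package pair that is below the baseline.

    inventory maps hostname -> {package: installed_version}. A package that
    is absent from a host is reported as 'absent' and treated as behind,
    since an unmanaged POS component is itself a gap in coverage.
    """
    findings = []
    for host, packages in sorted(inventory.items()):
        for package, (required, released) in BASELINE.items():
            installed = packages.get(package)
            behind = installed is None or parse_version(installed) < parse_version(required)
            if not behind:
                continue
            age = (today - released).days
            findings.append(
                Finding(host, package, installed or "absent", required, age, age > MAX_PATCH_AGE_DAYS)
            )
    return findings


# Constructed sample inventory of POS hosts (hypothetical names, not real systems).
SAMPLE_INVENTORY = {
    "pos-lane-01": {"pos-terminal-agent": "4.2.7", "pos-payment-lib": "2.11.0"},
    "pos-lane-02": {"pos-terminal-agent": "4.2.5", "pos-payment-lib": "2.11.0"},
    "pos-lane-03": {"pos-terminal-agent": "4.2.7", "pos-payment-lib": "2.9.12"},
    "pos-lane-04": {"pos-payment-lib": "2.11.0"},  # agent missing entirely
}


def main():
    for f in audit(SAMPLE_INVENTORY, SAMPLE_TODAY):
        status = "OVERDUE" if f.overdue else "behind, within window"
        print(f"{f.host}: {f.package} {f.installed} < {f.required} "
              f"({f.days_since_release} days since fix; {status})")


if __name__ == "__main__":
    main()
```

Two details carry the weight here: versions are compared as integer tuples so that 2.9.12 correctly sorts below 2.11.0, and the age of the missing patch is measured from the vendor's release date rather than from the last scan, which is what turns a "behind" host into an SLA breach that an assessor would ask about.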

Can better PCI DSS audit processes determine where data security is most vulnerable, and could they have helped prevent recent high-profile breaches?

Compliance enforcement and assessment measures, such as audits, are good tools for confirming that security measures and processes are in place, are functioning properly and are kept up to date. But regulatory compliance doesn't necessarily mean better security, according to some participants, who debated the importance of an improved audit process in pinpointing security flaws.

Do you think adherence to PCI DSS standards is enough to protect your company's consumer data? What more should be done? Please sound off in the comments section below.



Does compliance with PCI DSS standards alone give you confidence in your cybersecurity strategy? Why or why not?