PCI is Not Enough

by Paul French
VP, Product & Solutions Marketing
Axway

If you Google “Heartland Payment Systems CEO auditor,” you’ll find a recent interview with said CEO, Robert Carr. Heartland is a credit card processor, and they recently got dinged because a whole lot of credit card numbers got stolen. The CEO’s position was that the company was PCI compliant, they did everything right, and the auditors were the ones who screwed up. Now, he wasn’t completely passing the buck (maybe a little bit), but he was trying to make a point to all who would hear it, and it’s this: PCI is not enough.

PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported.

And I completely agree. PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported, but it’s not enough to treat it like a box of soap (e.g., “Big Name Bank—Now with PCI compliance!”).

There was a time in the recent past when that was enough to get you off the hook. But that’s not going to help Heartland. It didn’t help a company called Hannaford Brothers, which had a data leak problem and was also PCI compliant.

It’s important to actually think about compliance as a modular effort. You have a certain set of tools and policies that evolve to satisfy the external regulatory bodies you’re forced to comply with. And that’s great. But it’s absolutely critical to go above and beyond the call of compliance so that legislative, regulatory, customer, partner and contractual requirements aren’t summarily forced upon you. Everyone will believe that you have what’s necessary to be secure, and rightly so.

You shouldn’t buy one solution that only addresses PCI any more than you should buy one car that only takes you to the office, one car that only takes you to the grocery store, one car that only takes you to the theater, and one car that only takes you to the football game. You should buy one car that takes you everywhere you need to go, and you should buy a comprehensive data security and compliance solution that will account for all the different needs of all the different venues, jurisdictions and industries that you participate in.

(Photo by djlicious: http://www.flickr.com/photos/djlicious/ / CC BY 2.0)
