You passed your PCI audit after months of preparation and monumental costs, and you hold a certificate that attests to it, but does a certificate actually mean that you’re secure?
There’s a lack of clarity between being PCI compliant and a compliant system or network actually being secure. Being PCI compliant means you have hired a third-party QSA and worked through the PCI Report on Compliance checklist of questions and requirements, which is designed to ensure that any credit card information in your possession is handled, stored and destroyed within a ‘safe’ environment. But PCI only covers payment and credit card data. What about other sensitive data, such as bank account numbers or personally identifiable information (PII) like Social Security or SIN numbers, full names, addresses, etc.?
Security goes well beyond compliance. PCI is an effective baseline security standard for the safe handling of payment card data, but it does nothing to secure an organization's infrastructure from other, peripheral vulnerabilities or threats. The PCI Security Standards Council is straightforward about the distinction between compliance and security, stating in early versions of PCI DSS that: “PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data”. PCI compliance does exactly that: it helps protect cardholder data.
The council cannot address every single risk that exists, because each business has its own infrastructure and security profile, which must be addressed independently and in concert with compliance. Data security is a broad spectrum of technologies and techniques that are critical to data integrity, regardless of whether a business is considered vulnerable or secure.
Thinking about tokenization, de-identification, masking or encryption?