The Payment Card Industry Data Security Standard — PCI DSS — has been around for a few years and has seemingly done a good job of keeping credit card data safe.
No, it’s not a binding regulation, and there’s not a lot of official enforcement. But PCI DSS compliance has worked well for those who adhere to it — so much so that some PCI experts are calling for PCI to be used in other areas of risk management. After all, data privacy is data privacy, right?
That was the contention of some who congregated at the PCI Security Standards Council (PCI SSC) European Community Meeting in London recently, according to SearchSecurity.co.uk.
SearchCompliance.com contributor Kevin Beaver, of Principle Logic LLC, a noted expert in PCI DSS compliance, thinks this is a good idea.
“Many organizations would benefit from implementing PCI-type controls across other areas of the enterprise,” Beaver wrote in an email. “One of the things I see people struggling with is where to start with managing enterprise information risks. In particular, people get caught up in NIST for this, HIPAA for that and ISO/IEC for everything else. This approach can create unnecessary complexity which, as we’re all learning, is the enemy of security. In the end, all of these regulations, standards and frameworks address the same fundamental issues. It’s merely a matter of deciding on what’s best for your systems in the context of your business. The important thing is to not let apathy set in — just do something.”
I agree. There are plenty of areas where a bottom-up approach to data privacy is needed, and if PCI DSS compliance works and is widely accepted, you should do it. But remember, you are not necessarily secure just by being compliant with some standard framework. However, if you practice good security, with up-to-date hardware, software and policies, you likely will be in compliance with some standard. Find one that works for you.