Is PCI Compliance Enough Security?
So, I get asked quite a bit whether PCI compliance is enough security for small businesses.
First, let us define PCI compliance. PCI DSS stands for Payment Card Industry Data Security Standard, and "PCI compliance" is shorthand for meeting that standard.
What is important to realize here is that PCI compliance has a very specific goal in mind: protecting credit cards and payment data. In most instances, your payment processor will require you to certify that you have met the standards for protecting such data. They may go as far as scanning your network and asking you to make security changes to tighten overall network security.
At first glance, this may appear to be enough to handle your cybersecurity overall. And, while it is a great start, it is simply not enough.
You see, because the goal of being PCI compliant focuses on credit card and payment data, it misses several other essential components of a complete security solution. It does not, for example, address vulnerabilities in email or web browsing. It does not involve training staff beyond how to handle payment card data.
Further, depending on the payment processor, the requirements for your network may be relatively minimal. This is especially the case if you are using a processor that assumes a chunk of the responsibility, or one that does not store any of the data on your network.
PCI compliance may be a good start because it looks at tightening up security as it relates to blocking unwanted traffic from the Internet. It ensures that your hardware, such as routers, firewalls, and wireless access points, is secure. You may even be required to add a secondary public Wi-Fi network to segregate any credit card processing devices from your current network.
While these are all good things, they still leave several gaps in the overall security policy.