Evan Schuman (Storefront Backtalk) wrote on Valentine’s Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while.

I think the most telling part of this is that the security and IT programs in some companies are so bad and so far gone that PCI is the only thing propping them up. Again, I still believe the PCI DSS is a good baseline for companies to start with, but PCI is tailored to the protection of cardholder data (duh): its requirements stop at the boundary of the cardholder data environment, so a program built only to pass PCI leaves everything outside that scope uncovered. Companies should be taking a broader look at their security and IT postures, extending beyond PCI.

PCI can also be an excellent poster child for building a security program. If you can get it right with PCI first, you can use your experience to extend that program into other areas of the company (take it up a level).

This post originally appeared on BrandenWilliams.com.