Clement James writes about a security expert who slams PCI, stating that the breach in the news "was almost certainly the work of hackers exploiting a single code flaw on internal systems." The expert goes on to say that "PCI takes a relaxed attitude towards internal machines."

While I agree that there is room for improvement on internal controls for PCI, remember, it's not designed to protect your entire enterprise. It is a baseline, and you should layer security on top.

The challenge is this: not until the end of last year did we see a compliance validation rate exceeding 60% among Level 1 merchants. If you make the standard too hard, you will have little or no adoption. You have to wait until you have enough momentum to add more security into it, but you will always have stragglers. The adoption rate would easily be less than 25% if there were more requirements on internal encryption or device security.