Going through some email over here and looked through the recent edition of The Aegis from the Society of Payment Security Professionals, and found a great little snippet from Chris Mark entitled “Wear Your Seatbelt…and Maybe a Helmet.” In it, he pulls a quote from the PCI SSC that seems directed at detractors of the PCI DSS. They state:

“The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS and remaining in full compliance.”

Chris points out that this seems to imply that PCI DSS is the high water mark, not the baseline from which you should build a program. It may just be that a technical writer needs to get in there (as a recent press release demonstrates) and add a few words, or it could be positioning on the part of the council. What Chris and many of us are trying to say is that the quote should probably read something like this:

“The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS, remaining in full compliance, and customizing additional security measures to build upon the base requirements of PCI as appropriate for their business.”

Not all companies should consider end-to-end encryption for every single transaction they process, but then again, some should. Not all merchants should eliminate all paper records from their store locations, but then again, some should.

PCI is, and always will be, a baseline. It is based on good (note, NOT best) security practices, and is designed to be a catch-all for everything that touches cardholder data. There are obvious limitations to the catch-all, which are well addressed in the Self Assessment Questionnaire model that was released just over one year ago.

Just because we have not seen a fully compliant company breached doesn’t mean that it is not possible. It just means that the bad guys don’t need to poke holes in the standard yet because not all companies take it seriously.

This post originally appeared on BrandenWilliams.com.