PCI DSS Compliance and Security: Harmony or Discord? - 2 September 2010

The Payment Card Industry Data Security Standard (PCI DSS) provides data protection requirements for organizations that process card payments. These requirements evolve over time and have even become adopted by some US states, including Minnesota, Nevada, and Washington. While organizations that fully comply with PCI DSS are considered secure credit-card processors, compliance and security are not one in the same. An organization can be compliant and still experience a security breach – look no further than Heartland Payment Systems and RBS WorldPay. Both had achieved PCI DSS compliance at one point, only to suffer massive data breaches that cost tens of millions of dollars. So what good is compliance? What is the difference between compliance and security? And how can organizations effectively move beyond PCI DSS compliance to ensure the security of all their critical information?