Data Security: Why PCI DSS Alone Doesn’t Cut It

A few months ago, Daniela Hagen, the Compliance Director at cleverbridge, shared some of her expertise with Software Advice, an IT security research firm, in their post on 6 Popular Ecommerce PCI DSS Myths Explained. In that article, we learned that even if you outsource your ecommerce capabilities, you should still know and understand what it means to comply with the ever-important requirements of PCI DSS (which stands for payment card industry data security standards) for your business. For example, if your payment processing is outsourced to a third-party provider, but you are accepting customer payments over the phone, then your VoIP phone solution is subject to PCI compliance standards.

This type of information is extremely important for independent software vendors. In our Safety First: Security Standards for Ecommerce post, Hagen noted: “Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make.” Furthermore, “PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels; this not only allows them to be compliant but also makes them more trustworthy and competitive.”

Suffice it to say, data security has a significant impact on your bottom line: not just in terms of the costs of compliance, but also in terms of the revenue that customers provide your business.

The difference between PCI compliance and PCI certification

PCI compliance simply means that merchants and service providers who process or store credit card information must adhere to the standards set forth in the 112 pages of the current Requirements and Security Assessment Procedures produced by the PCI SSC (Security Standards Council).

PCI certification, on the other hand, is required for those merchants who reach a certain threshold of processed transactions, something like six million per year. According to the PCI SSC, that volume of activity places those companies in a different category than those who process a smaller number of transactions, because of the former’s greater level of risk.

Companies that process fewer transactions still require PCI compliance, but compliance in this case is achieved primarily through self-assessment. This self-assessment is less rigorous than acquiring certification, as it does not require an external audit and its veracity is rarely investigated. The effectiveness of the assessment can also be undermined when it is performed by an internal security expert. This is problematic because those experts are employees of the companies they are assessing. They are often beholden to the company’s business processes, or to the executive team’s opinions, which can trump actual security requirements. PCI certification, as mentioned above, is much more rigorous, and requires an outside audit from a qualified security assessor.

Now, even if you are certified PCI compliant by an external assessor, does it mean that your business is completely secure? Nope. Rippleshot’s Evaluating PCI Standards in the Wake of High-Profile Security Breaches blog post concludes that, “Even if a retailer is PCI compliant, said retailer can still fall victim to a data breach.” With all the brouhaha surrounding PCI compliance, we need to understand why it isn’t enough to protect your entire business, and what you can do to strengthen your information security.

We all remember what happened when companies like Home Depot and Target suffered data breaches. They were PCI compliant, but it didn’t protect them from a massive security breach. They relied on the minimum set of requirements instead of making an effort to plug every hole, so to speak. What went wrong?

According to Hagen, the fact is that PCI DSS requirements are much too limited in scope to protect your entire business. Think about all the other payment methods your customers use to complete their orders through your online shopping cart. If you want to see success in today’s global ecommerce market, it’s not enough to rely entirely on credit card payments. Many regional payment preferences, like direct debit in Germany, Konbini in Japan or Boleto in Brazil, are not taken into account when it comes to protecting your data and securing your customers’ trust.

So, the first rule of ecommerce is: be PCI compliant.

Rule number two is: broaden your horizons; widen your scope.

International Organization for Standardization (ISO)

The ISO predates PCI and covers a wider range of issues. For example, the standards of quality assurance for products are defined by ISO standards in the 9000 category; food safety falls under 2200. The body of standards for information technology falls under the rubric of ISO 27001. As their website notes, “Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification.”

In the ISO scope, each company defines its own assets and assigns each asset a value, which results in a hierarchy of importance for all of your company’s assets. Assets include not only credit card information but all your other payment data. Additionally, your assets include data related to “intellectual property, employee details or information entrusted to you by third parties.” Each asset is then assessed for risk: what kind of loss would ensue if that asset were threatened by hackers? The security requirements implemented to counter those risks are then determined through the lens of the ISO 27001 standards.

The PCI SSC essentially took the ISO procedures and framed them exclusively around credit card information. Hagen, therefore, recommends that when you’re trying to determine your information security requirements you should not limit your scope to PCI standards; rather, you should incorporate those from ISO as well.

Protect yourself, but be prepared

The only 100 percent, surefire way to protect your customer data is to stop processing payments completely – but then you won’t have a business. And still, even with all the compliance standards in place, a savvy hacker may one day infiltrate the bunker that stores your data. You need to have a strategy in place for this event. The last thing you need is to be caught off guard by a security breach. Now is the time to decide what information you need to communicate, to whom you need to communicate it, and how you are going to communicate it.

An information security breach will be painful no matter how much you prepare; your strategy should be to minimize the consequences as much as possible. Explain what happened, and how you are fixing it. The main thing is to not run around like a chicken with its head cut off.

PCI DSS compliance helps protect your business, but your data security vulnerabilities are not limited to the credit card payment information stored on your servers. Ensure that you are protecting all your business assets, and establish procedures for limiting the fallout of a data breach.