Posts

Showing posts from April, 2009

PCI-DSS Compliance or an Insurance for the Card Companies

Is PCI-DSS enough to ensure the security of personal data? Is it even the minimum required to protect user information? The way the standard has been prescribed, it looks more like a system designed to transfer liability from the card-issuing organizations to the organizations that handle information on their behalf. If the controls are adequate, why are there still breaches? Is the system designed to protect the end user sufficient and complete enough to warrant a certification? What does the certification actually achieve? If you look at the issues at hand, it is clear that the problem is not with the organization handling the data but with the protection such systems afford to personal information. Has the card industry, to protect itself, imposed on organizations that process credit/debit card information a publicly available standard that has gone through peer review and public scrutiny, yet is still inadequate? The balance between what is prescribed in the standard and what is required