Though data-security standards are in place to help merchants, processors and others in the payments industry to protect data, businesses should do more to outpace criminals, note industry insiders. "More needs to be done than simply undergoing an annual assessment and keeping up to date with security fixes and patches" for the standards, says a spokesperson for Princeton, N.J.-based processor Heartland Payment Systems Inc. Moreover, the Payment Card Industry data-security standards "are not meant to be exhaustive," Ellen Richey, chief enterprise risk officer at Visa Inc., stated at the Visa Security Summit in Washington, D.C., in March. "The standards provide a strong foundation, and the best strategies build on that foundation to create a multilayered and evolving defense." Nick Holland, senior analyst at the Boston-based research and advisory firm Aite Group LLC, agrees: "Raising the bar" on security above the provisions outlined in the PCI standards and adding additional security measures, such as complete encryption, can help the industry increase safety, he says. With complete encryption, sensitive cardholder information is encrypted along the entire transaction process and is unusable if stolen by thieves.