Unless *all* datafiles on your client's system are encrypted, also, and I don't think even that's enough.
ObDisclosure: I worked for about 4 months on a contract at Trustwave, a root CA.
Leaving that huge hole in your defenses... I suggest you look, if you don't already know, at .
From the 1.2 std: "Firewalls are a key protection mechanism for any computer network. Other system components may provide Firewall functionality, provided they meet the minimum requirements for Firewalls as provided in Requirement"
Even all data between two systems *MUST* be encrypted, for full compliance, if you're doing your own.
So, what this vendor is doing... I'd say you and your client need to reread the contract *VERY* closely, and if they say they're adhering to stds, they're in violation of the contract.