It's fair to say that organizations have had ample time to achieve an acceptable level of compliance to the Payment Card Industry Data Security Standard (PCI DSS), but what we often see is pushback from the board level when it asks for clear-cut justification for PCI investment. Other times, the pushback comes from within the IT department, which is seeking to avoid the perceived disruption that implementing PCI will cause.
Add to this scenario the anecdotal feedback that while acquiring banks promote the need for PCI, they seldom have the focus and continual drive to monitor the status of compliance, making it all too easy for merchants to carry on just as they are.
Regardless of where the resistance or inertia comes from, the consensus is that adopting PCI DSS is a sensible thing to do from a security perspective. But like so many things in life, the common-sense view is outweighed by the perceived pain of achieving it. With PCI, there is no denying that it is complex and is likely to cause disruption, but the benefits ultimately outweigh the pitfalls.
With PCI being such a comprehensive framework, big thinkers argue that the requirements should be leveraged to provide security for company information as a whole and to protect against the ever-growing mainstream issue of identity theft. Losing cardholder data is one thing, but risking your customers' personal information is potentially far more damaging.
Fifty years ago, the state of Wisconsin introduced legislation requiring seat belts in cars, but few people used them because they were uncomfortable. So it was only in 1984, when the first state (New York) made the wearing of a seatbelt compulsory that the real benefits were realized. Only then did common sense become standard practice. Maybe personal information protection needs the same treatment.
