The simple answer is because the PCI and PA -DSS programs that piloted in 2001 with Visa Inc. (Thats ten years ago people) and are supposedly mandatory for all merchants and service providers processing, storing or transmitting cardholder data are not being aggressively enforced by every "ENFORCER"! The Enforcers being those that created the program and are responsible for assuring that all merchants and service providers are annually assessed and validated.
The Generals of Enforcement are the Card Brands: Visa, MasterCard, Amex, Diners and JCB et al. They hand off the actually enforcing to their Captains the Acquiring Institutions, who are responsible for issuing merchant accounts to merchants to be able to process, store, and/or transmit cardholder transactions for payment of goods and have those revenues settled into the merchants bank account.
Does anyone out there find it odd that the Card Brands and Acquirers that are being paid by the merchants and service providers for the priviledge of having a merchant account to take payment by credit cards, and are supposed to be assessed annually for compliance of their security methodologies through PCI and PA-DSS programs, are the actual Enforcers???
Do you wonder why businesses and charities are having trouble maintaining compliance or even achieving it all after a decade of introducing PCI in its first incarnation as AIS/CIPS/SDP through Visa and MasterCard! I find it not only odd but an interesting conflict of interest!
How can the companies (Card brands and Acquirers) who are paid by their merchants and service providers (those that are supposed to mandatorily comply annually to PCI and PA-DSS) be expected to enforce their own clients objectively??? These enforcers have to maintain their own business bottom lines through revenues generated by their clients(the merchants and SP's supposed to be compliant annually) and then they are responsible for reporting these revenues to board directors/shareholders regarding their revenue and profit (gotta pay those bonuses and dividends people, gotta keep that share price up) whether you are a public or a private company???
So what are you going to do if you as the enforcer have clients that push back on being PCI or PA compliant and believe me most of them do...are you,( because you need that revenue stream to help pay your payroll, admin costs, year-end bonus), going to tell your client to go elsewhere, pull their merchant account thus losing that revenue stream, or are you going to go...oh...Ah, well... there was a deadline but lets extend it???
Hey did you all know that the first MANDATORY deadline for PCI compliance was December 31, 2005!!! I have peers that achieved their first compliance in 2002 and we came in 2003! Boy were we stupid to spend all that money year in and year out (and yup we are still spending it annually to show our compliance) when the majority of service providers are still not compliant or better yet don't have to validate with a QSA as we do!
LOL...its now almost December 2011 and we aren't even close to getting all merchants and service providers annually assessed so that we can all get on the same page to begin a PROACTIVE assault on the criminal activity that wreaks havoc on our financial systems, steals our identities and our money!!
Never mind the threat to all of our national and global security with such a lackadaisical approach to enforcing the only so-called mandatory security requirements we have in our industry.
This isn't Rocket Science folks. Its a straight forward approach that is required utilizing the trained security professionals we have available to us. We need an independent group of security professionals assigned to ENFORCE a great security program so that every merchant and service provider has their security policies, procedures and methodologies validated by a Qualified Security Professional!!
Providing SECURITY EDUCATION AND TRAINING to every organization from the smallest to the largest, IS THE KEY INGREDIENT, until security becomes as ingrained in our consciousness as is the ease of sliding our debit and credit cards into slots to pay for our goods and services!!!
And guess what...then that security KNOWLEDGE AND TRAINING comes home so that everyone will be better able to maintain their home computers, tablets and mobile devices(Okay I am pushing it with mobile devices at the moment) - but if we don't get on this soon - the criminals will wreak even more havoc than they do now because its way way too easy for them to get what they want whenever they want!!! 10 card numbers here, 100 over there...75 at another spot and so on and so on!
So Stay tuned - my rant has just begun because this lackadaisical approach to attaining and maintaining so called mandatory security requirements is creating irreparable financial harm for our companies and most likely for some of our peers in the industry!
I am not happy about this believe me as there is no reasonable excuse after almost a decade of AIS/CISP/SDP/PCI's inception. And some of the things I heard at the PCI conference in Phoenix curled my hair - and just when I thought it couldn't get any curlier!!!