Why are Businesses Failing to Comply with PCI DSS?

Oct 11, 2011

The simple answer is because the PCI and PA-DSS programs that piloted in 2001 with Visa Inc. (that's ten years ago, people) and are supposedly mandatory for all merchants and service providers processing, storing or transmitting cardholder data are not being aggressively enforced by every "ENFORCER"! The Enforcers are those that created the program and are responsible for assuring that every merchant and service provider is annually assessed and validated.

The Generals of Enforcement are the Card Brands: Visa, MasterCard, Amex, Diners and JCB et al. They hand off the actual enforcing to their Captains, the Acquiring Institutions, who are responsible for issuing merchant accounts so that merchants can process, store, and/or transmit cardholder transactions for payment of goods and have those revenues settled into the merchant's bank account.

Does anyone out there find it odd that the Card Brands and Acquirers, which are paid by the merchants and service providers for the privilege of having a merchant account to take payment by credit cards (the same merchants and service providers that are supposed to be assessed annually for compliance of their security methodologies through the PCI and PA-DSS programs), are the actual Enforcers???

Do you wonder why businesses and charities are having trouble maintaining compliance, or even achieving it at all, a decade after PCI was introduced in its first incarnation as AIS/CISP/SDP through Visa and MasterCard? I find it not only odd but an interesting conflict of interest!

How can the companies (Card Brands and Acquirers) who are paid by their merchants and service providers (those that are supposed to comply annually with PCI and PA-DSS) be expected to enforce the rules on their own clients objectively??? These Enforcers have to maintain their own bottom lines through revenues generated by those same clients (the merchants and SPs that are supposed to be compliant annually), and then they are responsible for reporting to their board directors/shareholders on revenue and profit (gotta pay those bonuses and dividends, people, gotta keep that share price up), whether they are a public or a private company???

So what are you going to do if you, as the Enforcer, have clients that push back on being PCI or PA-DSS compliant (and believe me, most of them do)? Are you, because you need that revenue stream to help pay your payroll, admin costs and year-end bonuses, going to tell your client to go elsewhere and pull their merchant account, thus losing that revenue stream? Or are you going to go... oh... ah, well... there was a deadline, but let's extend it???


Hey, did you all know that the first MANDATORY deadline for PCI compliance was December 31, 2005!!! I have peers that achieved their first compliance in 2002, and we came in in 2003! Boy, were we stupid to spend all that money year in and year out (and yup, we are still spending it annually to show our compliance) when the majority of service providers are still not compliant, or better yet don't have to validate with a QSA as we do!

LOL... it's now almost December 2011 and we aren't even close to getting all merchants and service providers annually assessed so that we can all get on the same page and begin a PROACTIVE assault on the criminal activity that wreaks havoc on our financial systems and steals our identities and our money!!

Never mind the threat to all of our national and global security from such a lackadaisical approach to enforcing the only so-called mandatory security requirements we have in our industry.

This isn't Rocket Science, folks. It's a straightforward approach that requires the trained security professionals we already have available to us. We need an independent group of security professionals assigned to ENFORCE a great security program so that every merchant and service provider has their security policies, procedures and methodologies validated by a Qualified Security Professional!!

Providing SECURITY EDUCATION AND TRAINING to every organization, from the smallest to the largest, IS THE KEY INGREDIENT, until security becomes as ingrained in our consciousness as the ease of sliding our debit and credit cards into slots to pay for our goods and services!!!

And guess what... then that security KNOWLEDGE AND TRAINING comes home, so that everyone will be better able to maintain their home computers, tablets and mobile devices (okay, I am pushing it with mobile devices at the moment). But if we don't get on this soon, the criminals will wreak even more havoc than they do now, because it's way, way too easy for them to get what they want whenever they want!!! 10 card numbers here, 100 over there... 75 at another spot, and so on and so on!

So stay tuned; my rant has just begun, because this lackadaisical approach to attaining and maintaining so-called mandatory security requirements is creating irreparable financial harm for our companies and most likely for some of our peers in the industry!

I am not happy about this, believe me, as there is no reasonable excuse almost a decade after the inception of AIS/CISP/SDP/PCI. And some of the things I heard at the PCI conference in Phoenix curled my hair, and just when I thought it couldn't get any curlier!!!
