Wednesday, October 31, 2007

Merchants Challenged to Comply with PCI Standards

As a follow-up to the prior blog post, recent reports from VISA USA illustrate the Faustian choice many merchants face when considering what to do about the requirements for PCI-DSS compliance. Former Level 4 merchants had until September 30, 2007 to demonstrate compliance, with non-compliance carrying stiff penalties. However, the complexity of the standards and the expense of overhauling IT practices have caused many merchants to decide to accept the fines rather than incur the expense. This is an unfortunate development for the cause of privacy professionals and others who have been advocating tighter security standards as the best preventive step against data security breaches. The President and CEO of VISA, Philip Coghlin, recently indicated that only 20% of VISA merchants are PCI-DSS compliant. But he also indicated that the industry was advocating even tighter security standards. Such an approach ignores the effect that merchant noncompliance with the security standards may have on consumer trust in e-commerce. If the standards are so difficult to comply with that compliance is lagging, consumer confidence in the electronic delivery system could erode.