There’s always been a discrepancy between banks in their approach to getting their merchants and service providers PCI DSS compliant.
Some have had a very strong focus on PCI DSS compliance while others have been relatively quiet. In theory, there should not have been such a discrepancy. Merchants and service providers should always have received a consistent message, so that changing banks to defer PCI DSS compliance was never an option. Was it? Did many, or any, do it? For some, it definitely would have bought them time in my opinion.
It’s interesting that in 2010, after deadline after deadline for compliance has passed, there are still so many organisations out there where PCI DSS compliance is just not a priority (but where you know it should have been, a long time ago). What you have to question further is why a company down the road, in the same industry and about the same size, but with a different bank, has been investing heavily and working hard on compliance for two years under constant pressure from its bank.
To paraphrase a contact of mine in one of the aforementioned organisations, where the bank is doing little: “We know that we should be PCI compliant. We were prepared for some pain a couple of years ago, but it never came. It’s gone cold now. No one’s chasing us and, for the most part, it’s been forgotten. It may come back, but I can’t see it in the short term.”
Where is the consistency that will bring greater credibility? It’s only fair that some will question the overall program. How hard are the Card Brands fighting to keep the banks interested?