PCI DSS and Regulatory Compliance Blog

Procrastination of compliance

January 22nd, 2007 Posted in Compliance, Merchant

What troubles me most about PCI compliance is how loosely it is addressed. Compliance should be viewed as a no-brainer along with corporate insurance or SOX compliance, but instead it is pushed off and off as long as humanly possible. It is as if companies are in a state of eternal procrastination. The trouble with this is that compliance is not something that can be crammed.

Students in school will many times delay studying for an exam or delay working on a project because they do not want to deal with it. I feel that companies today are dealing with PCI compliance in the same manner. Some are working towards it while others are still putting it off. Although 50% of Visa Level 1 merchants are compliant, there are a number of companies still non-compliant after 2.5 years of warnings (since Sept. 30, 2004).

Many of these companies are merchants, like TJX, who have a number of retail locations. These companies are looking at potential “forklift” upgrades to their infrastructure in order to bring them into compliance with the PCI requirements. This huge capital cost has kept many companies from dealing with the problem, but procrastination is no longer an option. Starting in March and again in September (and December), companies will begin to see non-compliance fines for having delayed compliance with PCI.

Retail merchants who need to upgrade their store infrastructure in order to comply are looking at remediation timelines of 2-3 years. Had they started their remediation in late 2004, when the original deadlines for compliance were enforced, they would be finishing those projects today. Instead they are looking at rising costs due to fines and run a higher risk of compromise.

PCI is one of the few industry standards with actual teeth (aside from GLBA, SOX and arguably HIPAA), but many companies have ignored it, saying that “they only fine if you are compromised.” This is like saying, “I don’t own auto insurance because you only use it when you get in an accident.” Now the tables have turned, and many companies are in for a rude awakening as they receive non-compliance penalties in the absence of a compromise.
