41 of 74 respondents to
a poll on Anton Chuvakin's
Security Warrior blog put PCIDSS top of their list of concerns. Alright it was a leading question and unscientific, but I'm pleased to see such interest anyway. Maybe this reflects the looming
Level 1 deadline for full compliance and regular audits. Maybe it's the fact that the PCI are now
collecting fines at an alarming rate. Whatever, up to now we've seen a very slow uptake for a mandatory standard with tough penalties and this is good news. I guess the standard's arrival during a recession has caused a bit of a "wait and see" attitude in the boardroom. But this is risky. PCIDSS is not just another regulation. If you're not compliant, you're at risk of serious fraud, data loss and reputational damage.
You shouldn't comply with PCIDSS to get a tick in the box and a certificate for the lobby. You should do it to preserve your business.