Improving general system security, particularly with respect to SQL injection attacks, will also help to reduce the incidence of breaches.
The payment card industry threatens non-compliant organisations with financial penalties, but it is reluctant to use these powers, and proof of liability for a specific card breach is difficult to assign to a particular player. If the industry wanted to force all players into compliance then it would have to threaten to withdraw the card-handling franchise from the non-compliant merchant. It seems unwilling to go this far. Even if it did do so, vulnerabilities resulting from the limitations in the standard would remain, along with the limitation that PCI compliance is based on a point-in-time inspection.
A more palatable way forward would be to issue compliant organisations with a logo that they could display in their premises and on their websites so long as they remained compliant. This would give customers confidence in the same way as the SSL certificates on websites, and would embarrass non-compliant card handlers into rectifying their omissions.
Better still, the payment card industry should use its influence to encourage card handlers to enhance their overall security practices.