I'm actually OK with the former companies (that are doing their best) getting reasonable extensions and then being held accountable to make the agreed-upon progress. Getting PCI DSS compliant is a reasonably long and fairly hard struggle for a corporation that hasn't done much relative to security.
The other type of company should be drawn and quartered (and fined) and made to understand how important it is to safeguard customer data. But that is likely a losing battle.
In terms of why the banks would offer these extensions, it's a basic risk management decision. They assess the track record of the retailer and try to figure out how exposed they are to fraud. Then they decide if it's a good idea to issue the extension versus saying no and risking that the retailer will take its business elsewhere. Remember, merchant banking is a competitive business, and some banks will relax general risk standards if they think it's a good business decision.
Related Q&A from Mike Rothman, Contributor