EXPERT RESPONSE
Most of the extensions issued by banks have been kept relatively hush-hush. Obviously they don't want retailers to think they can put off doing the right stuff to get compliant. To specifically answer the first part of your question, there are basically two types of companies out there: those that are trying to do the right thing for their customers by getting compliant, and those that aren't as interested because they don't think a breach will happen to them. Thus they do the bare minimum at all times, such as putting off fixing things until the auditor shows up and forces the issue. I'm not sure why any self-respecting security professional would work in an environment like this.
I'm actually OK with the former companies (that are doing their best) getting reasonable extensions and then being held accountable to make the agreed-upon progress. Getting PCI DSS compliant is a reasonably long and fairly hard struggle for a corporation that hasn't done much relative to security.
The other type of company should be drawn and quartered (and fined) and made to understand how important it is to safeguard customer data. But that is likely a losing battle.
In terms of why the banks would offer these extensions, it's a basic risk management decision. They assess the track record of the retailer and try to figure out how exposed they are to fraud. Then they decide if it's a good idea to issue the extension versus saying no and risking that the retailer will take its business elsewhere. Remember, merchant banking is a competitive business, and some banks will relax general risk standards if they think it's a good business decision.
More information:
|
