Problem solve Get help with specific problems with your technologies, process and projects.

How are the PCI DSS deadline extensions affecting corporations' desire to become compliant?

Becoming PCI DSS compliant is hard work for financial institutions, but will deadline extensions help?

How are the PCI DSS deadline extensions affecting corporations' desire to become compliant? Why do you think banks and credit card companies are issuing these extensions?
Most of the extensions issued by banks have been kept relatively hush-hush. Obviously they don't want retailers to think they can put off doing the right stuff to get compliant. To specifically answer the first part of your question, there are basically two types of companies out there: those that are trying to do the right thing for their customers by getting compliant, and those that aren't as interested because they don't think a breach will happen to them. Thus they do the bare minimum at all times, such as putting off fixing things until the auditor shows up and forces the issue. I'm not sure why any self-respecting security professional would work in an environment like this.

I'm actually OK with the former companies (that are doing their best) getting reasonable extensions and then being held accountable to make the agreed-upon progress. Getting PCI DSS compliant is a reasonably long and fairly hard struggle for a corporation that hasn't done much relative to security.

The other type of company should be drawn and quartered (and fined) and made to understand how important it is to safeguard customer data. But that is likely a losing battle.

In terms of why the banks would offer these extensions, it's a basic risk management decision. They assess the track record of the retailer and try to figure out how exposed they are to fraud. Then they decide if it's a good idea to issue the extension versus saying no and risking that the retailer will take its business elsewhere. Remember, merchant banking is a competitive business, and some banks will relax general risk standards if they think it's a good business decision.

More information:

This was last published in January 2008

Dig Deeper on PCI Data Security Standard

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.