Spectrum Online: Tomorrow's Technology Today

Personal Data Security Now Better?

Starting last Monday, large retailers that accept payment by credit card began facing fines of $5,000 to $25,000 per month if they are not in compliance with the Payment Card Industry (PCI) data security standard. Unfortunately, according to news reports, at least half of them won't meet it.

Why? Cost of course.

It is expensive to implement the PCI standard if you haven't been very diligent about IT security in the past, and just as expensive to prove that you are now in compliance. The public companies that have had to comply with Sarbanes-Oxley can regale you for hours about the difficulties (and costs) of proving compliance with an enterprise-wide standard.

Also, these non-compliant retailers may be looking at the massive data breach and its aftermath at TJX and reasoning that non-compliance is worth the risk and the fine. TJX's stock hasn't tanked, its 2007 revenue is up, and customers seem to have forgotten about the incident. Yes, there was some short-term financial loss and bad PR, but overall, even in retrospect, non-compliance may look to TJX like an acceptable cost-of-doing-business decision.

Of course, as a customer, I wouldn't agree, but currently the incentives for PCI compliance, and the disincentives for non-compliance, are not great enough to change corporate behavior.

And since the retailers won't change, they won't be able to get their suppliers to change their IT security behavior either. Hence, expect more stories like the one in which a supplier to the clothing retailer Gap lost a laptop holding the personal information of 800,000 job applicants. Gap said the supplier had not encrypted the information, in violation of Gap's corporate policy. Surprise, surprise.

Posted on October 3, 2007, 6:05 AM.