How to sell compliance

Visa finally figured something out toward the end of 2006 -- most companies don't feel enough pain to go through the efforts and cost to become PCI compliant. This is no shocker as PCI readiness can cost companies tens of millions of dollars in infrastructure and information system upgrades. I have long been a believer that until some real serious pain is felt -- and I'm talking someone dying (literally) or a company being sued for hundreds of millions of dollars -- we won't see sweeping change or progress in compliance to information security standards or identity theft.

Well, in December, Visa may have taken the first step at proving me wrong. And they're doing it with the oldest trick in the book -- they're buying people off. And I say good for them!!

See this story by Evan Schuman for background, but the basic deal is that Visa will pay retailers to become PCI compliant by August 31, 2007.  If you can't beat them into submission with fines (Visa handed out $4.6 million in PCI fines in 2006) then pay them to comply. 

It is pretty pathetic that less than 40% of Level 1 merchants are PCI compliant, and less than 20% of Level 2 merchants. These are the companies that process more than 1,000,000 Visa transactions per year. Which means that YOUR credit card probably passes through a non-compliant clearinghouse.

The only catch to the program is that Visa will actually pay the dough to the bank that acquires and processes the credit card information and they, in turn, will pay the retailers. A good pyramid-scheme strategy taken by Visa here, too. Get the retailers wanting cash rewards and they will pressure their card processing banks to join the compliance love fest. Brilliant.

Kudos to Visa -- yet another positive step to constructively encouraging more secure information systems.  Gee, I wonder if the TJX incident had anything to do with this.... ~;^)

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)