(Look out, the cynical bus is driving by!)
The big elephant in the PCI room is simply how fucking expensive truly meeting the requirements is (for SMBs and others). Between capital costs, process changes, slowing down business, staff knowledge/training and man-hours…it’s not nearly as small a pill to swallow as ya might think. And even if you get it done, the people behind it have a few more grey hairs, have burned plenty of political credit, and have new drinking problems! (Or you work in a large enterprise, so it’s slightly easier to swallow.) More than likely they also now have dire staffing issues.
Mike Richardson has a great blog post about implementing PCI DSS in a web hosting environment. The end result? It’s dishearteningly expensive, and customers aren’t asking for it.
What really sucks about admitting PCI is expensive? I’m also saying *security* is expensive. And it is! Then again, pressing 150 lbs is tough, too, but you’ll get there if you start at 75 lbs and work at it. (Don’t mock me in regards to my analogy!)
Compliance is still just part of what I call the big gamble in security (and enterprises). You know you should do more, you know you should look at that log today, you know your staff should be properly checking their controls, you know you’re not allowing your QSA to see the whole picture…but you gamble that things will be fine and continue on as you otherwise do, following the path of least resistance that you can get away with. Entire organizations operate that way, let alone executives, managers, and employees.