The PCI DSS program has been in place in its original incarnation as AIS/CISP since 2001! Why, then, are so few organizations worldwide compliant? Why are so many service providers still doing business "flying under the radar"? Could it be that the card associations aren't serious about security? Or could it be that politics, and people in decision-making positions who lack real hands-on knowledge of online payment systems and applications, have kept this well-intended, very necessary, and supposedly mandatory security program from moving forward quickly and effectively? It has been six years since the program began its pilot as AIS/CISP!
Gartner's analysis suggests that the PCI audit program has been "shallow, random, and incomplete."
Gartner believes the program needs to be updated with more practical implications for the organizations that must comply.
Some requirements are impractical to implement; card-level encryption, for example, would require the support of POS terminal manufacturers.
Visa and MasterCard may not be able to support the program effectively: they are apparently unable to answer program questions, especially in the area of mitigating (compensating) controls.