We are hearing more and more rumblings these days about making PCI the default standard for infosec, and a lot more legal rumblings about making its standards enforceable as state law. Minnesota has already passed the standards into law, and Texas seems to be next.
While I see the PCI standards as a step forward for credit card companies, I am not so sure that enforcing them as law is a good thing. Over-legislation has done little to secure the Internet thus far (remember the CAN-SPAM Act?), and in some cases it has caused so much legal confusion that small rebellions have broken out (see the DMCA for this one!). I am not sure that organizations will become compliant just because it is law, as opposed to just being a rule from their card processors. After all, does the amount of “large fines and penalties” really matter? Does it really change behavior? I just don’t believe it does.
Nonetheless, PCI has certainly gained momentum and public recognition. Many of our clients who don’t even process credit cards have begun asking about it, citing it as a standard and asking for a gap analysis between their processes and the DSS requirements. Many of them believe that in the not too distant future, courts may see PCI DSS as the de facto security baseline that helps them determine the difference between liability and negligence for just about all organizations, not just credit card dependent ones. One thing is certain: now would likely be a good time to become familiar with the PCI rules, because your management may be asking you about them sooner rather than later.