I've written about this before. According to the Verizon survey of 2015, 80% of companies are not compliant with the Payment Card Industry Data Security Standard (PCI DSS).
That's massive. It means that only a 20% minority of companies that take credit card data have security that's up to the level that Visa, Mastercard and the others require.
Well, I might have just found out why. I've always known that staying compliant is a major pain in the arse. Each year (in my case, since 2008), you have to fill in a checklist of questions (over 300 this year), and it keeps growing. The first time I did it, it was version 1.0, then 1.1, 1.2, 2.0 and now 3.0.
Also, each month, my secure systems are scanned for vulnerabilities, and every other month a new vulnerability is discovered in the software that everyone uses, which means that I have to update the server software in order to remain compliant. These updates have become so common that I've actually written myself a recipe to follow, so that I can do it without having to work out how from scratch each time.
So why, you might ask, do I stay PCI DSS compliant, other than a sense of responsibility towards the people who entrust me with their card data? Why indeed. What's the downside?
Well, let me quote from a letter I just got from Worldpay, formerly known to me as the "Natwest credit card people". You can also find this information on the web. Note that it's in the Google cache. You'll also find it on the Streamline web site, if you look carefully.
If you're not PCI DSS compliant, it will cost you £9.99 per month.
If you're not PCI DSS compliant for more than 12 months, that goes up to £21.99 per month.
To any moderate-sized company, £22/month is peanuts.
If that's the apparent cost of not being compliant, it's not too surprising that 80% of companies don't bother.