Friday 11 December 2015

The cost of PCI DSS non-compliance

I just got a letter from Worldpay (they used to be Natwest).

"we're removing the monthly additional PCI DSS service charge fee for customers who have been non-compliant for a period of 12 months or more".

So what is the incentive to jump through the hoops to become PCI DSS compliant?

As of 2014, 80% of companies fail PCI DSS compliance. And that's a *minimum* standard.

In the last 10 years, not a single payment card breach has involved a company that was compliant. That's mostly because, as recently as 2012, 92.5% of companies were non-compliant.

I've been compliant since 2008. I assumed, back then, that everyone would be compliant within a year or so. I was wrong. I'm *still* in a minority.

The users don't care, the companies taking credit cards don't care, the banks that accept these billings don't care and even Visa and Mastercard don't care. The credit card system is insecure because there's no-one who has an incentive to make it secure.

And my letter from Worldpay just made that worse.


  1. Ok Doc, I will pay you £1.50 for each set of details for credit cards going forward. That way you will fit into the majority and make money from it too :)

  2. According to the information I've read, you can buy credit card details for $25 to $40 each. But I don't know where.