I just got a letter from Worldpay (they used to be NatWest).
"we're removing the monthly additional PCI DSS service charge fee for customers who have been non-compliant for a period of 12 months or more".
So what is the incentive to jump through the hoops to become PCI DSS compliant?
As of 2014, 80% of companies fail their PCI DSS compliance. And that's a *minimum* standard.
In the last 10 years, not a single payment card breach was with a company that is compliant. That's mostly because as recently as 2012, 92.5% of companies were non-compliant.
I've been compliant since 2008. I assumed, back then, that everyone would be compliant within a year or so. I was wrong. I'm *still* in a minority.
The users don't care, the companies taking credit cards don't care, the banks that accept these billings don't care and even Visa and Mastercard don't care. The credit card system is insecure because there's no-one who has an incentive to make it secure.
And my letter from Worldpay just made that worse.