That outreach, and the move to include even the smallest merchants under the PCI DSS, drew compliments from Joram Borenstein, vice president at NICE Actimize, who said that while it is not perfect, "the council is quite logically attempting to level the so-called playing field by reaching out to smaller merchants with dedicated resources and options for those merchants."
Shier, in his "Why it works" blog post, also praised the council for demanding the same security practices from small merchants as it does from large ones, and for providing help to those small companies in the form of a "handy PDF guide aimed at smaller businesses" and lower-cost alternatives for getting compliance certification.
Even with that help, however, compliance will not be easy or cheap for smaller companies. Hardly any of them have the expertise to implement everything required for compliance without the help of a Qualified Security Assessor (QSA). Shier noted that while the standard allows smaller companies to do their own assessments, that would "make as much sense as performing your own dental surgery."
"The PCI DSS contains over 200 sub-requirements," he wrote. "Each must be fully understood and correctly implemented in order to stay compliant."
Strand said the demands on smaller merchants are generally not as complex as they are for larger ones. But he said the expanded scope of requirements will have an impact.
One new element is that "vendors must consider integrated systems and other connections into their credit card data environment that weren't traditionally considered in scope for PCI," he said. "This will probably create more confusion in interpreting the requirements of the standard."
And Rich Mogull, analyst and CEO at Securosis, who has been critical in the past of the standard, arguing that it is aimed more at protecting the credit card companies than merchants and customers, said he doubts the new standard will change things much, given the complexity and cost of compliance.
"There is more of a move to continuous compliance, but really that's not something most organizations are ready for," he said. "It will be interesting to see if anything changes."
If things do change, it may be at least in part because of increased awareness of the damage that a high-profile breach can cause.
"Data security has become a board-level topic of discussion," Borenstein said. "Executives recognize that the impact of a serious card loss breach can have a significant impact on customer perception, stock price, and more."
Russo said he hopes that fear will motivate companies to improve their security. "There are ways to prevent these things," he said. "When details of breaches come out, they show that most of them were caused by very simple mistakes, like default passwords."