"Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?" he asked. He suspects it's because e-commerce is more popular and profitable in the US. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.
No financial incentives were mentioned in a recent statement from Visa announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by September 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.
David Taylor, founder of the PCI Knowledge Base, agrees companies outside the US don't enjoy the same degree of financial support. "There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers," he says.
Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the US.
"While Visa USA did offer some monetary incentives for US merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise," she says.
Keep the global perspective
Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the US are being used elsewhere. There's a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica.