First, the company says, "We have been hacked, so this will never happen again for 10 years. Statistically, we can spend zero on security for the next 10 years." They also try to make the incident as silent as possible, or if it is finally passed to the media, they try to minimize the impact: "All your credit cards were stolen, but don't worry, nothing bad happened."
The only way to make them take it seriously would be to have them hacked every six months, with a story on the front page of every leading newspaper.
The problem now is that companies only do what they are obliged to do. In poor countries like Ukraine or Poland, when Visa comes knocking on their door and says, "We'll stop all your transactions if you are not PCI compliant in the next six months," they simply say, "OK, we'll close everything and switch to MasterCard, and we'll have two years to become compliant."
Visa, of course, says, "We're sorry, take your time." With MasterCard, it's exactly the same.
Another problem is that PCI has different levels of compliance depending on how many cards you process. So we saw that large banks in some countries created five or ten smaller companies, so legally they're not obliged to have the higher level of compliance; as an entity that processes 1 million cards, they can look as if each company is only processing 100,000 cards.
There's even a problem with PCI itself. In 2012 I reported to PCI that their own website had a critical SQL injection vulnerability that would compromise their own website. They never even responded to me. So I'm quite skeptical of them.
If we really want to change something, government should establish minimum standards for companies of various sizes for types of software, encryption, things like that.
And the punishment for companies that will not respect the regulations should be much higher than the investment they would have to make to comply. If it's about the same, people will not care, but if it costs 10 times more, we can be almost 100% sure that companies will finally start complying.