In my current $employer$ (we are a level 2 merchant) we did the whole "just pay the fine" thing, because the business case for actually getting compliant wasn't there. The fines did escalate for a couple of years, but the costs for the PCI implementation were way more than the escalated fines, so we kept putting it off. Just recently our clearing house and one of the big three CC companies informed us that we *will* be fully compliant by 01/01/2010, or we get to go the level 1 audit route, which we have investigated and no one wants to go through if we can avoid it.
Now we are in the midst of lots of planning and implementation work for PCI that would normally be done over a year or so, but is now going to be completed start to finish in six months. I would very highly suggest starting down the compliance path now, even if the decision is made to pay the fines in the short term.

---------------------------------------------------
Alan S. Epps [email protected]
_______________________________________________ Tech mailing list [email protected] http://lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
