A bit of good news for PCI compliance – but only in Washington

One of my big problems with PCI compliance is that it means nothing. The card brands will come in after the fact and find something, anything, to claim that the merchant wasn’t compliant when the breach occurred. That puts everything on the merchant. As always, the merchant is the low man on the hill, and we all know which way on the hill the stuff runs. If you don’t believe me, ask any PCI-compliant merchant that was breached. That’s why the brands claim that no PCI-compliant merchant was ever breached. They find something.

The fact is that a merchant can spend huge sums of money to become PCI compliant but it doesn’t give them safe harbor. Until now. But only in the State of Washington.

A new law signed by Washington’s Gov. Chris Gregoire finally gives a break to the State’s merchants. If they are compliant, they are protected from the card brands. The Washington law mandates that if a merchant is certified as PCI compliant by an annual assessment, that compliance is non-revocable for a year. The processors and issuing banks cannot go after the merchant for losses.

The law isn’t perfect, of course. They seldom are. There is no mention of consumer losses. We know that consumers suffer no direct monetary losses from credit card breaches but they do suffer lost time and aggravation in trying to get things straightened out. We can assume the merchant won’t have protection from them.

Still, the Washington law is pro-merchant and a big step in the right direction. If nothing else, it gives the merchant some justification for the resources expended in getting compliant.

Now can Federal lawmakers get on board?

About Tom Mahoney

Tom Mahoney is the Founder and Director of Merchant911, a site dedicated to helping e-commerce merchants.

Check the bottom of the main pages - it's there.
contact at merchant911.org

Does your site have a contact page? I'm having a tough time locating it, but I'd like to send you an email. I've got some recommendations for your blog you might be interested in hearing. Either way, great site and I look forward to seeing it grow over time.
