When the time comes to sit back and review PCI DSS there will be a couple of comments that can be used to sum up the way the credit card data compliance guidelines were introduced.
One of them will be about the way the staggered deadlines were used to try and get merchants signed up. What they seem to have done is to add to the confusion, provide spikes for the security channel to sell solutions, and keep coming just making it harder for customers to know what they should be doing.
The latest is the idea that those retailers using chip based point of sale systems will be able to cut down the need for annual PCi audits if 75% of their business goes through what Visa believes is a secure shopping route. From 31 March this year that particular addition to the PCI story comes into force.
But the other comment that will be made is around the lack of threat for those that fail too meet PCI DSS requirements. Unlike the Information Commissioner's Office, which has already issued four fines this year, no one high profile has really hit the headlines for falling foul of Visa and Mastercard.
That seems even more unlikely given the way the goalposts are continually moving. If those responsible for PCI DSS don't want the history of the compliance standard to be a story of confusion and constant changes then they need to apply themselves now to getting some consistency and making things easier to follow for retailers.
No one argues against the need to protect user credit card data it's just the methods of securing that which is where the debate is still active.