Large UK retailers, such as John Lewis and Tesco, have shown a relaxed, in control, strategic approach to meeting the Payment Card Industry Data Security Standard.
Smaller retailers are, however, struggling to meet the payment card industry's pressing demands to secure customer data.
We report this week that retailers have been afforded some breathing space by two of the companies behind the rules. Rather than insisting on immediate compliance with every part of the standard by the 30 June deadline, Visa and MasterCard are advising firms to prioritise securing the sensitive customer data on their IT infrastructure.
This pragmatism is to be welcomed. Most UK retailers only became aware of the PCI DSS recently, and it will take them two or more years to catch up.
Nevertheless, there surely has to be a lesson here about the need to spread the strategic knowledge, in this case around compliance, embedded in blue chip firms more widely. Information security is a social good more than it is a weapon of competitive advantage.
Comment on this story: email@example.com