And many smaller organizations are only dimly aware of PCI DSS, or not aware of it at all. Troy Leach, CTO of the PCI SSC (Security Standards Council), told Politico last fall that regional resellers of Point of Sale (PoS) systems that have suffered multiple breaches, "when asked about PCI compliance, have never heard of the organization."
Where the fault lies for the lack of compliance is a matter of some dispute. Mogull, who has been scathing in his criticism of PCI DSS in the past, calls the framework "a way for the card brands to push risk onto the merchants and payment processors."
"Small businesses shouldn't have to understand it," he said, "especially since most of them totally outsource their payment systems. Those providers are the ones that matter and need to know about it."
But others argue that credit card providers are only one player in the system, and improving security requires an investment from everybody, at all levels.
"Many merchants want the card companies to 'fix the system,' whatever that means," said Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals. "So my question is: 'OK, will you, merchants, be willing to chip in? After all, you are as much of a stakeholder in this.' Until now, the answer was 'no,' in my experience."
Julie Conroy, analyst with Aite Group, said the frustration with compliance is understandable. "It's expensive, unsexy, and produces no revenue," she said. "On the business side, many still consider security considerations a tiresome obstacle to quick time to market."
But she added that while merchants don't like the blame being placed on them for breaches, "the reality is that the merchant is where the data resides in the current model, and where the compromises are taking place."
She and others also say the headaches of compliance are minor compared with those that would be caused by a major breach. She offers an example from one of the biggest players in the business -- Apple.
"I've spoken with banks whose security guys were not brought into the discussion about the Apple Pay launch until the 11th hour. The result: fraud rates that are nearly 80 times the industry average," she said.
Or, all one needs to do is look at the headlines. In January, Anthem Inc., the nation's second-largest health insurer, discovered a breach that reportedly affected the health records of 78.8 million people. Just this past week, Premera Blue Cross, a major provider of health care services in the West, announced that an intrusion into its networks may have compromised the financial and medical records of 11 million customers. The breaches are more evidence that health records are now considered more valuable than credit card information.