Rob -
While I agree that the awareness of PCI DSS in Europe is low, I must disagree that PCI has no teeth in Europe. The teeth that PCI exhibits in the US are not due to disclosure laws (or any other laws). The standard is enforced by the credit card companies. The greatest potential penalty is not fines or being front-page news; it's having your ability to take or process credit card payments revoked, and the potential liability associated with a breach.
As good examples, consider CardSystems or TJX. In CardSystems' case, their loss of credit card data resulted in Visa and American Express revoking their privileges to process their payments. This resulted in total business failure for CardSystems.
In the TJX case, the loss of data has resulted in massive lawsuits by credit card issuers (banks). Per latest reports, those suits could cost TJX tens or hundreds of millions of dollars.
Interestingly, there are at least 4 states in the US that are in the process of making PCI DSS law. So in the US, PCI DSS may actually get some regulatory teeth. But it does not take the law to compel companies to comply. It's simply a business mandate.
Todd Tucker, CISSP
NetIQ Corporation
Todd Tucker | 11.20.07 - 11:23 am
I think it's a good point for debate. Looking forward to it.
pci | 05.10.09 - 9:11 pm