PCI Is Security Simplicity, Not Complexity
Payment card industry data security: the standard that makes people stupid.
In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is over the top and can be confusing. For someone smart enough to be the director of IT for a leading-edge company like Virgin Entertainment, which places significant importance on IT, it is difficult to understand how he could find PCI confusing.
He also contends that the costs of meeting the requirements do nothing to boost a retail company's bottom line, with no direct return on investment. Recent events demonstrate otherwise. Had TJX Companies better developed its security posture, it would likely not be facing myriad lawsuits. TJX violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in the most recent quarter, it took a $12 million loss, equal to 3 cents per share, because of the loss of more than 40 million credit and debit card numbers stolen from its systems over an 18-month period, one of the largest customer data breaches to date.
The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems and communicate with customers, as well as for technical, legal and other fees. The company also reported that it expects that it will continue to incur these types of costs related to the intrusion in the second quarter and it estimates that those costs will total 2 cents to 3 cents per share.
Besides facing numerous other federal and state lawsuits, the Massachusetts Bankers Association, which represents 207 financial institutions, filed suit against TJX in federal court in Boston in April 2007. In addition, the Securities and Exchange Commission said that complaints seeking class-action designation on behalf of customers were filed in April and May in the federal courts of five additional states: Illinois, Michigan, Missouri, Ohio and Texas.
Such breaches are precisely what PCI exists to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment, saving the organization millions of dollars and sparing it significant negative publicity. There is absolutely nothing complex about that.
Dave Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance, notes that the PCI DSS demonstrably benefits card holders, the payment card industry as a whole and individual businesses; it's a comprehensive, sensible security standard built on the shared knowledge of industry leaders and security experts.