I have downloaded the PCI DSS docs, they are more than fit for purpose and I know from personal experience (former Head of Communications Infrastructure at BACS) just how rigorous the “official” members of the value chain (payment processors) must be.

However, there are far more “provos” out there, processing card payment details through self-constructed e-business sites who haven’t really got anywhere near the same level of risk awareness. For too many “payment handlers” it’s all about getting the cash into PayPal (or other such service) and hoping none of the punters’ details fall off the edge of the transactions.

Some of my direct observations of very poor payment practice would curdle minds against ever transacting online again, should they ever be published. I know this sounds sensationalist but I simply cannot even think about naming and shaming, which in some ways is a shame (sic).

these are very sound guidelines but many organizations will claim that they already follow this approach. And yet we still see [too regularly] incidents of massive data leakages.

I believe that this is because most organizations may well have ticked all the boxes but still have a ticking timebomb because they depend more or less exclusively on technology for security – please see: http://tinyurl.com/adx6xf

Likewise stakeholder confidence could be helped by the implementation of an information security capability model (as described in my paper at: http://tinyurl.com/d47kcq )

Please note these links are genuinely offered to help people understand and avoid data leakage, which is a very real risk that I think is growing, despite massive investment in so-called data security.

The effective response to a complex threat/ risk will naturally be a complex/ holistic approach, rather than simply more technology gee-wizardry!