There is no shortage of opinions within the payments industry regarding PCI-DSS (Payment Card Industry Data Security Standards), and these opinions are largely driven by perspective. Issuers support PCI-DSS and demand improved compliance since they are the ones that absorb the brunt of fraud losses and operational damage control in the wake of data compromises. Merchants and acquirers appear less supportive of the standards and continue to assert concerns about complex requirements and costly compliance.

Visa and MasterCard are in the awkward position of trying to enforce compliance while straddling a two-sided business model that requires serving both merchants and issuers. Furthermore, other issues the card companies are juggling, like interchange rates, create a greater divide between these two groups and crowd out constructive discussion and real progress on PCI-DSS.

The end result of this is that there is a significant amount of work remaining to be done. Visa has introduced merchant incentives for PCI-DSS compliance, and recently announced that 96% of its largest merchants have confirmed that they are not storing magnetic stripe data. Magnetic stripe data is a key element in a counterfeiter's ability to commit fraud. Additionally, "Card Not Present" fraud, which is growing faster than counterfeit, is still in play for non-compliant, compromised merchants. Visa's efforts benefit all issuers, but non-storage of magnetic stripe data does not equal PCI-DSS compliance. Less than half of the largest merchants have validated PCI-DSS compliance. To be fair, a large portion of this group of merchants is in remediation–close but they are not there yet.