PCI: Is Compliance Really the Goal?
In reading this article from Dark Reading, which quotes a recent RSA survey about PCI compliance, I'm struck by what seems like a missing component. The basic gist of the survey results is that while more than 50% of merchants haven't complied with PCI, the majority of them are smaller, level 4, merchants. There are other interesting bits of data in there too, but the whole article makes a tacit assumption: the goal of PCI is that merchants comply.
I think that really is the goal for larger merchants, but I'm not so sure about the smaller ones. I can't help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven't done the serious research to determine whether that's true, but given the implementation timelines referenced in the article, it seems plausible. It's also possible that there aren't outsourcing services that really meet the needs of smaller merchants.
Either way, if PCI doesn't start "motivating" the smaller merchants, then compliance will continue to lag. The numbers are skewed, however. Perhaps it would be better for RSA to measure the percentage of PCI compliant transactions instead.