One of the arguments for becoming PCI compliant is to keep this an industry-regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don’t think it is possible.

Most federal mandates are designed to protect their citizens (I said MOST… ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession.

PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and instill confidence in the payment system. As an important side effect, it promotes information security inside retailers and reduces the losses that would be associated with a breach of their systems (potential brand damage, fines, and consulting fees).

Since the citizens are already protected, and breaches do not directly affect the money system (they affect companies), I don’t believe the federal government will get involved. We’ve seen state governments pass legislation, but it is still untested in the courts and I have doubts about its ability to be enforced. Keep in mind, credit card fraud is not the same as identity theft, and I believe we will see much more legislation on that in the future.

