I am not a fan of ambulance chasers but the class action suit filed against MasterCard, Visa, and Card Systems Solutions on June 30th raises the bar for compliance. On the one hand those that manage credit card information have to disclose material breaches. On the other hand the disclosure gives the trial lawyers everything they need to file suit.
So, back to my previous post on Risk Management. For a merchant or credit card processor include the scenario:
A breach or loss of data requires the disclosure to thousands of customers.
Risk: Direct costs of notification. ($10/instance?) Loss of standing of brand Legal fees to fight spurious law suits.
It would be my argument that taking some rudimentary precautions against data loss or theft would be far less expensive than the risk.