Living in Israel is like living in a Jewish shtetl (small village) in Eastern Europe.
Everybody knows who's sleeping with everybody else, people are afraid of (yet despise and collect rent for) the local Polish landowner, and the men belong to what Yuri Slezkine calls "service nomads," a social and anthropological category of outsiders specializing in the delivery of goods and services. It is a question of survival: "Is the latest edict good for the Jews?"
It's the same in the information security industry: everybody wants to believe that regulation is good for the industry, and whenever one of the movers and shakers (like Basel-2 or Visa) wiggles, people start getting all shivery and excited.
A goyishe system engineer who works for one of my clients recently sent me an email about how Visa is now using financial incentives to get merchants, acquirers and card issuers to be PCI-compliant. So big deal, now Visa is using a carrot in addition to a stick. He implied that it would be good for business for his company, which is in the extrusion prevention space.
Unfortunately for all you security technology vendors out there, merchants, acquirers and issuers can be self-compliant by filling out a checklist. If they want a higher level of compliance, they can throw some money at a GRC consultant like KPMG. If they want ongoing monitoring of their ecommerce sites, they can pay a Visa-authorized vendor $50/month to scan their web site for vulnerabilities and be PCI compliant.
See PCI Compliance Scanning of Websites
Until the card associations tell issuers, acquirers and merchants over a certain volume of transactions that a content monitoring system is mandatory, PCI's relevance to network security vendors will be tenuous and limited to prose in their marketing collateral.
For now, PCI is a checklist item for the data asset prevention vendors; it is not a sales driver.
