A post relating to this item from Finextra:
12 January, 2012
PCI security standards in the dock
A legal challenge to the payment card industry's PCI security standards is brewing in the US, as a Utah-based restaurant chain cries foul over the apparently "arbitrary" nature of the system and the level of fines imposed by Visa and MasterCard following an alleged breach of security.
Despite all the bleating about PCI over the years, I found it to be too weak.
With all the focus on Cardholder Data - as being that on the Mag Stripe - namely Card Number, Cardholder Name, Expiry Date and Security Code - I found many Merchants & Service Providers treated it as a 'max' rather than 'min' level of security.
I performed due diligence on places where lots of other personal data, such as Mother's Maiden Name, Cardholder Address, Phone Number, e-mail address, Date of Birth, Passport Number, Gender, Religion, etc., was never encrypted, simply because PCI itself didn't tell them to do so.