> Compare this with PCI compliance (which is about CC data protection) and it's very clear if you're compliant and if you are not and what to do
As someone with an interest in this space, I can say that the PCI DSS is not as clear as you say - there is plenty that is ambiguous and open to interpretation, and often a pass/fail for each requirement hinges on your QSA's interpretation.