Not to disagree with you as I agree with the sentiment, but as a counter data point, I've seen a number of quite serious breaches in the past where PCI DSS clearly wasn't being followed, as CVV2 was compromised along with payment details. Often the merchants were too naive to even understand what was going on.
Clearly having straightforward gateways to handle payments can help retailers and raise the bar, but I never cease to be amazed at how many sites run third party scripts on pages processing sensitive information! Bonus marks for using third parties that let other third parties place code on the page!
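To make the risk in the comment above concrete, here is an added example (written for this edit, not something the commenter posted): a small audit that takes the `<script>` tags of a checkout page plus the page's Content-Security-Policy header, works out which scripts the policy would actually block, and flags third-party scripts that load with no Subresource Integrity pin. The hostnames, the HTML snippet and both policy strings are constructed for the demo; the CSP source matching is a simplified version of the spec (no default-port inference, schemeless host sources match any scheme).

```javascript
// Added example, not code from the thread: audit the <script> tags on a
// checkout page against a Content-Security-Policy header and flag third-party
// scripts that load without Subresource Integrity. All hostnames, the HTML and
// the policies below are constructed for the demo.

const PAGE_ORIGIN = 'https://shop.example';

// Allowlist only the first party and the payment gateway's SDK.
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://js.payment-gateway.example; object-src 'none'";

// The kind of policy that lets a tag manager pull in anything it likes.
const PERMISSIVE_CSP = "default-src *; script-src * 'unsafe-inline'";

// Constructed checkout page: a first-party script, the gateway SDK pinned with
// SRI (the digest is a placeholder, not a real hash), a marketing tag manager,
// and a script that tag manager injected: a fourth party the merchant never vetted.
const CHECKOUT_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payment-gateway.example/v3/sdk.js"
        integrity="sha384-Y29uc3RydWN0ZWQtZGlnZXN0LXBsYWNlaG9sZGVy" crossorigin="anonymous"></script>
<script src="https://tags.marketing-vendor.example/loader.js"></script>
<script src="https://cdn.fourth-party.example/pixel.js"></script>
`;

// "script-src 'self' https://a.example; object-src 'none'" -> { 'script-src': [...], ... }
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one CSP source expression permit loading `url` (a URL object)?
// Simplified matching: no default-port inference, schemeless hosts match any scheme.
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not host sources
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port][/path]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*' && url.port !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// script-src governs scripts; default-src is the fallback; no directive at all means allowed.
function scriptAllowed(cspHeader, url, pageOrigin) {
  const d = parseCsp(cspHeader);
  const sources = d['script-src'] ?? d['default-src'];
  if (!sources) return true;
  return sources.some((src) => sourceAllows(src, url, pageOrigin));
}

// Pull src and integrity from every external <script> tag (inline scripts are out of scope here).
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(m[1]);
    if (!src) continue;
    out.push({ src: src[1], integrity: /\bintegrity\s*=\s*"([^"]+)"/i.test(m[1]) });
  }
  return out;
}

function auditCheckout(html, cspHeader, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  return extractScripts(html).map(({ src, integrity }) => {
    const url = new URL(src, pageOrigin);
    return {
      src,
      host: url.hostname,
      thirdParty: url.hostname !== pageHost,
      blockedByCsp: !scriptAllowed(cspHeader, url, pageOrigin),
      integrity,
    };
  });
}

// What a reviewer acts on: third-party scripts the policy lets through that carry no SRI pin.
function unpinnedThirdParty(findings) {
  return findings.filter((f) => f.thirdParty && !f.blockedByCsp && !f.integrity).map((f) => f.host);
}

const strict = auditCheckout(CHECKOUT_HTML, STRICT_CSP, PAGE_ORIGIN);
console.log('strict policy blocks:', strict.filter((f) => f.blockedByCsp).map((f) => f.host));
console.log('strict policy leaves unpinned:', unpinnedThirdParty(strict));
const loose = auditCheckout(CHECKOUT_HTML, PERMISSIVE_CSP, PAGE_ORIGIN);
console.log('permissive policy leaves unpinned:', unpinnedThirdParty(loose));
```

Under the strict policy the tag manager and the script it injected are both refused by the browser, so the fourth party never gets onto the page regardless of what the vendor's loader tries to do; under the permissive policy both run, and neither is pinned, so whatever the vendor (or whoever compromises the vendor) serves tomorrow will execute next to the card form.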
I think we have two orthogonal aspects here - the presence or absence of a straightforward commodity solution, versus the presence of clear security guidelines. The former seems to be what drives better practices, whereas the latter is more guidance people ignore, due to lack of personnel and skills.