To many times security is not prioritized high enough. Website owners mainly concentrate on functionalities instead of security. Be honest, do you test your website with an ‘acceptance test’ on functionality AND security?
You must already implement security because of privacy reasons. Don’t wait for Visa and MasterCard to come with their PCI-compliance program. Based on national and international laws, website owners already should secure and protect any privacy related information “the best they reasonable can”.
By using McAfee SECURE and/or becoming PCI-certified, you create a stronger legal position, known as “exoneration condition”. This means a contractual condition in which an entity claims to be totally or partially free in cases the contractual or outside-contractual liability is in need.
On the basis of the principles of will autonomy and contract liberty exoneration is fundamentally possible both concerning contractual liability and outside-contractual liability. Naturally proof must provided so the exoneration is going to be accepted.
Directive 95/46/EC of the European Parliament: “(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected"
“Security Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework and this website to provide the information an organization should need to evaluate – and then join – the Safe Harbor. Information security is also part of the Safe Harbor legislation.