Legislation to Protect What’s In Your Wallet

Tuesday, July 3rd, 2007 at 1:25 pm by Carl Banzhof

The credit card industry is working hard to evangelize the PCI standard for card security. However, as with any compliance initiative, organizations are slow to adopt and enforce standards until real “teeth” are in place (think HIPAA). As Charles Ross mentioned in his blog post, PCI-compliance alone doesn’t guarantee security.

Wal-Mart recently announced an expansion plan to bring on 1,000 “Money Centers” by 2009. The goal of these centers is to provide lower-income consumers with the convenience of a bank. Unfortunately, with this convenience comes more risk, and customers may have to deal with issues such as identity theft and data loss. While most of the transactions will be fueled by refillable money cards, customers will be required to provide basic information and will be targeted to purchase additional products and services, requiring even more information to be collected and stored.

The privatization of banking isn’t going to slow down as retailers seek to capitalize on this very profitable trend. The Wal-Mart expansion plans were announced one month after the U.S. House of Representatives passed legislation to block non-financial firms from operating banks.

One piece of California legislation would prevent individuals and organizations that accept credit card and debit card payments from storing sensitive information, including the data track from the magnetic stripe on the back of the card, the PIN or encrypted PIN block, and the card verification code. Its sponsor? The California Credit Union League. It seems that the credit unions, which are non-profits, are tired of holding the bag for costs such as card replacement and notification services after merchants suffer a breach.

The combination of legislative action and mandatory PCI compliance will hopefully get merchants to take the protection of customer privacy and data security more seriously than they have in the past. Protecting consumers’ private information is vital. The problem with retailers housing the personal information of consumers is that these retailers have rarely conducted the due diligence and deep analysis of how best to identify and protect assets before suffering a major breach. Legislation will force retailers to take a deep look at their own data security practices, or suffer the legal consequences.
