Smaller merchants also lack the resources or technical expertise to understand and implement all of the required controls in the PCI standard, according to the director of corporate security at a Midwest bank who requested anonymity.

The slow adoption to date also reflects the lack of enforcement teeth behind the standard, according to several participants in a PCI roundtable discussion at the CSO Interchange Forum, which was held in conjunction with the RSA conference.

Unless there is visible and stringent enforcement of PCI, it is unlikely to get widespread traction, roundtable participants said.

At the same time, others see PCI as the payment industry's best hope for staving off federal intervention amid growing consumer and congressional concerns about ID theft and fraud resulting from retail security breaches. They also argue that telling IT shops exactly what controls need to be implemented is the only way of ensuring that all companies covered by the rules understand them.

PCI "is definitely not easy to do, and it's very time consuming," said Deven Bhatt, director of corporate security at Airline Reporting Corp., an Arlington, Va.-based company that provides ticket distribution and settlement services to more than 145 air and rail carriers. Some of the criticism of PCI stems from the perception that it tells companies how to run their businesses, Bhatt added.