One auditor's advice

During the PCI security event, Atlanta-based auditor James DeLuccia sat on the panel alongside Duran. He acknowledged that a lot of companies run into the difficulties Duran described. Among other things, he agreed there are probably auditors out there who go too far in pushing certain vendors on merchants as a condition for a passing grade.

However, he said, merchants have a better chance of getting a fair shake these days because there's a larger pool of auditors to choose from.

"At the beginning there were far fewer companies capable of performing a PCI security audit, but in the last couple years Visa and have authorized a lot more," he said. "The bigger the pool of auditors, the more likely you will see transparency."

His parting advice to merchants facing an audit: Don't stick with the same auditors for too long.