Audits and compliance only take you so far. If your actual motivations are to truly improve security, perhaps offering code samples, libraries and reference architectures would be more helpful. Throwing compliance requirements at a technical team is an excellent way to distract them away from a truly secure architecture.
That said, there are a lot of actors out there who need babysitting and absolutely should not be allowed to participate in payment networks without some sort of initial & ongoing due diligence.
This whole thing is a delicate balancing act, but in my experience dealing with PCI-DSS, it's currently an extremely heavy-handed approach. I cannot help but wonder if the primary intent of this sort of standard isn't to just keep competitors out.