Re: internal verification code
Or is the % they pay you worth more than the cost to you and cardholders?
PCI Security Standards Council set the rules, but is anybody responsible for the retroactive enforcement of PCI DSS? And has that body ever barred a major corporation?
Realistically, although the industry should issue Hyatt with a ban, I don't believe they've got the will to do that. Even if they did, it would be tantamount to putting Hyatt out of business if the ban were for more than a few weeks, and I'm sure the owners and managers of Hyatt would be shielded by the US authorities stopping such a move.
For all the brave words, I can't think of any jurisdiction that takes data security seriously. Even the likely scale of GDPR fines will be trivial compared to the typical clean-up costs of a data breach, so the new rules are concentrating minds briefly, but come next May, I'm not sure we'll see any slowdown in reported breaches.