The PCI Data Security Standard has been around for more than 11 years. Why, then, do organisations still find it so difficult to comply with, and why do they struggle to protect their cardholder data environment? Often, the key management requirements are the hardest to implement, but why?