Some critical compliance issues will be prominent in 2012, most notably the Payment Card Industry Data Security Standard 2.0. The update takes effect in 2012, and most merchants are not quite prepared to deal with it, industry observers say. In addition, the European Union is expected to tighten its Privacy and Electronic Communications Directive, which will have a big impact on Web user privacy. Globally, lawmakers will shove companies toward compliance with regulations by increasing penalties for data breaches and holding businesses more accountable for consumer data. While such government action can improve some areas of security, companies tend to focus on meeting lawmakers' checklist of regulations, overlooking some basic information technology security controls. For example, most regulations miss a wide range of best-practice controls, such as up-to-date anti-virus software, according to risk consulting firm Kroll. "As more breaches occur as a result of security gaps, we should expect to see governing agencies offer specific guidance on risk assessment and standard IT security controls," Kroll says.