So What Is PCI Really About? - ilamont
http://www.csoonline.com/article/527813/So_What_Is_PCI_Really_About_

======
tbgvi
PCI is a half-baked "solution" to protecting cardholders, and in the end it's
just an excuse to charge merchants more fees.

The card brands (Visa, Mastercard, etc.) work closely with acquiring banks,
merchant service providers, security vendors, and everyone else that's getting
a piece of the action. Every time one of these companies speaks to a merchant
the PCI bogeyman is brought up, and it results in higher costs for
merchants.

In the end it's about shifting blame, and of course making more money. That
being said, it's a good thing there are security standards for cardholder data
to prevent and lessen the impact of a breach. I just wish an independent group
were overseeing it.

------
bediger
He's correct: PCI is about Visa, MasterCard, Discover and Amex covering
themselves, and shifting the blame (and penalties) to merchants.

Sure, PCI is written in a way that when you read it you think "random
collection of best practices from places that got hacked and learned something
from it", but the definition of "compliance" is such that a merchant just
can't stay in "compliance". It's impossible.

So, this leads us to two inescapable conclusions: 1. "Best practices" are
just CYA. 2. Any time someone in power says "compliance", keep your hand on
your wallet and start edging towards the door.

~~~
0wned
Speaking as someone who deals with this on a daily basis, I say not true. PCI
is common sense written down into an "industry standard". You don't have to do
it, it's not a law. But if you want to continue to accept CCs, then you should
comply. Compliance is as easy as redirecting all of your CC work to a
processor that is PCI compliant. So long as _you_ _yourself_ do not store,
transmit or process the card data, you can worry about your business and
forget about PCI and it won't cost any more money.

~~~
anamax
> But if you want to continue to accept CCs, then you should comply.
> Compliance is as easy as redirecting all of your CC work to a processor that
> is PCI compliant. So long as you yourself do not store, transmit or process
> the card data, you can worry about your business and forget about PCI and it
> won't cost any more money.

Hmm. Is it that the PCI doesn't cost the processor anything or that the
processor eats the costs?

~~~
0wned
If the processors are responsible, then they were doing it right before the
acronym PCI ever existed. To become compliant costs money (audits, quarterly
scans, self-assessments, etc.) but it's not that expensive _and_ it's what
they are in business to do. If the processor is not compliant, no one will do
business with them ("Hey, look, we store your clients' CC numbers in an
unencrypted DB... come do business with us!"). The cost you as a merchant
pay is based on risk and volume. Online (non-person-to-person) transactions
are the most risky, so percentage-wise they'll always cost more... PCI or no
PCI.