PCI is a half-baked "solution" to protecting cardholders, and in the end it's just an excuse to charge merchants more fees.
The card brands (Visa, Mastercard, etc.) work closely with acquiring banks, merchant service providers, security vendors, and everyone else that's getting a piece of the action. Every time one of these companies speaks to a merchant the PCI boogeyman is brought up, and it results in higher costs for merchants.
In the end it's about shifting blame, and of course making more money. That being said, it's a good thing there are security standards for cardholder data to prevent and lessen the impact of a breach. I just wish an independent group was overseeing it.
He's correct: PCI is about Visa, MasterCard, Discover and Amex covering themselves, and shifting the blame (and penalties) to merchants.
Sure, PCI is written in a way that when you read it you think "random collection of best practices from places that got hacked and learned something from it", but the definition of "compliance" is such that a merchant just can't stay in "compliance". It's impossible.
So, this leads us to two inescapable conclusions:
1. "Best practices" are just CYA.
2. Any time someone in power says "compliance" keep your hand on your wallet and start edging towards the door.
Speaking as someone who deals with this on a daily basis, I say not true. PCI is common sense written down into an "industry standard". You don't have to do it; it's not a law. But if you want to continue to accept CCs, then you should comply. Compliance is as easy as redirecting all of your CC work to a processor that is PCI compliant. So long as you yourself do not store, transmit or process the card data, you can worry about your business and forget about PCI, and it won't cost any more money.
> But if you want to continue to accept CCs, then you should comply. Compliance is as easy as redirecting all of your CC work to a processor that is PCI compliant. So long as you yourself do not store, transmit or process the card data, you can worry about your business and forget about PCI and it won't cost any more money.
Hmm. Is it that the PCI doesn't cost the processor anything or that the processor eats the costs?
If the processors are responsible, then they were doing it right before the acronym PCI ever existed. To become compliant costs money (audits, quarterly scans, self-assessments, etc.), but it's not that expensive and it's what they are in business to do. If the processor is not compliant, no one will do business with them ("Hey, look, we store your clients' CC numbers in an unencrypted DB... come do business with us!"). The cost you as a merchant pay is based on risk and volume. Online (non person-to-person) transactions are the most risky, so percentage-wise they'll always cost more... PCI or no PCI.