The headline is a bit misleading...
It's not just Visa, surely?
From tomorrow small businesses that take credit card payments will be obliged to enrol in the credit card industry's Payment Card Industry Data Security Standard (PCI DSS) compliance programme. From 1 July small and medium enterprises using electronic point of sale terminals and e-commerce systems need to reach basic compliance …
It's not just Visa, surely?
Bang go the Olympic jokes then...
Whilst having secure payments systems is obviously a good thing, the banks are shamelessly cashing in on this by insisting on performing expensive audits before they'll talk to you. This, of course, leads on to the bank hooking you into using their costly systems because you fail their audit.
"Through adoption of a best practice approach, companies can actually save themselves money in the longer term, and may even avoid the need to hire an expensive consultant who may not actually tell their board anything extra that their IT department doesn't know already,"
Sums up the "big guy" mentality at work here. For many thousands of small Internet shops, the I.T. department in question is probably the wife or brother-in-law who won't know already. High short-term costs can kill these kinds of businesses.
The easy answer is not to process card payments yourself but to use a third-party payment provider. That way you are not handling the card details at all. Problem solved!
The banks aren't the PCI, banks have to go through the PCI DSS as well.
It's so easy to complain that "they" are gunning for small business, isn't it? Too bad it's not true.
From the article:
"Compliance is achieved by self-assessment for mom and pop shops processing less than 20,000 e-commerce transactions a year and compulsory external audits for e-commerce heavyweights."
So, no. The compulsory external audits are for larger organizations. I think 20,000 transactions per year is a good rule-of-thumb. If you're under that, you're likely not much of an attractive target for hackers. If you're over that and your IT department is "the wife or brother-in-law who won't know already" then you're being criminally negligent with a lot of customers' information.
I'm one of the "expensive consultants" you refer to in your post. To play Devil's advocate on a couple of your points:
1) Banks only insist on "expensive audits" for those companies handling the most credit card data or for those that have been compromised. Small business, while required to comply with the same standard, is only required to validate (report) their compliance status by completing an annual questionnaire and some vulnerability scans (if you're internet facing).
2) The banks don't make any money from "expensive audits", only the consulting companies do. In fact they hate this stuff because it creates a bad relationship between the bank and their client. If they are unreasonable enough the banks are afraid you as a merchant will take your business elsewhere. They want this to be as little a headache to you as possible, but they also need to ensure you are protecting your acquirer's reputation.
3) The reason the banks want "an expensive consultant" involved in the first place is because banks aren't security experts, and neither is the merchant. Someone knowledgeable needs to attest to the status of the environment handling the data.
4) "the bank hooking you into their costly systems" - I think a key thing PCI DSS is trying to achieve is to send the message to small business that handling credit card data, while only appearing as a bunch of 1's and 0's on your systems, needs to be handled responsibly, just like you handle cash. You don't just leave your cash sitting out in the open do you? You don't send it to the bank in the post either do you? You pay banks and security companies to protect it for you. Small business has failed to see the comparison. The "expensive systems" the banks and payment service providers are trying to "hook you into" are a way of allowing you to outsource the bulk of the security controls that need to be in place if you're going to handle credit card data. It's taking risk away from you as a merchant and from your acquirer. In the long run it's a cheaper option for you and spreads the cost over each transaction rather than requiring you to spend a lot of money on becoming a security and IT expert; something your wife or brother probably is not. You can't have your cake and eat it too.
In your defence however it's also worth pointing out that the entire reason PCI DSS exists and you as a merchant are being forced to comply with all of these controls is because the payments industry rested on its laurels for far too long. The existing payments model has been around for decades and did not evolve quickly enough in introducing uniform standards for protecting payment data. When they realised they needed to, it was too late, so they pushed the responsibility onto the merchants to achieve it with the DSS controls.
Technology such as end-to-end encryption and dynamic data authentication are going to change payments security for the better for everyone though in the coming years. It may take a while for the model to be standardised; however, the concepts are there already and, once common, will let you as a business owner focus on business, banks focus on making money from our money, and will require hackers and "expensive consultants" like me to find the next opportunity to leech off. :)
I can see small internet traders moving to PayPal and such like.
Personally, I wouldn't touch PayPal with a barge-pole. There are much better and cheaper payment providers available.
It makes no difference who your payment processor is, you still have to show you're compliant.
Then what happens? Sweet fuck all is the answer.
PCI DSS is routinely flouted by most, if not all big business. The list of high profile compromises goes back years and NOTHING was done by Visa. Not even increasing merchant fees when you lose several MILLION credit card numbers tells us all we need to know.
It's VERY difficult for small sites using shared hosting to pass all the PCI tests, which means they often have to plump for pricey (and OTT) dedicated servers...
by letting them make an internet Giro bank? Pop in to your local PO to top up your account and pick up your deliveries that came while you were out or just bending over the back of the sofa while some athlete launched the card through your letterbox from the van!
Secure transactions are easy - and the banks and paypal are a bunch of thieving crooks.
The costs to small (actually all) business should be minimal - but then the banks wouldn't have all that money to lend to you so you can push house prices up for them to float on.
Would you use it? Really? Because they have done it for years. It's called Branch business banking services.
or do they expect their users to 'be as loyal as a puppy'?
Terminator - no ED209 icon available...
If the PCI requirements didn't include every little pointless item it might become less hassle overall. Web sites, for example, seeking PCI compliance are audited by basically nothing more than a Nessus scan and failed for such things as active security measures recognising an attack and blocking the attacking IPs, or because the SSL-enabled POP3 server uses a certificate where the name doesn't match the host name being scanned (duh, why would my mail server SSL be signed for www.mystore.com).
I've done work for 2 companies that were supposedly "PCI DSS" certified.
It's a scam.
As I recall, the certifying firms have to pay large amounts of money to the central authority for the "right" to do any work with it (on the close order of 10 to 20,000 or more depending on your "market area"). The necessary documents are only available to those companies, with only general info available outside those channels. So if you want to reduce costs and see if you will easily pass certification - you can't. You have to pay one of these monopoly providers (in your area) for them to theoretically do all the work, at great expense.
Which doesn't guarantee that anything you do is actually within standards. From the limited amount of information available, these two clients were certainly not compliant - yet they passed after paying the "PCI DSS consultant" their fee. It's a standard protection racket really. "Pay us or we'll hurt your business" kind of stuff.
To force such a system onto small businesses who are probably already running on the ragged edge is evidence that "big business" rules the roost, and small businesses are seen as completely disposable by the government.
PCI is a deeply flawed, expensive, ineffective knee-jerk response to put a band-aid onto an inherently insecure rickety obsolete payment mechanism. PCI compliance is the equivalent of using a very expensive teaspoon to bail out the titanic - the ship is SINKING. PCI is nothing more than the financial equivalent of the TSA's "security theater" - look at all the security we have while the back door is wide open.
The software already exists to make a one-time-only credit card number for online purchases. With this system, you could shout the number form the rooftops, and subsequent attempted uses of the number would be denied. Only problem is the clowns who SELL compliance programs would be out of business.
And the BIG breaches - millions and millions of card numbers at a whack - would go on, because they are either inside jobs or utter stupidity in not securing networks which contain unencrypted card data.
PCI compliance insists that all data at rest must be encrypted so it's not just network segregation that is required (and that is a requirement as well).
There are no 'programs' that make you compliant - ok, you can buy encryption programs, file integrity monitoring programs, log management programs etc., but that's not even the tip of the iceberg. It can cost millions to become compliant if you are a Tier 1 retailer, depending on where you are in your current POS lifecycle.
What about the processors? Heartland comes to mind... What happens with a processor like Heartland, when the initial investigation places the suspicion on the small business?
Rather than going through second-party processors, maybe Visa (et al.) should consider processing credit card transactions themselves, so an entire layer of potential risk is removed. Better yet, hard currency always works.
Payment processing is easily outsourced, avoiding the need for any extra red tape.
IIRC, there was quite a checklist to go through back in the late '90s when my company first accepted credit cards. We took the line of least resistance and outsourced to Worldpay. At the time their fees (including the bank's charges) were the same as the bank's charges alone would've been if we'd done it ourselves, making the decision a no-brainer. I expect their economies of scale helped, along with the extra perception of security of a big provider open to audit.
The ones we work with have a free self-certification for pure e-commerce for our SaaS product, which is a simple form. The problem arises when people have more than one type of merchant account and need to do the penetration testing and other more complex audits.
The other issue is for companies with more than one acquiring bank, who then have to audit twice, once for each merchant account.
Many of the mainstream chip and pin services haven't come close to getting merchants through the compliance required yet, which with a deadline of tomorrow is not good.
I can't see how PayPal will be exempt either, as most if not all businesses have to use the PayPal X or Pro (or whatever it is this week) to accept cards, so will need to fulfil compliance in the same way.
Hopefully this does not apply to the myriads of smaller users who do not use epos and just take cards as an alternative to cash/cheques.
I feared the worst when our acquirer started bothering us about this, but actually it was a doddle. Making sense of the questionnaire (and finding the right one to fill in) was the hardest part, but the bank had enlisted a third-party who steered me through it before uploading the questionnaire to their website. Then spent half an afternoon knocking up the required "policy document" that covered the clue-stick-grade data-protection safeguards everyone already knew to take, just in case anyone should ever ask to see such a thing (somewhat sceptical about that), and job done.
Of course we are definitely in the "Mom'n'Pop" category, but beyond the initial trepidation I'd say it was less onerous than most of the bullshit "compliance" headaches we face nowadays. (PRS For Music, I'm looking at you - among others.)
The PCI Security Standards Council (which in any case is a front for the card schemes like Visa and MasterCard) merely drafts the standard. It has no power to enforce it.
The enforcement is done by the card schemes, of which Visa is much the largest. The card schemes require the merchant acquirers (e.g. Barclaycard Business, Streamline etc.) to impose the PCI DSS on the merchants whose transactions they process.
Consequently, yes it is Visa who is effectively enforcing the rules (albeit by proxy).
I haven't been able to find a third-party processor that can cope with the fact that all the items on our website are in stock. Normally we can get the out-of-stock items quickly, but we don't want the customer's card debited until we have the stock.
Also if we find we can't get more stock. Giving refunds is expensive, as we still get the percentage charge on the initial payment and then a flat charge on the refund.
We also need to be able to say yes to customers known to us whose 'address does not match' and no to other suspect transactions.
If anyone knows of a 'third-party processor' who can cope with that I'd be pleased to hear who?
We often get that for no good reason, e.g. a customer who's lived all his life at an address and the postcode has not changed but still gets a 'Sec only' message!
I can't speak for any of the competition, but we use SagePay (née Protx) for our ecommerce processing, and it does what you seek. You can choose to take "deferred" payments, meaning the authorisation is done as normal, but the debit isn't taken straight away, just "shadowed" (reserved so they can't spend it in the interim) until you log in and either accept or abort the payment.
The auth system allows you to set rules (thresholds, really) such as: reject txns that fail address check *IF* txn value is £* or greater. This makes a lot of sense because, as you say, there are a lot of inexplicable false-alarms, but at the same time it's best to be covered against chargeback if the sum in question is high enough to hurt.
BTW I don't work for the aforementioned company. They were in fact recommended to us by a competitor(!) as being more suitable for a business of our size. If you have a high turnover and tight margins, you probably want to think about someone else as their servers do occasionally have a wee lie down (couple of times a year).
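The deferred-authorisation flow and the address-check threshold rule described in the reply above (authorise now, shadow the funds, capture only once stock is confirmed, reject an address mismatch only above a value cut-off, and let known customers through for manual review) can be sketched as a small decision model. This is an added illustration, not part of the thread and not SagePay's API or any processor's actual rule set; the `RuleSet` fields, the £100 threshold, the `known_customers` allowlist and the sample orders are all assumptions made for the example.

```python
"""Deferred-capture decisioning with an address-check threshold.

Constructed illustration of the flow described in the thread: authorise
first, shadow the funds, and capture or abort later once stock is known.
Rule names, thresholds and sample transactions are assumptions for this
example; they are not any real processor's API or rule set.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"   # address checks passed: authorise, capture when ready
    DEFER = "defer"     # authorise (shadow funds) but hold for merchant review
    REJECT = "reject"   # do not authorise: mismatch on a high-value order


class Status(Enum):
    DECLINED = "declined"       # never authorised
    HELD = "held"               # authorised, awaiting merchant review
    AUTHORISED = "authorised"   # funds shadowed on the card, not yet debited
    CAPTURED = "captured"       # debit taken
    ABORTED = "aborted"         # authorisation released; no refund fee applies


@dataclass(frozen=True)
class Txn:
    customer_id: str
    amount: Decimal          # order value in GBP
    address_match: bool      # processor's address check result
    postcode_match: bool


@dataclass(frozen=True)
class RuleSet:
    # Reject address-check failures at or above this value (chargeback exposure).
    reject_mismatch_at: Decimal = Decimal("100.00")
    # Customers the merchant knows personally: a mismatch is tolerated but reviewed.
    known_customers: frozenset = frozenset()

    def decide(self, txn: Txn) -> Decision:
        if txn.address_match and txn.postcode_match:
            return Decision.ACCEPT
        if txn.customer_id in self.known_customers:
            return Decision.DEFER
        if txn.amount >= self.reject_mismatch_at:
            return Decision.REJECT
        return Decision.DEFER


@dataclass
class Payment:
    txn: Txn
    status: Status

    def approve_review(self) -> "Payment":
        """Merchant has looked at a held transaction and is happy to proceed."""
        if self.status is Status.HELD:
            self.status = Status.AUTHORISED
        return self

    def settle(self, in_stock: bool) -> "Payment":
        """Capture only once stock is confirmed; otherwise release the hold."""
        if self.status is Status.AUTHORISED:
            self.status = Status.CAPTURED if in_stock else Status.ABORTED
        return self


def authorise(txn: Txn, rules: RuleSet) -> Payment:
    """Run the rules and create the payment in its initial state."""
    decision = rules.decide(txn)
    if decision is Decision.REJECT:
        return Payment(txn, Status.DECLINED)
    if decision is Decision.DEFER:
        return Payment(txn, Status.HELD)
    return Payment(txn, Status.AUTHORISED)


# Constructed sample orders (not real transactions or customers).
RULES = RuleSet(reject_mismatch_at=Decimal("100.00"),
                known_customers=frozenset({"cust-0042"}))
SAMPLE_ORDERS = [
    Txn("cust-0001", Decimal("25.00"), True, True),      # clean, small
    Txn("cust-0042", Decimal("450.00"), False, True),    # known customer, mismatch
    Txn("cust-0777", Decimal("30.00"), False, False),    # stranger, low value
    Txn("cust-0999", Decimal("250.00"), False, True),    # stranger, high value
]
SAMPLE_STOCK = [True, True, False, True]                 # stock confirmed per order


def run_sample() -> list:
    """Return the final status for each sample order, as strings."""
    out = []
    for txn, in_stock in zip(SAMPLE_ORDERS, SAMPLE_STOCK):
        p = authorise(txn, RULES)
        p.approve_review()          # merchant reviews anything on hold
        p.settle(in_stock)
        out.append(p.status.value)
    return out


if __name__ == "__main__":
    for txn, status in zip(SAMPLE_ORDERS, run_sample()):
        print(f"{txn.customer_id} £{txn.amount}: {status}")
```

The point of the `ABORTED` path is the cost complaint earlier in the thread: releasing an authorisation that was never captured avoids the percentage charge plus flat refund fee that a capture-then-refund incurs, which is why capture waits for stock confirmation.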