Treat credit card data as you treat cash
Niell,
I'm one of the "expensive consultants" you refer to in your post. To play Devil's advocate on a couple of your points:
1) Banks only insist on "expensive audits" for those companies handling the most credit card data or for those that have been compromised. Small business, while required to comply with the same standard, is only required to validate (report) their compliance status by completing an annual questionairre and some vulnerability scans (if you're internet facing).
2) The banks don't make any money from "expensive audits", only the consulting companies do. In fact they hate this stuff because it creates a bad relationship between the bank and their client. If they are unreasonable enough the banks are afraid you as a merchant will take your business elsewhere. They want this to be as little a headache to you as possible, but they also need to ensure you are protecting your acquirers reputation.
3) The reason the banks want "and expensive consultant" involved in the first place is because banks aren't security experts, and neither is the merchant. Someone knowledgeable needs to attest to the status of the environment handling the data.
4) "the bank hooking you into their costly systems" - I think a key thing PCI DSS is trying to acheive is to send the message to small business that handling credit card data, while only appearing as a bunch of 1's and 0's on your systems, needs to be handled responsibly, just like you handle cash. You don't just leave your cash sitting out in the open do you? You don't send it to the bank in the post either do you? You pay banks and security companies to protect it for you. Small business has failed to see the comparison. The "expensive systems" the banks and payment service providers are trying to "hook you into" is a way of allowing you to outsource the bulk of the security controls that need to be in place if you're going to handle credit card data. It's taking risk away from you as a merchant and for your acquirer. In the long run it's a cheaper option for you and spreads the cost over each transaction rather than requiring you to spend a lot of money on becoming a security and IT expert; something your wife or brother probably is not. You can't have your cake and eat it too.
In your defence however it's also worth pointing out that the entire reason PCI DSS exists and you as a merchant are being forced to comply with all of these controls is because the payments industry rested on it laurels for far too long. The existing payments model has been around for decades and did not evolve quickly enough in introducing uniform standards for protecting payment data. When they realised they needed too it was too late so they pushed the responsibility onto the merchants to acheive it with the DSS controls.
Technology such as end-to-end encryption and dynamic data authentication are going to change payments security for the better for everyone though in the coming years. It may take a while for the model to be standardised however the concepts are there already once common will let you as a business owner focus on business, banks focus on making money from our money, and will require hackers and "expensive consultants" like me to find the next opportunity to leach off. :)
Regards
Biting the hand that feeds IT
