Way to go Arnold — why AB 779 was a lose-lose situation for small business
A lot of commotion has recently been stirred up around California Governor Arnold Schwarzenegger's veto of a bill (AB 779) that would have imposed mandatory data-security requirements on every merchant in the state. Many have scoffed at the Governor "caving to lobbyists and members of the retail industry." You know what? I actually agree with the Governor's veto of this bill. Even though I've recently expressed some criticism of the ambiguity of PCI DSS, I really think the Governor has it right.
This bill is only friendly to big business, not the little guys. Compliance with state laws and regulations costs small businesses money, sometimes more than they can afford. Many businesses therefore stick with cash-only policies, weighing the business lost by refusing debit and credit cards against the cost of processing those transactions. Does anyone know how much money is spent on business licenses and all the other things a mom-and-pop retailer has to do?
Bill Brenner of Security Bytes is disappointed with the veto. He states, "Apparently no one told the governor that PCI DSS is NOT working." Okay, where's your data to back up this claim? He later says, "Big business, hackers, and ID thieves won today." Hmmm, it's easier for big business to comply because they have vastly larger bank accounts and can throw more people at the problem. Small business? Not so easy. Just take a look at what percentage of your income health insurance for your own family ends up costing you when you own a small business.
In addition, the law would conflict with PCI DSS. PCI already has multiple compliance levels (four) that apply differently to merchants based on the number of transactions processed annually. Pushing another regulation onto every business is just pointless. Chalk up another useless regulation with no teeth that we have to think about. The list goes on and we all know them: HIPAA, FISMA, etc. Who would make sure merchants are compliant on an every-other-day basis?
I can compare this bill to NASCAR regulations. A couple of years ago, NASCAR introduced a rule requiring teams to dial in their shocks and keep them within spec following a race. The teams with the most money turned to sophisticated seven-post rigs to dial in their suspension easily. What does this mean? The teams with less money get shafted, literally. For the teams that can't afford such a rig, more time and money is spent meeting the suspension specifications.
Is "too much effort to comply" not an excuse? Well, when you're a small business, you have less money, less time, and fewer resources to do it with. What you can do is far less than what a big company can do. Anyone who owns their own business knows how much time is spent doing government paperwork: almost half.
Also, think about the risk here. What's the better target: a mom-and-pop store with 100 card numbers, or a multinational with hundreds of thousands? Surely a high-profile nationwide company or chain inherits a greater risk of a security breach simply because of the cost-benefit calculation for an attacker. Hacking a little town store is just not worth the trouble. A small-time criminal takes a bigger risk (stupidity, desperation, etc.) holding up a convenience store, because the payout isn't nearly as much as a bank heist (planning, worth, etc.).

I can understand some of the arguments being that a Mom & Pop would be low-hanging fruit, and I could argue that hitting 10-100 Mom & Pops would be easier than attacking a single company. But what I am not understanding is why a Mom & Pop would need to store credit card information. With online payment services such as PayPal, subscriptions can be set up to be handled automatically.
I have taken 2 credit cards in my 16 years of being in business. I never touched the credit cards or knew the numbers; both were handled over my business account with PayPal. In the little research I have done, PayPal's fees are a bit higher than a "traditional" transaction processor's, but I've not paid a monthly fee for 16 years to have the "permission/opportunity" to accept a credit card.
When I walk into a store and they swipe my credit card into their little machine and I walk out, what type of retention on that card data is kept, and if it never leaves that machine would not the integrity/protection of that data be the responsibility of the processor or machine creator, aside from theft?
The next question I have is if a mom & pop uses a program such as Quickbooks or Peachtree shouldn’t their software have the necessary protections built into it? Especially if the software allows for the storage of credit card data?
Aside from a Mom & Pop having a website with a custom-designed (in-house) shopping cart/payment system, the credit card transactions should be protected by the design of the system.
I feel a better way to approach protection of CC data would be to have a series of PCI-approved systems/workflows where I could walk into a store and purchase a "compliant"/reasonably secure system.
From what I have been hearing, PCI/the PCI Board is just a way for the CC industry to be specific and vague enough to avoid the responsibility of creating a valid system. The people who have the money (the CC industry) should be the ones to implement the secure system, not the smaller companies. But it is cheaper/easier for them to accept fraud/theft as a cost of doing business.
–Tim
I ran across an article on ittoolbox about small SMBs (larger mom & pops). The article, while a bit light on details, mentions that most SMBs don't have sufficient staff or resources to adequately protect data and PCI.
http://blogs.ittoolbox.com/security/adventures/archives/smbs-are-a-very-large-soft-target-19920
Marcin, just noticed this post - I’m 100% on board with you. The problem isn’t one that is going to be solved by more laws and a new government department of blah blah.
TKrabec brought up an interesting point, but not quite in the way he/she expected.
“From what I have been hearing PCI/the PCI Board is just a way of the CC industry being specific & vague enough to avoid responsibility of creating a valid system. The people who have the money (CC industry) should be the ones to implement the secure system, not the smaller companies. But it is cheaper/easier for them to accept fraud/theft as a cost of doing business.”
There is never going to be 0% fraud. What's the sense in taking a 0% acceptable-fraud policy? The "secure system" is the actual system taking payment card data. How can the card companies secure merchants' computers for them? The credit card industry are the "people who have the money," as you put it, because they created the credit card system. They have to maintain consumer confidence in it or people will stop using it. They have a big incentive to self-regulate.
The difference between PCI levels is minimal. You have to do the same stuff for all of them; the only difference is in the kind of reporting required, ranging from an onsite annual audit and quarterly testing by an ASV to an annual self-assessment. All, however, must do quarterly testing and an annual network and web app pentest. Yes, that cost is pushed down to merchants, but how can the card company put protective mechanisms in place on some guy's shopping cart system? PCI isn't a regulation; it's a standard, and a contract between the merchant/service provider, the card brands, and the PCI SSC. If a merchant doesn't like the regulations, they can take another form of payment. No one forces them to take CC. They could use a gateway and outsource taking cards. My point here is: who better to know the acceptable level of fraud beforehand than the companies subject to it, the card brands? They own the payment instruments being stolen. PCI isn't perfect, but it's pretty good, and even better, it's a free-market approach. I have the sneaking suspicion that's the reason some oppose it.