TKrabec brought up an interesting point but not quite the way h/she expected.

“From what I have been hearing PCI/the PCI Board is just a way of the CC industry being specific & vague enough to avoid responsibility of creating a valid system. The people who have the money (CC industry) should be the ones to implement the secure system, not the smaller companies. But it is cheaper/easier for them to accept fraud/theft as a cost of doing business.”

There is never going to be 0% fraud. What’s the sense on taking a 0% acceptable policy? The ’secure system’ is the actual system taking payment card data. How can the card co’s secure merchants computers for them? The credit card industry are the “people who have the money” as you put it because they created the credit card system. They have to maintain consumer confidence in it or people will stop using it. They have a big incentive to self regulate.

The diff between PCI levels is minimal. You have to do the same stuff for all of them - the only difference is in the kind of reporting required, ranging from onsite annual audit and quarterly testing by an ASV, to an annual self assessment. All however, must do quarterly testing and annual network and web app pentest. Yes, that cost is pushed down to merchants, but how can the card company put protective mechanisms in place on some guys shopping cart system? PCI isn’t a regulation - it’s a standard - and a contract between the merchant/service provider, card brands, and pcissc. If a merchant doesn’t like the regulations, they can take another form of payment. No one forces them to take CC. They could use a gateway and outsource taking cards. My point here is that who better to know the acceptable level of fraud before than the companies subject to it, the card brands? They own the payment instruments being stolen. PCI isn’t perfect but it’s pretty good, and even better it’s a free market approach. I have the sneaking suspicion that’s the reason some oppose it.

http://blogs.ittoolbox.com/security/adventures/archives/smbs-are-a-very-large-soft-target-19920

I have taken 2 credit cards in my 16 years of being in business, I never touched the credit cards or knew numbers, both were handled over my business account with Paypal. In the little research I have done Paypal’s fees are a bit higher than a “traditional” transaction processor, but I’ve not paid a monthly fee for 16 years to have the “permission/opportunity” to accept a credit card.

When I walk into a store and they swipe my credit card into their little machine and I walk out, what type of retention on that card data is kept, and if it never leaves that machine would not the integrity/protection of that data be the responsibility of the processor or machine creator, aside from theft?

The next question I have is if a mom & pop uses a program such as Quickbooks or Peachtree shouldn’t their software have the necessary protections built into it? Especially if the software allows for the storage of credit card data?

Aside from a Mom & Pop having a website with a custom designed shopping (in house) cart/payment system, the credit card transactions should be protected by the design of the system.

I feel a better way to approach protection of CC data would be to have a series of PCI approved systems/work flows where I could walk into a store and purchase a “compliant”/reasonable secure system.

From what I have been hearing PCI/the PCI Board is just a way of the CC industry being specific & vague enough to avoid responsibility of creating a valid system. The people who have the money (CC industry) should be the ones to implement the secure system, not the smaller companies. But it is cheaper/easier for them to accept fraud/theft as a cost of doing business.

–Tim