It's time to abandon the PCI standard
jonassono
05-20-2009, 08:01 AM
The sheer enormity of the chaos, confusion and ambiguities surrounding the entire PCI-DSS fiasco for merchants and those of us trying to help them validate compliance should be sending a wake-up call to everyone involved.
Just peruse the hundreds of threads in this blog and witness the chaos amongst the merchants and those of us trying to assist them achieve compliance.
It's very frustrating and exasperating for information security professionals to attempt to deal with a set of (so-called) standards that apply world-wide to a non-standard and highly heterogeneous environment of card brands, acquirers, issuers, merchants, and related service providers - compounded by the plethora of convoluted and disparate technologies used by merchants.
Frankly, I think it's time we abandoned the entire PCI-DSS disaster and have a professional organization, independent of the card brands, banks and acquirers, come up with something in its place that is workable.
ADail
05-20-2009, 08:33 AM
Compliance in general has become too much of a cash-cow (and financial drain from the merchant's perspective). There are too many people out there with opinions that vary tremendously from organization to organization about compliance requirements, and PCI is as much a symptom as a cause.
In many cases I know of SoX auditors who mandated companies store their logs for 7 years, not because SoX requires it, but because they were trained as financial auditors and 7 years is the de facto period for the retention of financial records.
Even as a merchant I'm not quite ready to throw PCI under a bus, because compared to many compliance programs it gives relatively concrete instruction on what to do and what not to do.
The issue has become, in my opinion, that there is now a perception that safe harbor no longer exists for "PCI Validated" entities, should they be breached. So, the program now seems all stick and no carrot, and if a merchant will be punished and fined at the same level for a breach regardless of PCI status, where is the incentive to proactively manage security as opposed to doing whatever it takes to get the QSA out of the building?
It's a tough call and it's a flawed implementation, but it's far better than nothing. Also, based on the performance of SoX, and previous breaches at financial institutions (already covered by a myriad of government banking regulations), I also have limited faith in regulation as a tool to reduce payment card fraud.
rx.jeff
05-20-2009, 09:56 AM
I would not entirely abandon PCI, however, I think another way needs to be conjured up to make utilizing cc a pleasant experience for all!
For example, I bet 99% of my company's customers are still thinking that if they buy compliant hardware/software, they're all set, which is not the case. I had to frequently refer them to PCI-DSS ver 1.2 to read and make sure that they are complying with the protocols. I have even outlined examples of what they must do with my company's applications/hardware in emails (written in point form to 'dumb it down') and I'm sure they either didn't bother reading or it just went over their heads, as from the questions they call about (I can tell from the way they ask them), they have no clue what they're doing.
We also have an Implementation Guide which I'm sure none of them ever read either.
ADail
05-20-2009, 11:18 AM
We also have an Implementation Guide which I'm sure none of them ever read either.
I have difficulty getting the third-party field techs to read the implementation guides. You always get "Well, I always install it this way for this other brand.. what's the difference"..
Well, just POS software version & capabilities, network, infrastructure topology.. nothing important..
Magnafix
05-20-2009, 03:59 PM
It might be common knowledge here already but there are scanning vendors who simply require a 'clean' Nessus scan, and they give you your badge of 100% PCI compliance, for just $995/year or whatever.
The standard is being simultaneously held under a microscope and being disregarded with a wink and a nod. Here's an example that got me kicked off a forum which didn't want to believe PCI DSS required anything other than a scan.
http://www.zen-cart.com/forum/showthread.php?t=107796
Funny times.
jbhall56
05-31-2009, 03:14 PM
Okay, what do we replace the DSS with?
I have not heard an intelligent answer to that question yet. Most people just shrug or come up with the "We'll just go back to the way we were dealing with it before. After all, we hadn't been breached." If you think the DSS is a pain to comply with, wait until you see FISMA, NIST or some of the other similar standards.
Going back to past practices is not an option. There are too many "bad" people out there waiting for just such an opportunity.
I guess I've been involved in security too long. For most people, it's the approach of "if I don't think about it, it won't happen." Other than banking and government security agencies, security has always gotten the short end until an incident occurs and then it's important until that incident is addressed. That's just an ignorant way to approach this problem.
And those of you that think the ROC costs too much now better get a grip. The cost of a ROC is going up. After years of being told "the ROC is not a SAS 70," it is sure looking more and more like a SAS 70. The PCI SSC and the card brands have made the testing requirements for the ROC more rigorous which is only going to drive costs up, not down.
This is particularly the case in what they are now asking for regarding the testing to ensure a network is properly segmented and secured. While they have not come out and said that QSAs need to use automated tools to analyze a network, the level of detail they are now requiring sure does seem to imply that an automated tool will be needed. Either that, or QSAs will need to find network specialists at $20/hour that can do a manual analysis of all the network configurations and security.
Another area changing is the analysis of log data. QSAs are now required to look at samples of log data for all in scope applications and in scope network devices (i.e., firewalls, routers, switches, servers, etc.). This means sampling log data for all of these and conducting an analysis of all of this information. The result will likely be an analysis of megabytes instead of kilobytes.
All of these changes are the result of the recent breaches that have occurred.
jonassono
06-01-2009, 08:16 AM
Okay, what do we replace the DSS with? Something that works and doesn't require someone with an IQ over 200 to understand. Also something that takes into account the immense diversity amongst merchants, acquirers and the plethora of other service providers and the vast spectrum of underlying technologies. In summary, we need something in place of PCI-DSS that we can all understand and implement without herniating the assessor or bankrupting the merchant. The PCI-DSS has been a good starting point and given our whole community a sense of what works and what doesn't - however, the "one size fits all" model simply doesn't make the grade.
I have not heard an intelligent answer to that question yet. Most people just shrug or come up with the "We'll just go back to the way we were dealing with it before. After all, we hadn't been breached." If you think the DSS is a pain to comply with, wait until you see FISMA, NIST or some of the other similar standards.
Going back to past practices is not an option. There are too many "bad" people out there waiting for just such an opportunity. The reality is credit card fraud is virtually non-existent as a percent of total dollars transacted through credit purchases. It is infinitesimally small - something less than 0.000001%.
I guess I've been involved in security too long. For most people, it's the approach of "if I don't think about it, it won't happen." Other than banking and government security agencies, security has always gotten the short end until an incident occurs and then it's important until that incident is addressed. That's just an ignorant way to approach this problem.
And those of you that think the ROC costs too much now better get a grip. The cost of a ROC is going up. After years of being told "the ROC is not a SAS 70," it is sure looking more and more like a SAS 70. The PCI SSC and the card brands have made the testing requirements for the ROC more rigorous which is only going to drive costs up, not down. We are now on the same page, PCI makes SOX pale by comparison and look what SOX achieved - nothing but a trillion dollars in audit and consulting fees.
This is particularly the case in what they are now asking for regarding the testing to ensure a network is properly segmented and secured. While they have not come out and said that QSAs need to use automated tools to analyze a network, the level of detail they are now requiring sure does seem to imply that an automated tool will be needed. Either that, or QSAs will need to find network specialists at $20/hour that can do a manual analysis of all the network configurations and security. Whoops, whose side are you on? This only illustrates, in detail, one of the very issues at stake.
Another area changing is the analysis of log data. QSAs are now required to look at samples of log data for all in scope applications and in scope network devices (i.e., firewalls, routers, switches, servers, etc.). This means sampling log data for all of these and conducting an analysis of all of this information. The result will likely be an analysis of megabytes instead of kilobytes. More evidence that the PCI standard isn't working and needs radical surgery or be simply replaced with something that does.
All of these changes are the result of the recent breaches that have occurred.
IMHO, PCI-DSS is little more than another 'blunt instrument' approach to a relatively trivial information security problem.
PCIJeff
06-02-2009, 12:31 AM
IMHO, PCI-DSS is little more than another 'blunt instrument' approach to a relatively trivial information security problem.
If you don't like PCI then get out of the business!
FunPolice
06-02-2009, 01:19 AM
The biggest problem I see is this cycle:
As everyone seems to know, there are some pretty crap auditors out there. These auditors may sometimes certify companies that aren’t compliant. If those companies are then compromised, the company is judged to be non-compliant, and rightfully protests – it has some paper issued by a PCI trained and certified consultancy, and the bit of paper saying “Compliant” was approved by the PCI.
Then this appears in the news. No one knows the details of the company – they just hear that the company was labelled compliant by PCI members, and now that there’s a problem, the PCI members are turning around and saying the company is not compliant. People assume that the PCI members are being unfair, or potentially just covering their backsides.
Other companies see these news stories, and think to themselves “well, clearly getting someone to say you’re compliant is no help if there’s a security breach, so why bother trying? This company will pretty much just sell me the stamp – that’ll shut up my acquirer, and if there’s a compromise I’ll see the same fines as if I’d put together this million pound compliance project.”
And it goes on and on.
So how to fix this? The problem isn't the standard - it's the things around it. Auditors need more training, but also more vetting. The generic five years' experience is, if I remember correctly, also the minimum needed for a CISSP, and let's be honest folks, we've all met some useless CISSPs. Perhaps a security equivalent of the ACCA (http://www.accaglobal.com/) is needed.
Secondly, the certification has to have some value. If VISA approves my certification and then two weeks later I'm compromised, and I'm told that actually haha, I wasn't compliant, I've every right to be angry. At the moment the certification is meaningless in the eyes of businesses, except as a means to avoid the recurring noncompliance fines.
I saw this on Wired this morning (http://www.wired.com/threatlevel/2009/06/auditor_sued/). I can’t comment on the details of the case, clearly, but I hope a lot more merchants start to look at options like this. It might make consultancies take this all a bit more seriously.
jbhall56
06-02-2009, 06:56 PM
Because of the lame approach for a PCI assessment, what do you expect?
Savvis will likely not be held responsible because of that lame approach. What is the lame approach? The fact that the PCI assessment is as of a point in time. Actually, the assessment can be multiple points in time. Because of this, one area can be found compliant and the QSA moves on to the next area. In the meantime, any of the areas found compliant can go out of compliance due to any sort of human error. However, the ROC will report all areas in compliance.
And conducting periodic testing over the reporting period will not entirely solve the problem of compliance. It will only minimize the problems with compliance. So there will always be a risk that any organization will not be compliant at some point. After all, there are human beings involved and human beings are fallible. Therefore, there will always be the risk of non-compliance.
There was a great quote in one of the articles a couple of months back when the US House of Representatives' DHS sub-committee held hearings on the PCI process. One of the experts the reporter quoted in the article commenting on PCI compliance and the forensic investigations that occur after a breach said, "When you have a 'witch hunt', you can always find a witch." How very true.
In the end, I doubt that any company, breach or not, would survive an investigation with the rigor of a forensic investigation - today's version of the Spanish Inquisition. They are out to find the culprit and they WILL find a culprit because that's what they are being paid for. Oh, and by the way, they have all the time in the world to find the culprit, so they will find one.
Sorry for the cynicism, but that's my take on how things work today.
FunPolice
06-03-2009, 12:30 AM
There was a great quote in one of the articles a couple of months back when the US House of Representatives' DHS sub-committee held hearings on the PCI process. One of the experts the reporter quoted in the article commenting on PCI compliance and the forensic investigations that occur after a breach said, "When you have a 'witch hunt', you can always find a witch." How very true.
In the end, I doubt that any company, breach or not, would survive an investigation with the rigor of a forensic investigation - today's version of the Spanish Inquisition. They are out to find the culprit and they WILL find a culprit because that's what they are being paid for. Oh, and by the way, they have all the time in the world to find the culprit, so they will find one.
So basically, there's no way the merchant will ever win, and no way that Visa & Co. will ever lose. You're right - this pretty much validates the point of view of my hypothetical merchant, who sees himself getting kicked in the shins after a breach no matter what he's done on the compliance side. Small wonder businesses are doing their best to ignore the standard.
Sorry for the cynicism, but that's my take on how things work today.
Cynicism in the information security industry - now I've seen everything! ;)
lyalc
06-03-2009, 03:25 AM
IMHO, PCI-DSS is little more than another 'blunt instrument' approach to a relatively trivial information security problem.
So what's a better option/model?
This sounds like the alternative medicine industry vs proven science and healthcare.
Its too easy to ask companies to protect against fraud. The hard part is to get consistency in protection, and any improvement over the status quo in some sites is going to reduce the financial loss exposure.
If nothing else, PCI DSS is starting to get some professionalism into information security, where not only is there a basic qualification level, but QSAs are putting their name/backside on the line via accountability for their assessment outcomes - something no amount of CISSP, CISM/CISA/GIAC acronyms has achieved to anywhere near the same degree, in my experience.
Is PCI DSS going to fix every thing, card fraud wise?
Maybe, maybe not - but modern health care doesn't cure every disease either.
lyalc
FunPolice
06-03-2009, 03:56 AM
So what's a better option/model?
If nothing else, PCI DSS is starting to get some professionalism into information security, where not only is there a basic qualification level, but QSAs are putting their name/backside on the line via accountability for their assessment outcomes - something no amount of CISSP, CISM/CISA/GIAC acronyms has achieved to anywhere near the same degree, in my experience.
I'd have suggested that the basic qualification level is not very high. I don't think the CISSP level is very high, but the CISSP exam was certainly more in depth than the QSA tests. The only real requirement is five years of security experience in some form, and the ability to find answers in the book of notes while you're taking the test.
The accountability part though, you're right there - at least I think you're right. Are there any numbers on the QSAs or QSACs who have been stripped of their status?
wconway
06-03-2009, 07:28 AM
The accountability part though, you're right there - at least I think you're right. Are there any numbers on the QSAs or QSACs who have been stripped of their status?
One idea is to keep checking the Council's website for results of the QA program as QSAs are placed on the remediation list. This list is based on analyzing sample ROCs, but I think will reflect merchant feedback, too.
jbhall56
06-03-2009, 08:03 AM
I can tell you there's nothing like being graded with a grading scale produced after the fact.
The PCI SSC QA assessment rating scale for how they assess reports was finally released to the QSACs around February or March. As we have found out, there are nuances to how the PCI SSC and the card brands want things documented in the ROC that were not communicated very well, if at all, to the QSACs. As a result, I don't see how any QSAC can come through the QA process without going on at least probation.
My biggest problem with the QA program as it exists today is that it totally ignores the supporting evidence (i.e., work papers) collected during the assessment. Today's QA program is based on whatever is written in the ROC in the In Place, Not In Place and Comments columns. As a result, all the PCI SSC QA people are ensuring is that you wrote a ROC to their 'standard'. In fact, we were told at our re-certification training session by an anonymous PCI SSC employee that a ROC template, created using their grading scale to produce appropriate answers/responses, should be created so that we could get through the QA process easier.
In my opinion, based on the breaches that have occurred, the problem isn't with how the ROC is written, it's that the QSA does not have the evidence to support their conclusions in the ROC. However, that too is not entirely the fault of the QSA. More times than not, the environment is so complex or misunderstood, that no matter how much the QSA tries to uncover everything in-scope, the client keeps finding things that should have been in-scope, learns that a particular process does not always work the way they were told or whatever. It's unfortunate, but I can count on one hand the number of clients where this has not been the case. In most cases, I go through the ROC process with a recurring client and every time we find some new applications, databases, files (electronic or physical), devices, etc. that are in-scope and have been around since we started doing their ROC years ago.
partpricer
06-03-2009, 08:06 AM
I feel the need to chime in here. It seems like most of the responses here are from assessors or those who make a living providing security services. Let me give you the perspective of a merchant.
First, let me provide some background. We are a multi-site brick-and-mortar retailer that also does minimal business online. The number of payment card transactions that we process per year puts us in the Level 2 category. For an initial outlay to shore up our environments for PCI, we spent almost $800,000. That does not include salaries. On an ongoing basis, we spend close to $400,000 annually for salaries, subscriptions, scans, pen tests, etc. just to meet the requirements of the PCI-DSS standard. I point these numbers out to show that it is not a trivial amount that we have spent and are spending.
Now, here is what I see as the good and the bad of PCI:
Good:
It gave us a big stick to run around and threaten people with internally to take information security seriously.
It got us needed budget dollars to harden our infrastructure.
Bad:
It is wasted time and money. Yes, we have protected ourselves. But, as everyone here knows, our compliance is a point-in-time. Visa has never found a company that was breached to be PCI-compliant at the time of the breach. That makes sense in a very odd fashion. But, it does nothing for us. We spent the money to become compliant to protect our customers, but also to protect our business entity from potential exposure. However, when we are breached, all of those protections we thought we had go right out the window when Visa, MC or other brand says, “You were not compliant at the time of the breach”. The money that we spent on insurance, bonds, etc. gets pissed away because they all state that we must be compliant.
So, how does this get fixed? It is multiple steps.
Do away with the PCI-DSS standard.
Put the burden of protecting cardholder data where it belongs and can be properly controlled, with the card companies. There are no entities better positioned to secure and protect cardholder data than Visa, MC, AMEX, Discover and the rest. We, as merchants, have been carrying the burden of patching the dysfunctional system that they have created. They can fix their systems. I can’t. When you have a problem, you need to identify the root cause. The root cause of breaches targeting payment card information is that it can be easily used by unauthorized individuals. Fix that and the problem goes away.
lyalc
06-03-2009, 12:20 PM
So, how does this get fixed? It is multiple steps.
Do away with the PCI-DSS standard.
Put the burden of protecting cardholder data where it belongs and can be properly controlled, with the card companies. There are no entities better positioned to secure and protect cardholder data than Visa, MC, AMEX, Discover and the rest. We, as merchants, have been carrying the burden of patching the dysfunctional system that they have created. They can fix their systems. I can’t. When you have a problem, you need to identify the root cause. The root cause of breaches targeting payment card information is that it can be easily used by unauthorized individuals. Fix that and the problem goes away.
Option 2, imho is just as complicated, equally/more expensive, and will take longer to deploy globally. I've beaten my head against that wall, trying to sell security innovation for any form of electronic payment, including cards.
PAN-related fraud occurs due to business decisions made in the 1960s and 1970s by card brands and a few large merchants of the time. Changing that requires virtually replacing the entire payment card technology/security model.
Millions of merchants globally, installing a parallel security/technology infrastructure (to support 'old card' and 'new card' transactions) that has yet to be designed and agreed, is going to cost way more than PCI DSS and take more than a decade (the 3DES rollout in ATM and PED is not yet complete, over a decade since the first mandates were announced).
Even then, those same merchants will continue to need network security, change management, security policies and premises security - the basics that PCI DSS requires.
While I can't comment on the cost issues, I have seen minor business process changes allow major savings in IT costs. It also sounds as if the costs incurred were simply catch-up costs for long-deferred IT security controls.
I'll (try to) stop offering opinions on this topic now :-)
lyalc
FunPolice
06-04-2009, 12:52 AM
My biggest problem with the QA program as it exists today is that it totally ignores the supporting evidence (i.e., work papers) collected during the assessment. Today's QA program is based on whatever is written in the ROC in the In Place, Not In Place and Comments columns.
The classic thing about this is that the last time I went through QSA training, which was 2008, we were told that we needed to keep our working papers in case a ROC was selected for QA.
I think I prefer running remediation work to doing audits. :D
pciscam
06-08-2009, 11:23 AM
Bad:
It is wasted time and money. Yes, we have protected ourselves. But, as everyone here knows, our compliance is a point-in-time. Visa has never found a company that was breached to be PCI-compliant at the time of the breach. That makes sense in a very odd fashion. But, it does nothing for us. We spent the money to become compliant to protect our customers, but also to protect our business entity from potential exposure. However, when we are breached, all of those protections we thought we had go right out the window when Visa, MC or other brand says, “You were not compliant at the time of the breach”. The money that we spent on insurance, bonds, etc. gets pissed away because they all state that we must be compliant.
So, how does this get fixed? It is multiple steps.
Do away with the PCI-DSS standard.
Put the burden of protecting cardholder data where it belongs and can be properly controlled, with the card companies. There are no entities better positioned to secure and protect cardholder data than Visa, MC, AMEX, Discover and the rest. We, as merchants, have been carrying the burden of patching the dysfunctional system that they have created. They can fix their systems. I can’t. When you have a problem, you need to identify the root cause. The root cause of breaches targeting payment card information is that it can be easily used by unauthorized individuals. Fix that and the problem goes away.
AMEN! I wonder how long it will take for merchants to band together to bring a class-action lawsuit against the card companies for creating a program which is practically impossible to enforce, excessively expensive AND fosters an environment where the brands can make money off merchants (please do not try to tell me they are not making money on this). IMO, it's not the responsibility of merchants to guard this data. That responsibility belongs with the brands . . . period!
Thank you for starting this thread. Most of the comments expressed here mirror how I have felt for quite awhile.
ADail
06-09-2009, 07:52 AM
Also speaking as a merchant, the thing we all need to remember is that PCI is a contractual obligation. If Visa fines you through your Acquirer and you stop processing their cards, they're never going to collect the fine because you will have no daily settlement to withhold from.
The thing is, PCI is really the least of your worries in the event of a breach. By the time you're done with the FTC and 15 state attorneys general who want to be governor, you'll wish PCI was all you had to deal with.
We get so focused on PCI that we sometimes forget about all of the compliance hammers you'll be hit with if you allow sensitive data in your care to be breached, and the law doesn't give a rat's butt about whether or not you were PCI compliant, or whether the card brands should have been protecting the data. If you breach, you report and you probably get sued and fined. Period.
I adhere to PCI because it is a contractual obligation, but regulation and risk are my primary concerns with regard to the data I am storing. PCI is really just a component of the risk.
jbhall56
06-09-2009, 06:47 PM
We need to remember that security is not a perfect science. If it were, banks and art museums would never be robbed, but they still are robbed.
There are people in this world that, for whatever reason, are willing to go through whatever they need to in order to get what we have. They do not care about what we put in their way, they are willing to work their 'magic' to get around our barriers and will spend whatever amount of time and energy to figure out ways around the barriers. All they typically are waiting for is the inevitable human error to occur that allows them access, and they are willing to wait.
PCIJeff
06-10-2009, 10:31 AM
AMEN! ..... it's not the responsibility of merchants to guard this data. That responsibility belongs with the brands . . . period!
How can you say that it is not the merchant's responsibility to secure payment card data after a purchase? The merchant chose to accept payment cards. The credit card companies did not force you to put that sticker in your window and start accepting cards.
As a consumer, when I make a credit card purchase my expectation is that you will not allow my data to be breached. Period! I don’t expect Visa, MasterCard or anyone else to protect it. I expect the guy that accepted my card to protect the data.
If you don't want to deal with PCI then stop accepting credit card payments. If you are going to continue to accept credit card payments then do what is right and secure the data. If you follow simple security best practices you will meet PCI requirements.
lyalc
06-10-2009, 05:44 PM
If you don't want to deal with PCI then stop accepting credit card payments. If you are going to continue to accept credit card payments then do what is right and secure the data. If you follow simple security best practices you will meet PCI requirements.
We, both as individuals and professionals, expect the same of
- doctors for protection of medical records,
- lawyers for protection of client records,
- banks for protection of customer records,
Why should merchants be exempt from a basic 'duty of care'?
lyalc
jonassono
06-11-2009, 07:29 AM
Seems we have kind of strayed off topic, yet this continued debate that rages on and on, I suggest, supports the notion that, in its present form, the PCI standard is not workable.
There are far too many inconsistencies, ambiguities and contradictions throughout the standard which leads to an inconsistent interpretation, application and treatment of the individual requirements across the millions of merchants and service providers.
IMHO, if the standard isn't replaced, it certainly needs major and immediate surgery.
pcaloca
06-11-2009, 12:05 PM
In addition to venting frustrations with the PCI Standard, you might consider providing constructive feedback and proposed solutions to the Council.
Have a look at https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf for more info. The time lines may not mesh with need for immediate change, but there is a well developed process available for feedback.
ADail
06-12-2009, 08:27 AM
If I had to make a constructive criticism of PCI it would be that it attempts to be all things to all people.
As a Level 1 merchant I NEED to be doing PCI, or something that looks very much like it. If I went out and designed controls around my cardholder data segments, the program would bear a striking resemblance to the PCI DSS.
However, if I am a Level 4 merchant running a convenience store I need something written at a much more practical level. I don't want to have to learn to be "An IT Guy", and I probably can't afford someone capable of giving me competent advice. The SAQs were a step in the right direction, but overall it's still a bit like the TV show Pros vs. Joes.
When I hear comments that PCI DSS should be abandoned, I generally think it's originating from this demographic. If you're processing more than 6 million cards per year and you're arguing not to secure your data, shoot me a note with your boss' contact information so she can have my resume in her desk when they start looking for post-breach replacements.
jbhall56
06-12-2009, 08:51 AM
Unfortunately, level 4 merchants live on such small margins that any changes to their operation create costs that cannot necessarily be incurred.
That said, I think over the next five years, we will see new solutions introduced that are affordable to the level 4 merchant that will take them totally out of the loop as far as PCI compliance is concerned because they will no longer process or store cardholder information in any form, only transmit it. Once that occurs, then it will only be the large e-Commerce and brick & mortar retailers that may have issues. We are already seeing the trickle of those solutions in the high-end market with tokenization and the like. It's only a matter of time before they are migrated down stream.
Technically, this can be accomplished today if a small merchant replaces their existing credit card terminal with one of the new ones that is PCI PED and PCI DSS compliant and only connects to dialup, cellular or the Internet. But that costs money that a lot of the small merchants do not want to spend.
partpricer
06-12-2009, 10:07 AM
...and you're arguing not to secure your data...
I would never argue about not securing my data. However, I do take issue in regard to taking extraordinary steps to comply with a requirement that really does nothing to make my environment more secure and offers me absolutely no protection when a breach occurs. Again, I'm just plugging holes in the sieve that was created by the card brands.
ADail
06-12-2009, 11:05 AM
I would never argue about not securing my data. However, I do take issue in regard to taking extraordinary steps to comply with a requirement that really does nothing to make my environment more secure and offers me absolutely no protection when a breach occurs. Again, I'm just plugging holes in the sieve that was created by the card brands.
I hear you, and I hated taking credit cards when I owned a business because of stuff like this.
The problem is, 90% of businesses would go back to doing absolutely nothing in terms of security if they weren't being forced to by the card brands.
It hasn't been that long ago that the strategy taught in business schools to deal with this stuff was, "Don't find out about a compliance issue. If you don't know, you don't have to address it. Once it's proven you know, you have to deal with it". That dog won't hunt in the world of credit card security because a breach triggers the beginning of a very expensive nightmare for the business owner.
You exchanged a good or service with a consumer and took a portion of their identity in exchange for it. It IS YOUR DATA, because you bartered for it and accepted it, and it has value (at least until the chargeback window has expired). You always had the option of cash or check or house credit (which probably opens you to GLBA).
For anyone who wants to get a feel for what it is like to be a small business owner in the middle of a PCI breach, see if you can get a viewing of the RSPA's DVD called Project PCI. It's old, but you can really empathize with the woman in the interview. It used to be available at www.gorspa.org.
Now, I'll give a caveat that has nothing to do with PCI, but if you sell tobacco or booze in a state that requires Age Verification software, I think it's fairly tacky of the government to force you to take the driver's license information and keep it, then bludgeon you to death when someone steals it. You don't really have a choice in this case, other than not selling something your competitors are.
partpricer
06-12-2009, 01:51 PM
For anyone who wants to get a feel for what it is like to be a small business owner in the middle of a PCI breach, see if you can get a viewing of the RSPA's DVD called Project PCI. It's old, but you can really empathize with the woman in the interview. It used to be available at www.gorspa.org.
Thank you for posting that. I had never seen that video before. I will probably use it as part of our employee education program. It is available on YouTube:
http://www.youtube.com/watch?v=7W-k3R2N7Zk