Why Some Merchants Should Not Worry About PCI
When I had my hair cut today, I got to thinking about what level of responsibility this small business should have to protect my credit card data. This is not some big chain. It’s one lady with a couple of employees to help out. She knows as much about computers as my Mom, which, no offense to Mom, is not a whole lot. It’s not that she (or Mom) isn’t smart, it’s just that they are ordinary non-computer folks. They have skill sets in different areas, and that does not make them any better or worse than a tech-savvy person.
Although she probably doesn’t even realize it, Lisa (the hair lady) is supposed to comply with PCI. She doesn’t even get a break for just having a card terminal. She has to comply with the entire standard. Some sections will not apply, such as if she does not store the card data, but she doesn’t get a “just the hair lady” break.
I think she should.
Don’t get me wrong, I actually think PCI is one of the best standards out there. Since it is so prescriptive, it doesn’t leave a whole lot of wiggle room for larger companies to justify their way out of it. It absolutely can lead to better security. I have witnessed it. But it is not a one-size-fits-all standard.
It’s unreasonable for merchants like Lisa to be expected to act like companies with security departments and dedicated budgets for lots of fancy controls. So while this may not be the expected position of a security professional, I can’t ignore that little voice in my head that says she should just do what she does well–that is cut hair–and not worry too much about credit card security. PCI is not a law, and the chance of her suffering extensive damage from a credit card breach is small. A few reasonable precautions are all she should have to worry about. Anything else is a design failure of the credit card system and should be addressed there.
Update: Be sure to read the follow-up post where I stand corrected.
But your hairdresser will be given help to achieve compliance, with letters such as the following:-
———————————–
URGENT: You are not PCI DSS compliant and are at risk of heavy fines and penalties
Dear Sir/Madam,
According to our records your PCI DSS compliance has expired and we have still not heard from you.
It is important that you become PCI DSS compliant as a matter of urgency as you are currently at risk of significant Card Scheme fines and financial penalties in the event of a data compromise, as well as additional PCI DSS non-compliance charges which may be avoided if you are compliant.
What you need to do
You need to contact our business partner (lines open 9am-midnight Mon-Fri) urgently to re-attest your PCI DSS compliance, or to let them know the progress you are making towards compliance.
For further general information and advice regarding the Payment Card Industry Data Security Standard please visit our website at
Yours sincerely,
Head of Payment Security
———————————–
That was sent to a company with a single PDQ terminal.
I’m sure this must be a common enough case that there really ought to be a cut-down version of the documentation and certification without the need to pay consultancy fees. (Should this be called a protection racket?)
*Name omitted by admin to avoid sending business their way
That does indeed seem to be a conflict of interest or at least a situation that raises eyebrows. Sorry to have edited your comment, but I really want to avoid talking about individual businesses for this post and focus on the problem of attaining PCI compliance for very small businesses. Your comments are very poignant and I am glad that you took the time to speak out.
Michael, just curious — the name you cut out of the first comment, was it a card ISSUER or a Security company that sent the letter? Just trying to determine if it was vendor FUD or an Issuer directing business to (perhaps) their affiliate.
@Paul: I wasn’t entirely sure what the relationship was, which is why I chose to leave it out. It could have been the equivalent of domain name spam for PCI merchants.
I didn’t believe it was the equivalent of domain spam, but I appreciate why you cut out the names.
The original email appeared to come from a UK card issuer. They appear to have a contract with the business partner, who has a UK address but the company website contact details are in the US. That business partner has been tasked with collecting PCI validation documentation (free to retailer) that is self-certified or comes from another PCI validation vendor. But they also offer fee-based services to assist the retailer in gaining certification.
I say “appeared to come” as the email headers actually showed it was sent by the mail server of the business partner, but “From”, “Sender” and “Reply-To” were all set to the card issuer’s email.
Now I’ve actually examined the email headers, I begin to wonder if it was the domain spam equivalent. However, as the return address went to a domain registered by the card issuer, I think returned mails would have triggered an alert to the issuer if it wasn’t genuine. I wish I’d queried it at the time. I will if I see it again.
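The header inconsistency described in the comment above (delivering relay belongs to one party while From, Sender and Reply-To all name another) is the kind of thing a receiving side can check mechanically. The following is an added example, not code from the post or its commenters; the message and all domain names in it are constructed placeholders, and the comparison is a heuristic, not a substitute for SPF/DKIM/DMARC evaluation.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not the original letter; all domains are placeholders):
# the last relay is the partner's server, but From/Sender/Reply-To name the issuer.
SAMPLE = """Received: from mx1.partner-example.net (mx1.partner-example.net [192.0.2.10])
    by inbound.retailer-example.co.uk with ESMTP id abc123;
    Mon, 1 Jan 2024 09:00:00 +0000
From: Payment Security <security@issuer-example.co.uk>
Sender: security@issuer-example.co.uk
Reply-To: security@issuer-example.co.uk
To: shop@retailer-example.co.uk
Subject: URGENT: You are not PCI DSS compliant

Dear Sir/Madam, ...
"""

AUTHOR_HEADERS = ("From", "Sender", "Reply-To")

def author_domains(msg):
    """{header: domain} for the headers a reader takes as 'who sent this'."""
    out = {}
    for name in AUTHOR_HEADERS:
        _, addr = parseaddr(msg.get(name, ""))
        if "@" in addr:
            out[name] = addr.rsplit("@", 1)[1].lower()
    return out

def last_relay(msg):
    """Host named in the topmost Received header: the server that handed us the mail."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else None

def check_sender_consistency(raw):
    """Report author headers whose domain the delivering relay does not belong to.
    Heuristic only: SPF/DKIM/DMARC results are the authoritative check."""
    msg = message_from_string(raw, policy=policy.default)
    relay = last_relay(msg)
    domains = author_domains(msg)
    mismatched = sorted(
        name for name, dom in domains.items()
        if relay and relay != dom and not relay.endswith("." + dom)
    )
    return {"relay": relay, "author_domains": domains, "mismatched": mismatched}

if __name__ == "__main__":
    print(check_sender_consistency(SAMPLE))
```

Only the topmost Received header is trusted here because it was written by the recipient's own server; lower ones can be forged by the sender.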