PCI DSS Compliance

disciple3d

I think that a lot of what the banks are saying is nonsense. Having read through the documentation, as a level 4 trader (I take internet only payments, all processed by external companies, so don't deal with credit cards myself) it seems I have to fill out a self-assessment questionnaire. By virtue of being a SELF assessment, I think I am fair to judge that I don't need to pay bank of scotland £35 or so to do it for me. So I have downloaded said form, from the pcisecuritystandards website (sorry, won't let me post the link).

I left the section at the top empty, since I am doing it myself. That's why it's called a SELF assessment. I guess Bank of Scotland would rather I didn't know that.

There are two issues here - what the credit card issuers, i.e VISA, Mastercard want (people to not leave credit card numbers unsecured), and what the endless security compliance companies set up to make a quick buck want. I would prefer to assess it myself.

Essentially, as a small trader, a lot of people will be able to do a self-assessment, at little to no cost. They are scamming small businesses good and proper with this - basically trying to scare people into using their 'security management system'. Does using their system make you any more secure? No.

What makes you more secure is by taking sensible and common sense approaches to storing card data. Don't store it if you don't need to, don't keep paper copies unless they are secure, and encrypt all card data stored or transmitted on computers. That's essentially what they are trying to do. Most of the questions on computer security are straight forward stuff to someone who knows computers like myself, but I think a lot of the technical jargon is meant precisely to scare people into paying whatever security company lots of money to sort it out for them.
:mad: