PCI DSS regulations are not suitable for small businesses, as claims are made that enforcement could cause a business to go under

News by Dan Raywood

A claim has been made by a small business owner that if the Payment Card Industry Data Security Standard (PCI DSS) regulations were enforced it would 'cripple' them.

Writing on the philosecurity blog, author Sherri Davidoff interviewed ‘Mike’, the owner of a mid-sized web-hosting company, and he talked about the effects of PCI DSS on web hosting companies and small online merchants who are his customers. When she asked what the impact of PCI DSS was on small businesses, he claimed that ‘if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady’.

He said: “It's a matter of how aggressive the credit card processors and the PCI Security Standards Council (SSC) themselves decide to get on their customers. Sure, my payment processing company could decide to demand from me an attestation of compliance. They could hold this over my head and say ‘we will revoke your credit-card processing privileges if you do not submit your attestation of compliance’.

“Imagine us asking thousands and thousands of customers who have previously been on auto-pay to ‘please, hand-write me a cheque from now on’, and customers in 40-something countries. Good luck.”

When asked if regulations would put him out of business, he commented that ‘it might not kill us, but it would cripple us’.

He said: “But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they're torn in two directions.”

He also claimed that the PCI SSC would not have been able to take appropriate input from merchants, as 95 per cent of merchants would not have been capable of providing substantive technical feedback to the committee.

When asked why, he said: “Because 95 per cent of merchants are not technical operations. They are businesses that are selling coffee on the corner, or they are selling widgets, and their cardholder data environment doesn't consist of much but a plastic box with a phone line connected to it.”

He further commented that small businesses, and the small- to medium-sized web hosting companies that these small merchants rely on, face a 100-point checklist of requirements that are not terribly understandable, are broadly interpretable and are in many ways onerous to the point of absurdity for a small operation.

The interview concluded with Mike saying that if PCI DSS were enforced vigorously it could cause small businesses to go under.

He said: “I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let's have some standards.”

