J. Trent Adams · Aug 23, 2018 · 7:38 PM UTC

J. Trent Adams

J. Trent Adams @jtrentadams

23 Aug 2018

I documented my experience helping some small businesses respond to their PCI DSS self-assessment questionnaires. There's no way they could be expected to understand what was being asked. medium.com/@jtrentadams/pci-…

PCI DSS in the Real World

My experience trying to help small business owners respond to their Payment Card Industry (PCI) Data Security Standard (DSS)…

jtrentadams.medium.com

Bil Corry · Aug 24, 2018 · 4:49 PM UTC

Bil Corry · Aug 24, 2018 · 4:49 PM UTC

Bil Corry @bilcorry

24 Aug 2018

Replying to @jtrentadams

Perhaps the thought is if they don’t understand the questions, then how can they be trusted to protect credit card data? Maybe it’s a way to ensure they reach out to someone that has that expertise, or to push them to services that handle the PCI details for them.

Aug 24, 2018 · 4:49 PM UTC

J. Trent Adams · Aug 24, 2018 · 4:55 PM UTC

J. Trent Adams @jtrentadams

24 Aug 2018

Replying to @bilcorry

Based on my (small) sample size, my conclusion is there’s no way PCI DSS is anything more than security theater and liability adjustment when dealing with SMBs.

Bil Corry · Aug 24, 2018 · 5:02 PM UTC

Bil Corry @bilcorry

24 Aug 2018

True. If the card brands were interested in stopping card fraud, they’d require merchant-anchored or one-time tokens for online payments. Leaked/stolen tokens have no value.