I documented my experience helping some small businesses respond to their PCI DSS self-assessment questionnaires. There's no way they could be expected to understand what was being asked. medium.com/@jtrentadams/pci-…
Perhaps the thought is if they don’t understand the questions, then how can they be trusted to protect credit card data? Maybe it’s a way to ensure they reach out to someone that has that expertise, or to push them to services that handle the PCI details for them.
Based on my (small) sample size, my conclusion is there’s no way PCI DSS is anything more than security theater and liability adjustment when dealing with SMBs.
Replying to @jtrentadams
True. If the card brands were interested in stopping card fraud, they’d require merchant-anchored or one-time tokens for online payments. Leaked/stolen tokens have no value.

Aug 24, 2018 · 5:02 PM UTC