Skiing holiday costs to increase again?

Poster: A snowHead
Evidently anyone who takes payment by credit and debit cards in the UK is likely to suffer additional charges by their card services processor to comply with something known as the Payment Card Industry Data Security Standard (PCI DSS).

I'm pretty sure any increased costs will be passed on to the customer, so will ski holiday costs increase in the near future?

Wikipedia includes the following comments regarding the implementation of the PCI DSS in the U.S.:

PCI-DSS has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.

According to Stephen and Theodora “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah (which was fined for a breach that two forensics firms could not find evidence even occurred), "the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines “are profitable to them,”".

Additionally, Michael Jones, CIO of Michaels' Stores, testifying before a U.S. Congress subcommittee regarding the PCI DSS, says "(...the PCI DSS requirements...) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve “Requirements” for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation."
Obviously A snowHead isn't a real person
Mr Marmot, this is nothing new; PCI DSS has been happening in the UK for the past 3 years. The charge for it to the merchant is around £50.00.
Well, the person's real but it's just a made up name, see?
We're not in the holiday business but we've only had to comply with this PCI DSS stuff this year; we're charged £29 + VAT. But we don't like it; it's a meaningless exercise where we tick some boxes online saying that we understand the rules and comply.
It's just another financial services scam.
Bring back the "bank manager" rather than "the computer says no!"

We are not big merchants, but feel it's a service we should offer our customers.

We're looking into another system.

But I can't see it adding to the cost of ski holidays though; it certainly should not. Perhaps the margins are so thin that these little extras, such as booking & inflated card surcharges, are the only answer.
You need to Login to know who's really who.
A ridiculously overblown thread title to (maybe) grab some attention; fair enough.

I agree with what DrLawn and Boredsurfing have said. This is yet another scam by the banks to rake in money. It does NOT mean that your systems are any more secure, whatever the banks and card issuers say.

We used HSBC for our card machine and they (not surprisingly) have a company that you have to use to check your PCI compliance. Oh, did I mention that this company charges more than most other Co’s doing the same? Mhhhhhh, but when you call them up (HSBC) to tell them that they are not allowed to specify which compliance accrediting company we should use, they put you through to their card compliance section – which just so happens to have the same phone number as the (apparently) independent company.

It cost us £42 per year.

This REALLY bugs me as it is so obviously another bank scam. But unless we do it, HSBC will charge us £50 per month in “administrative fees”.

I don’t think anyone will add this to the cost of a holiday as I can’t see how you could justify such a small cost per person, so maybe the thread title should be changed to something like:

“all banks and card issuers find a new way to scam funds, which even they couldn’t justify on any environmental grounds (but I bet they gave it a try though) so they are using the feeble excuse of card security for this one.”

The new title may need trimming/editing somewhat
Anyway, snowHeads is much more fun if you do.
In the eurozone costs should be a little less for those paid in sterling, for this coming winter.
You'll need to Register first of course.
Obviously I may have misunderstood what I have read.

However, I read it that the systems that would need to be put in place for full compliance with PCI DSS could cost up to approx. £12,000, with a possible further up to £600 per year for software updates etc. I understood that these costs relate to what would be required for a single retailer to fully meet all the requirements of the scheme. I appreciate that there is also an annual assessment fee to pay, which is probably the £29 - £42 mentioned above, but my understanding is that this doesn't actually assess that you have all the £12,000 worth of systems in place to avoid the various 'fines and punishments' that could be levied if the card company decide that suitable systems are not in place!

I like the thread title. It gets people's attention.
Then you can post your own questions or snow reports...
Mr Marmot wrote:
Obviously I may have misunderstood what I have read.

However, I read it that the systems that would need to be put in place for full compliance with PCI DSS could cost up to approx. £12,000, with a possible further up to £600 per year for software updates etc. I understood that these costs relate to what would be required for a single retailer to fully meet all the requirements of the scheme. I appreciate that there is also an annual assessment fee to pay, which is probably the £29 - £42 mentioned above, but my understanding is that this doesn't actually assess that you have all the £12,000 worth of systems in place to avoid the various 'fines and punishments' that could be levied if the card company decide that suitable systems are not in place!

I like the thread title. It gets people's attention.


If you are your own payment processor, personally handling and storing credit-card data, then you're not too far off the mark. However, the majority of retailers and businesses won't be doing that and will be using a third party such as Worldpay, Sagepay or Netbanx to do the payment processing and card data handling, in which case you are protected by their PCI status.

PCI DSS doesn't 'require' any hardware per se. It requires you to evaluate a specific set of risks and show how you intend to prevent them.

The complete documentation is here:
https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

If someone's telling you that you need specific hardware or software to meet PCI standards, they are not being entirely truthful. Certainly there are certain hardware appliances and software solutions out there that are recognised by PCI and make life easier when being audited and to ensure compliance, but that's not to say it can't be met without them.

I've worked in the payment card processing industry for a number of years in the past, and now do database support for one of the main UK players in online card processing, so I'm reasonably up-to-date with PCI requirements.