Computer Crime Newsreel


Tuesday, 25 March 2008

A Lawyer's analysis of PCI

PCI-DSS, the Payment Card Industry Data Security Standard, has attracted some interesting views. The latest one is here. The writer describes it as operating "like a court". I don't quite agree: it operates under contract law, and I've been involved in at least one case where the issuing brand failed to include a recovery clause in the contract allowing it to seek reparation from the retailer in breach.

However, the interesting thing is that it's not just a good idea to be compliant with PCI if you are "storing, processing or transmitting" credit card numbers. If you want to take payment with credit cards, then your bank (urged by VISA and MasterCard) will require you to sign up for PCI, with contractual caveats that any PCI breaches, and the costs thereof, are borne by... erm, you.

In other news, my friend Branden has a spiffy blog online. Go check it out. The link is to his "All QSA's are not created equal" post, which, given the legal analysis above, is worth considering. Not only do you get what you pay for, but selecting a high-quality QSA over a bucket shop could save a hell of a lot of money in PCI reparation costs.

Jonathan Care
Information Security Architect. Computer Crime & Fraud Specialist. Sometime writer, dancer, musician, & chef.