Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Lee D Silver badge

Re: A fairly basic question...

I work for private schools.

They all want to take credit cards etc. on their website, tied in with the school MIS, so that parents can pay for trips, fees, activities, uniforms, etc.

Despite working for many schools over the years, it's never ONCE resulted in anything actually in-house, because it's just such a bad idea. PCI DSS is no simple matter, especially when you want to tie into their school records (i.e. they were here X days a year, so we charge them for X activities / etc.).

Most state schools use a handful of outside providers for their equivalent (which is usually just cashless catering) and let that provider take their percentage to handle all the security.

But all the private schools I've worked in don't risk that, even if they run their own in-house MIS (which makes GDPR so much easier!). They use card machines (and ask people to visit with their card or at best take the details over the phone and type into the card machine as CNP transactions), Direct Debits, etc. or they use something like WorldPay or similar, but they don't store / process card information themselves.

I see PCI DSS as a "good thing". The fact that it discourages people from running their own databases like this is exactly what you want. Unless you have the confidence and evidence that you are able to store this data in the correct manner (and Dixons don't seem to have done a bad job - no CVV, no link to personal data/address, etc. just means a big list of mostly-useless numbers), then you shouldn't be doing so.

And, yes, we do get targeted. We literally get targeted, faked, convincing emails pretending to be the bursar (down to first-name familiarity and copying their style) to the finance department asking to pay something urgently, or we get fake "new bank details" for existing companies and, when we phone up to confirm, are told that they haven't changed their bank details, and phone calls from the scammers to follow up on them. I have reported several to various cybercrime reporting sites linked to the police.

But just having a good process is good enough to stop those kinds of things ("New bank details"? Okay, I'm going to ring your head office details that I have on your previous invoices on another line to confirm that).

However, I can't imagine the carnage if such a place were to store credit card details protected only by the diligence of basic finance staff in an over-worked office. And then consider that actually the more valuable information is probably in the school MIS anyway. Almost every private school I've worked at holds the details of at least one celebrity, including children's names, real address (not just agent), where they summer, what their mobile phones are, ***who is allowed to pick them up and when***, and potentially lots of personal data (e.g. divorced couples' spats with the school, etc.). Before you even get into credit card numbers.

And it's not just celebrities. If you've ever worked for a private school, you'd be aware of who the army brats are, and I can damn well guarantee you one of them has an "anonymised" profile for a reason. But the real information will still be in the database somewhere.
