Reply to post:

Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard

Security nerd #21

Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc) - not try and do it yourself. Some pretty clever stuff being done these days, with field level iframes etc, to make it entirely transparent to the user.

The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai ? ...)

Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon