Funny. I have a friend in the 'business'; he does a very substantial amount of volume every year. I've helped a bit coding the now mandatory 'VBV' component for their system. The spec was about 400 pages; it took weeks to read it and digest it to find out that it was relatively simple to implement. This work gave me some insight into what goes on behind the scenes to get those deceptively simple rules from that page that you link put into practice. On paper, it's very easy to be PCI compliant. The problem is that in practice it really isn't all that easy. The auditing firms that will verify that you are indeed PCI compliant (you did request an audit?) are not going to sign off on this on a lark; they want really hard proof. The nasty one is requirement '9': anything short of a cage at a provider with biometric access protection and a whole host of other measures simply isn't going to do. That alone will outweigh the costs for most small-time merchants of doing this by themselves. Requirements '6', '7', '10', '11' and '12' are beyond the capabilities of most small businesses to implement anyway. A guy like cperciva (and you, by your moniker) could probably do it in their sleep, but I think you're the exception, not the rule. It's fairly easy to miss a trick or two, the consequences would be pretty grave, and the cost of outsourcing it is actually not that bad, so that's the way most people will choose to go.
I'm not saying that there aren't a lot of consultants out there making a crapload of money. Hmmmmm.