[bardworx]

> I've been watching experienced lawyers, general counsels, etc from various companies, vendors, etc literally yell at each other about some of the finer points of the laws. It's quite fuzzy on a lot of things, and get REALLY complicated in some cases, especially when dealing with 3rd party vendors, or when you are yourself the third party vendor. Certain patterns, technologies and software are very hard to retrofit properly. Some concepts like the business justification stuff gets really fuzzy when handling things like free accounts.

I totally agree with you. But like you said, "It sucks, but hey...". That's totally the approach.

Yeah, it sucks, and what's new? There is always something that sucks. Within the next two months, there is: TLS1.2, new PCI guidelines, and GDPR that go live.

GDPR has more nuance then most other situations but just like PCI, you just deal with it.

What I imagine is this situation is like a bunch of stores stop taking credit cards because the new PCI guidelines require TLS1.2, anonymized customer data, and all customer data stored at rest to be encrypted or hashed.

Would folks have same reaction if their neighborhood deli said "fuck it!" I ain't protecting the CC data cause its tough and requires too much work?

[closeparen]

The cost of PCI compliance is baked into the transaction fee, and yes, businesses are sometimes cash only; particularly if the business is small and its products are affordable, customers understand and appreciate the owner's unwillingness to pay those fees.

[manigandham]

PCI is well defined. It's a lot of process, but nobody is confused on what the process is.

[ncallaway]

How true was that on week 1 that PCI went live?

[shados]

There was still a pretty easy line between "I take credit cards" and "I don't take credit cards". The rules for PCI drastically vary between company size too, in that compliance for small companies is pretty easy, and your responsibilities increase as you go. To this day, there are companies that don't take credit cards too (though usually its not to avoid PCI, heh).

But yes, once there's an industry of GDPR auditors, precedents in lawsuits, and the threshold for "Do not market explicitly to europeans" is obvious and well understood, this will be much easier.

And still, until the end of time, there will be companies that aren't GDPR compliant and don't work with EU customers. Maybe with the goal of doing so once they have more time and resources.

[manigandham]

100%.

It's basically a checklist, and you're either compliant or you're not. It includes various levels with actual numbers and explicit requirements, there's very little interpretation needed.

If anything, it should've served as the model for GDPR.