[icebraining]

The system is not flawed, merchants are flawed.

A system that forces you to trust (without being able to verify) every single merchant you do business with is flawed.

Same with hosted wallets and exchanges.

Not the same. For one, you only need to trust one exchange to use Bitcoin with N merchants, so the attack surface is much lower. Secondly, you only need to trust them for enough time to move the Bitcoins out - a few hours, whereas with CCs, the merchant can save the info forever, for all you know.

Not to mention that, if Bitcoin becomes successful, and I doubt it will, people will receive Bitcoins from other sources (e.g. some people are already paid in BTC).

There's no PCI Compliance equivalents for them, so, you can expect much worse. And how can you trust them? They don't get audited and are not certified. How can you know for sure that they are not gonna manipulate the market or run away with your funds?

You should read on that PCI compliance. Most merchants do not get audited, they can audit themselves[1]. Many, if not most, are not compliant[2]. Tens of millions of CCs have been leaked since just 2006.

Besides, nothing in Bitcoin prevents the creation of independent certification authorities. Unlike with the CC system, it's not a built-in flaw, it's just a temporary situation.

Most of those don't even have a physical address (Bitstamp and BTC-e), no phone number, and info is very limited in general.

Just like with many CC merchants.

My point is that everything comes at a price. Bitcoin is cheap as it lacks all that, which is not necessarily a good thing!

And my point is that what Bitcoin lacks can be added, without increasing the costs of every single transaction by allowing massive amounts of fraud, like the CC system does.

[1] http://www.cbsnews.com/news/pay-with-plastic-risk-your-perso...

[2] http://www.theregister.co.uk/2008/06/24/pci_dss_compliance/

[kolev]

I've lead PCI Compliance and I know how it works, but large companies really try to do it right and implement the best practices and it costs them a lot. For example, you can't hire developers and assume they know OWASP guidelines - they need to pass formal training, get a certificate, etc. The SDLC also needs to accommodate for PCI Compliance, and so on. The self assessment questionnaire is for guidance. At the end of the day, you get audited, and you may have or not have to prove everything you declare you have in place. You also need to do periodic scans from a third party. And, yes, this can be implement with Bitcoin, but it will affect the cost of the service, so, my point is that the costs of credit card processing have a very good justification and are pretty low for that you get!

[icebraining]

yes, this can be implement with Bitcoin

No, with Bitcoin, you don't need PCI compliance, because there's no way fir the merchant or someone who hacks it to steal your wallet from the information they get. You only need to audit the exchanges / only wallets (the current equivalent of banks, which get audits anyway).

And by the way, the proof that those costs are not inevitable, is the fact that some countries like mine (Portugal) are already using sane push-based payment systems for decades now. and they are cheaper and easier for merchants than CCs. The advantage of Bitcoin is that it works internationally.