It's actually pretty easy for a shop with its own servers and network team (in-house or outsourced) to come up with a network diagram that satisfies the PCI DSS 3.0 SAQ requirements. I think you are dramatically underestimating how many very small businesses, private individuals, bootstrapped start-ups, etc. would be caught by this. For one perspective, consider that in the current EU VAT mess, some estimates have suggested that over 250,000 microbusinesses are selling on-line in the UK alone right now (or at least were until the end of last year). Many of them are side businesses, either earning a little bit of extra money by selling anything from music to knitting patterns, or second businesses run by folks who already have full-time jobs. Of course some of them are entirely built on marketplace sites, but plenty aren't; they just know enough web design to set up a basic site and slap something like a PayPal or Stripe Checkout button on the page. To a first approximation, none of those businesses is going to comply with the new rules, despite operating their own site and taking money on-line via credit card. They wouldn't even know what the long words meant. Even the outliers who do, either because they're in an IT field or maybe because they're a bit larger and have slightly more resources, probably don't have the time and money available to comply. These are ma-and-pa shops, family businesses, side businesses run in people's spare time, start-ups trying to gain traction, and so on. They don't have their own networking team. They don't even have a dedicated IT guy. And they surely can't afford to double the number of servers they use just to avoid the redirect issue, to pay specialist consultants to figure out all the details of their almost certainly outsourced IT infrastructure (whether or not the infrastructure provider makes the necessary data available in some form), and to spend hours if not days figuring out how to self-certify under the new PCI DSS rules.
Avoiding that kind of nonsense is, after all, why these organisations use services like PayPal or Stripe or the hosted pages from their bank in the first place.
> I think you are dramatically underestimating how many very small businesses, private individuals, bootstrapped start-ups, etc. would be caught by this.
This is not new; it has been part of SAQ A for quite some time.