Running a small business can be challenging, and the burden of regulation is at times staggering. Despite the government’s promises to reduce red tape I've just found out about the Payment Card Industry DataSecurity Standard.
PCI DSS is all about ensuring that companies properly secure card data, which is absolutely fine with me. You sign up with one of several companies that will, on behalf of your card services company, audit your security on an on-going basis and in theory prevent hackers from stealing your customers card details – in return for a monthly fee of course.
We are a little old fashioned in the way we deal with credit card details in that we don’t store them either in our database or on paper. I promise you that I’m no luddite; I choose not to store this information not out of any fear of being hacked, but out of fear of having to wade through unbelievable amounts of red tape. So we use an old fashioned credit card terminal, and we have rules that dictate that card data is either entered via the Chip-and-PIN terminal, or over the phone directly into the keypad (with nothing being written down).
Surprisingly I first found out about PCI DSS not from HSBC Merchant Services company who provide my card taking facility, but from some poorly addressed emails from an unknown company that I was about to consign to junk because they were addressed to the generic emails we use on our website. Once I’d realised these were in fact genuine, and got over the complete failure of my Merchant Services team to get this important message to me, it was then time to be amazed at a brazen attempt to take money from us in return for nothing.
Can you believe that despite our decision to avoid electronically storing credit card data I was still told I’d have to pay £84.00 annually to this third part for the privilege of being audited – audited for what I ask you? This seems to me like nothing short of a racket. Even worse is that nobody else seems to be aware of these new requirements despite the fact that next month thousands of small businesses will get their first taste of the regulations when, according to Security Metrics, HSBC merchant services begin charging them an additional £50 a month for non-compliance.
Security Metrics, who act for HSBC Merchant Services discussed the options with me, and I discovered that by taking the step of unplugging my EPOS terminal from the network and back into the old analogue line I could halve their fees, but that still means I’m paying for a system that is completely divorced from my own IT infrastructure, secure or not.
Smelling a rat I did some research and spoke to Alan Green of nettitude.com who told me that if I opted to use an analogue phone line then I could exempt myself simply by filling in a Self Assessment Questionnaire and sending this to my Merchant Services company every year.
So there you have it: A poorly communicated initiative* that is going to unfairly penalise thousands of small businesses across the UK, while at the same time mis-selling them services that they don’t require. I think it's time the shit hit the fan.
*I really can't say for sure whether HSBMS sent me information on this subject - I can't see how I could have missed it, but then again it's possible I may have taken it for some marketing rubbish. What I can be sure of is that I didn't receive a letter of appropriate gravity to get my attention, nor have HSBCMS followed up the matter which in my book still amounts to a failure in communication given the importance of the subject.