Running a small business can be challenging, and the burden
of regulation is at times staggering. Despite the government’s promises to
reduce red tape I've just found out about the Payment Card Industry DataSecurity Standard.
PCI DSS is all about ensuring that companies properly secure
card data, which is absolutely fine with me. You sign up with one of several
companies that will, on behalf of your card services company, audit your
security on an on-going basis and in theory prevent hackers from stealing your customers
card details – in return for a monthly fee of course.
We are a little old fashioned in the way we deal with credit
card details in that we don’t store them either in our database or on paper. I
promise you that I’m no luddite; I choose not to store this information not out
of any fear of being hacked, but out of fear of having to wade through unbelievable
amounts of red tape. So we use an old fashioned credit card terminal, and we
have rules that dictate that card data is either entered via the Chip-and-PIN terminal,
or over the phone directly into the keypad (with nothing being written down).
Surprisingly I first found out about PCI DSS not from HSBC Merchant
Services company who provide my card taking facility, but from some poorly addressed
emails from an unknown company that I was about to consign to junk because they
were addressed to the generic emails we use on our website. Once I’d realised
these were in fact genuine, and got over
the complete failure of my Merchant Services team to get this important message to
me, it was then time to be amazed at a brazen attempt to take money from us in
return for nothing.
Can you believe that despite our decision to avoid
electronically storing credit card data I
was still told I’d have to pay £84.00 annually to this third part for
the privilege of being audited – audited for what I ask you? This seems to me
like nothing short of a racket. Even worse is that nobody else seems to be
aware of these new requirements despite the fact that next month thousands of
small businesses will get their first taste of the regulations when, according
to Security Metrics, HSBC merchant
services begin charging them an additional £50 a month for non-compliance.
Security Metrics, who act for HSBC Merchant Services discussed
the options with me, and I discovered that by taking the step of unplugging my
EPOS terminal from the network and back into the old analogue line I could
halve their fees, but that still means I’m paying for a system that is completely
divorced from my own IT infrastructure, secure or not.
Smelling a rat I did some research and spoke to Alan Green
of nettitude.com who told me that if I opted to use an analogue phone line then I
could exempt myself simply by filling in a Self Assessment Questionnaire and sending this to my Merchant Services company
every year.
So there you have it: A poorly communicated initiative* that
is going to unfairly penalise thousands of small businesses across the UK, while
at the same time mis-selling them services that they don’t require. I think it's time the shit hit the fan.
*I really can't say for sure whether HSBMS sent me information on this subject - I can't see how I could have missed it, but then again it's possible I may have taken it for some marketing rubbish. What I can be sure of is that I didn't receive a letter of appropriate gravity to get my attention, nor have HSBCMS followed up the matter which in my book still amounts to a failure in communication given the importance of the subject.
