PCI-DSS rules apply to anywhere and to anything that transmits, stores or processes card data. PCI-DSS applies equally to the terminals at retailers where cards are swiped, inserted or tapped, and systems at banks and retailers used to process transactions.
PCI-DSS also covers paper records such as the printouts from card machines. A lot of people don't realize that there are two different formats of printout for each card transaction from a regular card machine. The copy given to the customer doesn't contain the full card number but the merchant copy has the full account number as well as the expiry date. That's all that's needed to commit card fraud. It's easy for a waiter in a restaurant, for example, to harvest credit card numbers and expiry dates. They could also harvest CVV numbers quite easily.
Card payment terminals supplied to small businesses are increasingly using an internet connection rather than dialup modems and this means that PCI-DSS covers the retailer's internal network as well as the card terminals. Does the retailer have wifi enabled? Is this segregated from the network used to transmit card data? Are all other systems segregated from the network used by card terminals? If they're not, the system isn't compliant.
Achieving PCI-DSS compliance for a small business that uses IP connected terminals can be prohibitively expensive. It's certainly quite a few hours of work for someone who has a reasonable level of technical expertise and there are other costs too. Small businesses often staple the merchant copy of the card slip to their till copy for their records. They need to keep the card slip until the card company chargeback period has passed - which can be six months. At the end of this period they are required to destroy the card data. Do they? Are all these slips stored safely under lock and key?
I think that the banks are aware how difficult it is for small businesses to achieve proper PCI-DSS compliance and see it as a money-making opportunity. Businesses which don't achieve PCI-DSS compliance are charged a monthly 'non-compliance fee' or a less favourable card processing fee. It's just another way for the banks to grab more money. As you can see from my previous post, banks' own systems aren't compliant with the latest PCI-DSS requirements.
Edited by caffn8me (Wed 08-Feb-17 14:10:42)