A long time ago, I signed up for credit card processing with the Royal Bank of Scotland. When RBS took over Natwest, I found myslf dealing with Natwest. Natwest, in some sense, morphed into Worldpay (I don't know how or why).
Each of these changes meant that I had to take some action. Of course it did. Why would THEY care about us hard-working small businesses?
Then along came the PCI DSS (payment card industry data security standard). that was several years ago. I took it seriously, did a bunch of programming, installed encrypted file systems, installed a camera to watch the servers, and so on and so on. I filled in a form with hundreds of questions, and my servers are tested each month. And about one month in six, some new vulnerability is announced that means that I have to reinstall various things on my servers. It's a pain, but I can see the need for security!
Compliance is pretty much compulsory. There are big fines if you're non-compliant, and you can be barred from accepting credit cards. So it's all good, right?
Except that in 2015, several years after the scheme was launched 80% of businesses are non-compliant.
So today's rant comes to you courtesy of Worldpay. They just sent me a letter. My compliance, which was formerly checked by Trustwave, will now be done by SaferPayments.
What does this mean for me? Well, I don't know. The Trustwave user interface was horrible (it was all done via Flash), and we all know the security problems with Flash, so I don't know why they did it that way, except that Flash makes the user experience worse, so maybe that's what they wanted? But after using it for some years, I'm used to it, and know how to use it, and I'm able to maintain my PCI DSS compliance.
So now it's all going to be changed.
I've ranted about this before. The banks keep changing my interface to the card system, for no good reason. There are changes in the card system that are really needed (I'll list a few below), but no-one in any of the acquirers has ever asked my opinion. Despite that, I'm giving it; I've told them before and I'll tell them now. Stop changing things for no good reason!
So what does need to be changed? Here's a few suggestions.
1. When they send me a new card, the card number is the same. But the card number is like a password to my money! Some banking systems require me to change my password every couple of months, but my credit card number has stayed the same for many, many years.
So here's my suggestion - when you send out a new card, chenge the number!
2. When a card is cancelled, banks continue to accept billings on it for a while. That's just insane.
3. When you give your card number, you're also asked to give the expiry date. Some banks require that this be correct, but some banks don't. That's crazy. They should check that the date is correct, otherwise, why ask for it?
4. When my bank phones me, they want to put me through a security check before they'll talk to me. But I don't actually know who phoned me, all I know is that someone phoned me claiming to be my bank. So I don't want to reveal security details to an unknown, and they've forgotten to set up a system so that I can know that it really is my bank (forexample, they might mention a password that I've assigned to them). So what I have to do, is phone them back (and, for obvious reasons, I can't use the number that the caller would give me, I have to use a number that I know really is my bank) and then ask for the person who called me, and in a big organisation like a bank, they usually don't have any sort of "phone book" that would let them put me though. So banks - please fix that problem.