People following this blog have been reading about the various hurdles I've had to jump in order to become, and remain, PCI DSS compliant.
I used to have to fill in a huge form each year, with a couple of hundred questions. And then, every three months, they would test my server to check that it was secure to their exacting standards. And if it failed (which happened whenever a new threat emerged, like "Poodle" or "Heartbleed"), I'd have to work out why, and make changes to the version of Apache, or the version of OpenSSL, or to the configuration, or whatever.
Well, all that has completely changed!
Last week, I got a letter from Barclays, telling me that if I didn't get PCI DSS compliant by September, it would cost me an extra 0.3% per transaction. "Oh dear," I thought, then I realised that this might put up the amount I pay them by about 5%. And that's the worst case scenario!
So I stopped worrying, and filled in their online form, which I was surprised to discover was only about a dozen simple questions. Then I waited a week while they got around to processing it.
Today, I got the phone call. I was asked several questions, which duplicated the questions I'd already filled in, and I don't know why they did that. And then the lady on the call said "That's fine, you're compliant for a year." "What about the quarterly security test?" I asked. "No need," she said.
So I went to the Barclays web site, and sure enough, I'm compliant until this time next year.
They've abolished the server test.
My server tests out as A+ on the Qualys test, so I'm not worried about that. But this means that they've abolished the server test for other people too, and I don't know how many others.
Have they stopped caring about computer security? Surely not.