Is PCI DSS being undermined by the little guys?
After a few Friday afternoon beers, group consensus was to order pizza delivery for dinner. I drew the short straw, so I phoned up our local pizza place. After running through the order, I asked whether I could pay by credit card. The guy said ‘yes! No problem’, so I read out my card number and expiry date. Then he asked for my CVC number (you know, that 3-digit code on the back of your card that’s supposed to increase the security of your card, and never be recorded by anyone?).
So I flipped my card over, then realised that two of the three digits were completely worn off. I could make out the first digit, but the 2nd and 3rd were anyone’s guess. I took a stab at it: “Uh, it’s, ummm, 774. No wait! It’s 744. Oh no, hang on, maybe it’s 771?” It was no use; we’d have to go hungry (at least we still had beer!). I had to confess: “I’m sorry, but I have no idea what my CVC is – the numbers have worn off my card”.
Luckily, the pizza guy was a helpful sort. He said, “don’t worry, I have your number here, it’s 714 *.”
Fantastic! The pizza place kept a record of my super-sensitive CVC number!
So my order went through, the pizza arrived, and everyone was happy.
Except for the Payment Card Industry body who have to cover the costs of credit card fraud. And except for the companies that are spending squillions to become PCI DSS compliant – and to prove that they’re compliant – only to have the security of the whole card system undermined by the smaller merchants.
I don’t envy the Payment Card Industry body – they obviously have a mammoth task in front of them to get the message out to all merchants – including the little guys!
* not my real CVC number!