At the BC ISMS User Group meeting last week we were concentrating on the relationship between the ISO 27000 family of standards, and the PCI-DSS (Payment Card Industry Data Security Standards, usually just known as PCI). PCI-DSS is of growing concern for pretty much anyone who does online retail commerce (and, come to that, anyone who does any kind of commerce that involves any use of a credit card).
It kind of crystallized some ideas that I’ve been mulling over recently.
Over the past year or so, I’ve been examining some situations for small charitable organizations, as well as some small businesses. Many would like to sell subscriptions, raffle tickets, accept donations, or sell small, specialty items over the net. However, I’ve had to consistently advise them that they do not want to get involved with PCI: it’s way too much work for a small company. At the same time, most small Web hosting providers don’t want to get involved in that, either.
The unintended consequence of PCI is that small entities simply cannot afford to be involved with credit cards anymore. (It’s kind of too bad that, a decade ago, MasterCard and Visa got within about a month of releasing SET [Secure Electronic Transactions] and then quit. It probably would have been perfect for this situation.)
Somewhat ironically, PCI means a big boost in business for PayPal. It’s fairly easy to get a PayPal account, and then PayPal can accept credit cards (and handle the PCI compliance), and then the small retailer can get paid through a PayPal account. So far PayPal has not created anything like PCI for its users (which is, again, rather ironic given the much wilder environment in which it operates, and the enormous effort phishing spammers make in trying to access PayPal accounts). (The PayPal Website is long on assurances in terms of how PayPal secures information, and very short on details.)
This is not to say that credit cards are dead. After all, most PayPal purchases will actually be made with credit cards: it’s just that PayPal will handle the actual credit card transaction. Even radical new technologies for mobile payments tend to be nothing more than credit card chips embedded in something else.
These musings, though, did give a bit more urgency to an article on F-commerce: the fact that a lot of commercial and retail activity is starting to happen on Facebook. Online retail transactions aren’t new. They aren’t even new in terms of social networks or a type of currency created within an online system. Online game systems have been dealing with the issue for some time, and blackhats have been stealing such credits and even using them to launder money for a number of years now. However, the sheer size of Facebook (third largest “national population” in the world), and the fact that that entire population is (by selection) quite affluent means that the new Facebook credit currency may very quickly balloon to an enormous size in relation to other currencies. (We will leave aside, for the moment, the fact that I personally consider Facebook to be tremendously divisive to the Internet as a whole. And that Facebook does not have the best record in terms of security and privacy.) Creation of wealth, ex nihilo, on a very, very large scale. What are the implications of that?