Sure, a hacker could compromise your blog, change the link to a page that looks like Amazon, and subsequently steal the user's card data. Nobody is arguing that this is not a risk, but is the potential risk great enough to require the full extent of the SAQ A-EP?
Where do we draw the line? The web is defined by its links, and any one of them is at risk of being "rerouted". At what point is security in the hands of the buyer? The buyer should make sure that they are connected correctly over SSL and that the certificate clearly shows they are on a trusted domain before they enter their card data.
If the buyer can't be trusted with their own security, then who can be? What kind of disruption is needed to make their cardholder data safe? It is impossible to remove all risk, so how much risk is tolerable? Can't we come to a compromise where small startups can get off the ground without such ridiculous requirements?
Perhaps our websites are not the problem, perhaps credit cards are.
http://pciguru.wordpress.com/2014/04/26/why-saq-a-ep-makes-sense/
https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.pdf