
Comment Re:PCI-DSS (Score 1) 217

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do minimal work to get started. The acquiring bank will just set up an account for them and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend farmers' market and signs a couple of papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

Comment Re:PCI-DSS (Score 1) 217

No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonable organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're often just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

Comment Re:PCI-DSS (Score 4, Interesting) 217

As an organisation accredited to be following PCI-DSS

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

Comment Re:yes but (Score 1) 302

Assuming I found the idea of male or female genital mutilation and "straight camps" reprehensible I absolutely would feel the same way. See below.

I was hoping one of those might strike a chord, but consider if the Federal government stated you had to directly fund the murder of children up to, say, 5 years of age. Since many religious people believe that the life of a child begins at conception, that's what people like the founders of Hobby Lobby believe they are being told to do: directly fund the murder of children, not with the collection of taxes that go to a general fund, but rather by paying the private business that pays the private business that murders children. I would assume you would have significant objections to being forced to pay someone to murder children, but would you do it anyway simply to comply with the law? Or would you seek to be excluded from that requirement?

If I consider cockroaches holy I still don't have the right to forbid or obstruct a fumigator from doing his job.

No you don't, but I think you have to admit that a fetus/unborn child/baby/whatever-you-want-to-call-that-thing is significantly different from a cockroach, assuming you consider human life to be more important than insect lives. If you don't, that's fine, but I don't think we can have a good discussion. Assuming that you do, I actually still agree that no one has the legal right (though I would consider moral right a tougher call) to prevent someone from having a legal abortion or to prevent a doctor who performs abortions from doing his job. However, that isn't what's being discussed here. What we're talking about is the founders of Hobby Lobby, whose religious beliefs consider abortion to be murder, being forced by their government to directly fund that practice. In essence, from the perspective of their religion, they're being forced to directly fund the murder of children. Regardless of what you or I or any of the justices of the Supreme Court believe, it's what the founders of Hobby Lobby believe and they would almost certainly have to conclude that compliance with that law would damn their immortal souls to Hell for all eternity. I think that makes it rather difficult to defend for a nation that purports to respect religious beliefs.

There are many actions I disagree with committed in my name (and with my tax money) by the federal, state and local governments in whose jurisdiction I happen to reside. The fact I don't like how my resources are being utilized does not give me the right to refuse to pay taxes, permission to disrupt law enforcement activities or anything similar.

Your tax dollars go into a general fund. From that fund, activities you disapprove of are funded. Yet that's a far cry from them forcing you to pay for those activities directly. For instance, if you believe that all wars are evil and that fighting them and killing in them is murder (the truly convicted total pacifist), you may not like that the US government buys bombs and missiles with monies collected through taxes, but they aren't telling you that you have to write a check to Lockheed for an order of 5,000lb JDAMs so they can be dropped on someone's house. In other words, there's at least some difference between being forced to pay into a fund of fungible funds which is sometimes used for things you dislike and being forced to cut a check to pay for something that directly contradicts your firmly held beliefs.

In both cases there is a law in place. In my case I have to comply or face the consequences. In HL's case, they apparently do not have to comply with some of the law because they don't like it?

There are plenty of cases where you don't have to comply with the law. For instance, it's against the law to kill another human being. However, if that human being is trying to seriously harm you and you have no other choice to avoid that serious harm, you're exempted from the consequences of violating that law due to the circumstances. Intent is a huge component of criminal law. In many cases, a lack of intent can be a defense against criminal charges. In many of those cases where exemptions are carved out for circumstances, the beliefs of the individual and the reasonableness of those beliefs are a key factor. In this case, the founders of Hobby Lobby have beliefs that compliance with this law would constitute violation of core religious doctrine. In other words, they believed that directly funding these particular forms of birth control would damn them to Hell for financing the murder of children. Further, the other 16 methods of birth control were apparently not an issue for them, meaning they were seeking to follow the law right up to the point where it would result in eternal damnation. That's a far cry from simply declaring that one isn't going to follow the law because one dislikes it. This is a very specific, narrowly tailored exemption carved out for a relatively small group of individuals based upon an apparently reasonable religious belief.

While I understand that HL was able to summon the money and political clout to push the issue clear through the Supreme Court for an exception, I remain unconvinced that what occurred here was just/right even though it's clearly legal.

I think that what they were seeking was completely reasonable. Out of 20 birth control methods looked at, they found four methods with specific characteristics which heavily conflicted with their firmly held religious beliefs. They didn't seek exemption from the entire law or the women's health aspects of the law or even the birth control aspects of the law. Rather, they were seeking to not have to directly fund a very small number of specific things that they believed constitute murder. Worse, that they believed constitute the murder of defenseless babies. I think if you ask 1000 people whether the Federal government can legally force someone to fund the murder of young children, at least 995 of them would say no. At that point, all that's left is to ask whether it's reasonable - based on their religious beliefs - for the Hobby Lobby founders to believe that's what's required of them if they have to fund those few specific methods.

SCOTUS found that it was reasonable for them to believe that and that as such, they had grounds to object. Further, the SCOTUS found that because there were so many alternatives for those affected by that coverage gap, the actual impact of such an exemption would be pretty limited. With those two things in mind, it became rather simple to decide that forcing a person to directly fund what they believe is the murder of small children, when not forcing them to do so has little impact on anyone else's rights or interests, just doesn't make sense. Thus, carving out a religiously based exemption was the best result. I think that's a perfectly sensible way for the SCOTUS to act.

OT: Thank you for your considered statements, reasonable tone and for not trying to turn this into a flame war.

Certainly, as I said, I'm definitely not emotionally invested in this case beyond looking for consistency and reasonableness. I really don't think this case would make any headlines if it weren't tied to the President and the ACA. I don't particularly like the legislation, but that's because I think it was poorly constructed and will bring loads of unintended consequences without actually making a significant enough impact in fixing problems like healthcare costs. Religious issues like what we're seeing in this case are just the beginning. This thing is going to slowly churn new exemptions (mostly administrative) and other changes constantly over the next decade until it's every bit as complicated as the current tax code. I think the law should be simple enough that one person can completely understand it and comply with it at all times. Our own government can't even tell us how many (just the number) of laws there are at the Federal level (seriously, the Library of Congress did a whole blog posting about this subject), let alone explain what all those laws are and how one would comply with them. That doesn't even touch all the laws in every state, county, city, township, etc. All that does is breed disrespect for the law and for the government making those laws.

Comment Re:yes but (Score 1) 302

What an interesting perspective. Pray tell, once the baby is born, but still attached via the umbilical cord, is it still a parasite you can destroy at will? I don't actually care one way or another about abortion, but I do care about consistency. From a medical standpoint, there are some specific events such as fertilization, implantation, birth, etc which could be used as a basis for drawing the line between a non-human thing (which one might describe - as you did - as a "parasite") and a human being. Thus far, the only group that seems to define that line at a medically objective point are the religious crowd (who use fertilization as their starting point). Again, consistency.

Comment Re:yes but...yes in fact. (Score 1) 302

Why are certain beliefs privileged?

Because the people who founded this country came here seeking relief from religious oppression. Thus, when they created their own government (the one we have today), they ensured that the highest law of the land specifically restrained the government from doing to future generations what the Crown had done to them. If you don't think religious beliefs deserve special consideration, feel free to propose an amendment to the US Constitution stating so.

Could a non-religious person decide they "believed" in not providing certain healthcare to their employees and just let the government pick up the bill instead?

That would be a more challenging case to prove. The benefit of belonging to a popular religious group is that the tenets are widely known. As such, one must only then demonstrate that one actually belongs to that group (and even so, only minimally; stating as much without evidence to the contrary would typically be enough) to gain protection from government policy, law, or action which would violate that group's religious beliefs. In the Hobby Lobby case, there were 4 specific methods of birth control out of 20 which the owners maintained violated their core beliefs. In essence, they viewed those 4 specific methods as murder, but raised no objection to the other 16. The SCOTUS found those beliefs to be sincere and reasonable, and found that there was no interest at stake compelling enough to override the protections afforded to the owners of Hobby Lobby by the US Constitution. This was found in no small part due to the multitude of other options available for those seeking to attain the goals of the underlying legislation.

It's actually a pretty mundane case and shouldn't get people this riled up, but it does because the ACA and the President are attached to it. If this case involved any other law but the President's signature legislation, nobody but SCOTUS buffs would have heard a word about it.

Comment Re:yes but (Score 1) 302

This is getting a bit muddled, so I'd like to list a couple points of fact:

- HL is required to provide healthcare to their employees. The legislation has been enacted, it's a done deal.

- This birth control is part of that healthcare.

Nobody is telling the owners of HL not to use birth control. They have the right to make that choice for themselves.

We are talking about whether HL has the right to selectively refuse to provide this federally mandated medical care coverage to their employees because they (HL) don't like/agree/approve of it.

I tend to wonder if you'd feel the same way if you owned a business and the Federal government passed a law stating you had to pay for female genital mutilation procedures for young girls and "straight camps" for gays.

Not advocating a side, just seeking consistency. Out of 20 different birth control methods, the SCOTUS ruling continues to require HL and others like them to provide coverage for 16. There were 4 specific methods which the owners found to be abhorrent to their religious convictions. In essence, they consider those 4 specific methods to be murder. The other 16 are covered without objection and if the employees just have to use those four specific methods, there's nothing in the SCOTUS ruling stating that they can't; they'll just have to bankroll them on their own.

This doesn't strike me as a case where the concept of birth control or 'reproductive health' as a whole are under attack. Rather, this seems to be a legitimate situation wherein reasonable religious conviction clashed with law passed by Congress. The impact is quite limited and thus, the SCOTUS correctly provided reasonable latitude to the religious beliefs over the law.

People on the right are blowing this case way out of proportion because they see it as a victory against the ACA. People on the left are blowing this case way out of proportion because they either don't understand what actually happened or they're convinced it's a victory against the ACA. The reality is that it isn't any such thing; rather it's a fairly mundane case which wouldn't make it to page 4 below the fold if it weren't tied to the ACA and the President. In other words, relax, it's really no big deal.

Comment Re:We can thank corporate America (Score 1) 282

I think it depends a lot on your management. If you can get them to recognize your value to the company (assuming you're providing that value) and make yourself especially difficult to replace (due to skillset and work ethic, not sabotage and self-niching), you have some more leverage where you are. I've found it fairly effective to engage on the subject in a more cooperative - rather than adversarial - manner. For instance, making it about what your fair market value is versus what your pay is, rather than an issue about raises not being high enough, or that your lifestyle is exceeding your means. When you can show that your paycheck isn't reflecting your fair market value, it removes a lot of the emotion from the conversation. At that point, you have a couple of ways to deal with it: adversarial (which largely consists of holding your management hostage by threatening to leave or by getting and showing written offers for more money) and cooperative (convincing your management to find a way to get you what you're worth as quickly as possible without an overt or heavily implied threat of leaving).

Ultimately, it doesn't have to get personal and it won't if both parties can avoid making it personal. You're an asset that's worth $x in the market. If the company is paying you $0.75x and the company doesn't feel it's in their interests to pay you $x, you should work elsewhere. If the company does feel it's in their interests to pay you $x, they can choose to find a way to make that happen. If they don't, there's no reason to be personally offended when the asset finds and accepts a better offer.

Needless to say, it won't always work this way. Some people (on both sides of the table) are just children and will make it all very personal. If you find yourself working for children who can't have adult conversations in an adult manner, you should be seeking additional compensation to account for that and you should leave if it doesn't come. You're only a supplicant if you allow yourself to be one. That doesn't mean be a controlling jerk; it means ensuring you're a valuable asset and only working at places which recognize you as such.

Comment Re:What about range on this smaller car? (Score 2) 247

You can fill your car in 5 minutes and go another 600KM. You can battery swap a Model S in 90 seconds and go another 500KM. Or you can wait 20 minutes and get a supercharge that will get you 250KM for zero cost.

Seems like the electric car not only meets your expectations, but rather exceeds them.

Comment Re:Growing Potential (Score 1) 68

What it can do is provide an interface between NGOs and common people. NGOs typically receive much of their funding from governments and rich or wealthy benefactors. Fundraising means getting those folks into a room and convincing them to cough up some cash. Crowdfunding allows a wider audience (literally everyone on the Internet) to see the intended actions of the NGO and then choose to contribute. Rather than getting $45,000 from 100 rich people, they can get $45 from 100,000 without the immense overhead of doing so without using the Internet. That's the real difference. It isn't easier so much as it's a different way of fundraising from a different audience.
