The rent is too damned high!

Why would you think that? I use it here for internal web apps, I don't care about their youporn visits and I don't want that on my network. So, if they're at home, let them connect to the VPN, access the internal apps and do their work and wank on the side using their own Internet connection.

Probably. I must be getting too old for slashdot, because I'd rather concede the point instead of arguing until my dying breath over slight nuances of words and corporate governance.

No doubt it was a different time. In addition to few external competitors, the entire world was rebuilding due to WWII and recovering from a decade of pent up desire from the Great Depression.

No. They're more like Ford/Mazda, wherein Ford owned a big chunk (49%) of Mazda. Hyundai owns ~40% of Kia. Not the same company.

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do even minimal work to get started. The acquiring bank will just set them up an account and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend Farmer's market and signs a couple papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonably organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're often times just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

OTOH, some of the mid-range Android stuff is quite good, and much cheaper than iPads. There may be better edu software for iOS, though, as another commenter claims.

An SUV plus a utility trailer does fill the role of a pickup truck.

The cost of a minivan plus a pickup plus the fuel to commute in the pickup is greater than the cost of an SUV plus a small sedan plus the fuel to commute in the sedan.

Depends somewhat on lifestyle. If I'd had a minivan, I'd also have needed to buy a pickup truck. An SUV fills both roles. Neither quite as well as the ideal vehicle, but well enough that it makes more sense than two vehicles... actually three since we also needed a commuter vehicle.

Agreed, unless you also need to tow stuff and/or go off road. Even if you don't do that stuff very much, renting an SUV or truck for those occasions isn't feasible, because as far as I can tell all rental car companies prohibit towing and off-road use. I do tow stuff regularly (boat, camp trailer, ATV trailer, utility trailer), and need to seat at least six people, which has made an SUV the practical and logical choice.

Now that my kids are moving out I no longer need so much seating, so a pickup truck is becoming the practical and logical choice. I'd like to upgrade to a bigger camp trailer, so one with a powerful diesel engine is looking particularly attractive.

'In living memory'? Ask George Takei what he remembers from his childhood.

Now if only trucks or trains could be used to transport lithium...

In the 50's and 60's? Most of them.

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.