> PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks.
Personally, my most hated compliance ruleset. I've been in Healthcare for over a decade, I'm a HIPAA/data security expert, and PCI compliance is genuinely harder and more nonsensical than HIPAA.
And to be honest, for every ONE healthcare place I've seen that would fail a HIPAA audit, I've seen 20 companies that would fail PCI compliance and by a wider margin. The number one PCI issue I've seen *literally* everywhere is recording/writing down card numbers with CVV. It's strictly forbidden by the rules, and every small and medium business breaks that rule constantly.
What kind of business writes down credit card numbers (even without CVV)?
Online payments (e.g. e-commerce) usually send such data directly to the PSP, or encrypt it with a PSP-controlled key.
And in-person payments (e.g. stores and restaurants) use a payment terminal/device, which is presumably PCI DSS compliant and doesn't store such information.