I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues.  For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction.  It shocked me so much that I snapped a picture to make sure I got the wording correct.  It plainly stated:

WARNING: The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted (the original sticker said ‘intercetped’) by unauthorized personnel.

I promptly copied the phone number down and passed it to one of my reps.

Everything is better in a coconut!

Doesn’t this just scream, “F YOU banks and payment brands! I’m just going to tell people it’s THEIR problem if things go bad to discourage the use of payment cards, thus reducing my operating costs!”?  Of course, it doesn’t work this way now, does it?

Should a breach occur at this transportation shop, the shop’s acquirer is the party the payment brands hold responsible for all fines that follow, and unless there is some wacky agreement between the shop and the acquirer, that means the shop will ultimately pay those fines. This type of notice should not be used in place of PCI Compliance. If you don’t wish to accept credit cards, then don’t accept them and just live with the business you may lose.

Granted, I didn’t actually dig into what this meant, or whether it was just an overarching disclaimer that did not reflect what was really going on. My guess is that it was sent via cellular or localized digital shortwave in an unencrypted format. It wasn’t even my card that was used, so the guy could have read the card number and authentication data over the radio.  I exited the taxi before payment was rendered.

Regardless, this is NOT the right message to send. Merchants need to take responsibility for the data they accept as part of their normal business processes, or they need to change their processes so they do not retain said data. Things have a way of catching up to the merchants that don’t.

This post originally appeared on BrandenWilliams.com.