yup, the way PCI is set up is disgraceful. all a crook needs to do is get a merchant account and some card numbers and he can just help himself to the money pool
cash out and bug out
we should be using smart cards such that the merchant never has the card number and in fact cannot initiate and execute transfers without customer authorizations as is now the case
to do this the POST would be changed to transfer a copy of the invoice to the processor on the customer smart card. the smart card would then encrypt the invoice together with the authorization for payment and transmit it to the PCI via the POST. the merchant would never have the card number in plain text.
PCI would then transmit the paid copy of the invoice to the POST and to the customer account and execute the EFT
all the POST should do is relay the messages. the way it is set up now it is an open door to crooks — and there was a big story on this exact scam just last week
anyone with a merchant account and your card number can steal from you at will.
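The flow proposed above, sketched as an added example that is not part of the original comment: the card authorizes one specific invoice, the terminal only relays, and the processor refuses anything altered or replayed. As assumptions of this sketch, an HMAC with a key shared only by card and processor stands in for the encryption step, an opaque card id stands in for the card number, and all names and values are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key: known to the card and the processor, never the merchant.
CARD_KEYS = {"card-0001": bytes(range(32))}


def card_authorize(card_id, key, invoice):
    """Card side: bind the customer's approval to this exact invoice."""
    nonce = os.urandom(16).hex()  # makes each authorization single-use
    body = json.dumps({"card": card_id, "invoice": invoice, "nonce": nonce},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def terminal_relay(message):
    """Merchant terminal: forwards the message unchanged and holds no key."""
    return dict(message)


class Processor:
    def __init__(self, keys):
        self.keys = keys
        self.seen = set()  # nonces that have already been paid

    def settle(self, message):
        try:
            body = message["body"]
            tag = message["tag"].encode()
            fields = json.loads(body)
            key = self.keys[fields["card"]]
        except (KeyError, ValueError, TypeError, AttributeError):
            return "rejected: malformed"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag):
            return "rejected: bad authorization"
        if fields["nonce"] in self.seen:
            return "rejected: replay"
        self.seen.add(fields["nonce"])
        invoice = fields["invoice"]
        return "paid: %s to %s" % (invoice["amount"], invoice["merchant"])
```

A merchant holding only the relayed message can submit it once, for the amount the customer approved, and nothing else.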