What’s really going on both with the PATRIOT Act and its sequels is two things:
1) When any tragedy takes place, some of the public, and naturally the media, urgently demand that government DO SOMETHING. Often the result is some feel-good law that doesn’t accomplish anything worthwhile, but does make it look as though lawmakers are doing what the public wants. Another example of this was the Sarbanes-Oxley act, passed in reaction to the Enron and Worldcom frauds: we all know perfectly well that it wasn’t needed, because the chief bad guys in both cases went to prison under the old laws anyway, but stupid people demanded action and now everyone in the business world has to deal with extra burdens. Similarly here, all air travelers have to deal with extra hassles so it will look like Congress DID SOMETHING.
2) The drug police had been asking for most of the powers in the PATRIOT Act for decades. 9/11 gave them an excuse and they grabbed it. Of course, the drugs still get through and always will: Adam Smith’s invisible hand is a natural law and no human agency can defeat it.

The feds pulled a Big Lie and most of you fell for it. Let’s try not to get fooled again.

Of course, so what. I doubt that Visa, MasterCard, or any bank, will challenge that practice (unless maybe there is a major breach of a homeland security database). Since the PCI standards are promulgated by Visa, MasterCard (and to a lesser extent the issuing and acquiring banks) they are the only ones who can take action against merchants who don’t comply. Do you really think the CC processor for United Airlines is going to tell them not to give Uncle Sam CC data and risk loosing the account?

But I’m not convinced that PCI DSS isn’t applicable.

The standard also applies to Service Providers. Based on the PCI SSC’s definition of “service providers,” I think a case can be made that the standard applies. The point of the standard is the security of payment cards.

“Service Provider: Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching or transaction data and cardholder information or both. This also includes companies that provide services to merchants, services providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.”
(https://www.pcisecuritystandards.org/security_standards/glossary.shtml#s)

Just a quick nit pick, because it really does matter – stealing credit card data is not IDENTITY THEFT, it is credit card theft. It is a non-issue to most consumers as the extent of damage they will actually endure is the annoyance of getting the charges cancelled and waiting for a new card. Identity theft, however, is a horribly frustrating crime to the victim as it can take years of legal wrangling to clear them of the liability for any fraudulent credit taken in their name, repair credit history, etc. Identity Theft should not be watered down with such casual usage as it removes a sense of the severity, in the same way as labeling punching a guy as murder would remove any sense of severity from the label murder.

Honestly what bugs me is all of the other information associated here. It may make a convinient audit log for the government to back track through, but thoroughly monitoring the movements of citizens is ripe for abuse (FFN even if one isn’t used serves the sole purpose of being able to link together travel records for monitoring purposes).

To pick a particularly inflammatory example, were German Jews in the 1930s doing anything “wrong”. Nope, not until they were effectively outlawed. Did it happen on one particular day? Nope, fascism creeps in like fog, and your legal actions today can be the Star of David sewn on your coat tomorrow. Think “That can’t happen in these enlightened times”? I’m certain that’s what many thought in the ’30s as well.

Secondly, claiming that you are comfortable with government surveillance because you feel safer, may I direct you to the words of one Benjamin Franklin (paraphrased) “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” I for one suspect Franklin was a more keen observer of the dangers of government that most Americans today, raised as we are in the cotton candy padding of wealth and isolationism.

The world did not change on 9/11, Americans were merely made aware that the world extends beyond our borders.

I am not an alarmist, conspiracy theorist, member of a paramilitary enclave, nor do I wear a tinfoil hat. I’m a middle class, middle age, mid-western American who happens to know his history and the fallibility of government.

The government naturally doesn’t need to comply with commercial standards like PCI (in fact businesses don’t need to comply either; it’s just a good practice). Of course DHS doesn’t need to comply with lesser state privacy regulations; the federal government is not subject to state law in such a situation. They may be stupid and even malicious, but they’re not breaking the law.

I don’t believe the DHS fits this definition and thus couldn’t suffer the normal penalties the credit card companies might seek to impose for standard violations. The companies passing the DHS this information might, but they may also have an excuse if the DHS is requiring them to pass on the data.

As far as I know, I could ask all of you for your credit card data and then post it on the Internet because I’m not bound to the PCI agreement.

Se informa de los datos que el DHS guarda de los viajeros que llegan al país y pasan por los servicios de aduanas/inmigración. La información la obtuvieron haciendo una petición oficial de esas que obliga a revelar los datos de que dispone el oganismo;…