Policing the police – managing PCI vendors bull****

Written By:
Content Copyright © 2007 Bloor. All Rights Reserved.

I am a great fan of PCI DSS—the Payment Card Industry Data Security Standard. Not that I spend my evenings in wistful thought about card security, rather I am convinced that PCI is starting to drive some maturity into the IT security industry.

When a standard is created vendors will follow in its wake with a selection of products all claiming to deliver the user from any hassle in implementing these—no matter how complicated or loosely defined, you will find snake oil to solve your problem instantly.

In reality we all know that this not the case, and that products will vary and vendors will always argue about the relative competence of the products on offer. To help focus the minds of the payment card community the PCI Security Vendor Alliance (PCISVA) has been founded by many of the great and the good in the industry not only to promote the goodness of PCI but also to self-police vendors.

How so?

The 50 or so members act as an anti-bull**** forum shooting down any excessive claims an individual vendor may make about their product solving PCI compliance issues over night. Vendors are probably in a better position to do this than most others as they will be faced with each other in a competitive pitch, so excessive claims will be subject to scrutiny.

This is especially important when faced with two of the toughest compliance standards of the 12 PCI requirements—number 3 (encryption) and number 11 (penetration testing). Few, if any, vendors claim to be able to deal with all 12 PCI standards and if they do they are subjected to extra special scrutiny in these areas.

In all it can take 3–6 months to achieve full PCI compliance. This process can be tough, time consuming and expensive, but ultimately needs to be successfully completed by merchants if they want to process credit and debit cards. The IT security industry is slowly evolving, and I tip my virtual hat to groups such as the PCISVA in recognition of the work they do.

Now then, anyone for a SOX vendor alliance?