Can You Buy PCI Compliance?Can You Buy PCI Compliance?

It's no surprise that vendors have swarmed around the PCI Data Security Standard. It already has generated a mini-industry of Qualified Security Assessors and certified scanning companies. While it's true that many retailers need to invest in new hardware and software, the fact is, compliance is a process, not a product. But hardware and software vendors are still packaging pieces of their portfolios as "PCI enablers."

For instance, Cisco Systems has developed a 380-page design guide to help customers build a PCI architecture--featuring, of course, lots of Cisco gear, including routers, switches, firewalls, and wireless devices. But Cisco is careful to say its architecture is PCI-validated, not compliant. "No product can guarantee compliance," says Ed Jimenez, director of market management for Cisco retail. He notes that retail is a fast-growing segment of Cisco's business but says the company doesn't break out revenue generated by PCI.

Smaller vendors are also getting in on the act. LogLogic, Arsenal Data Security, and SecureWorks recently launched a "PCI Starter Package." It includes LogLogic's LX1010 log management appliance and a PCI gap analysis conducted by Arsenal. SecureWorks will manage the appliance for free for two months.

Many retailers can spot the opportunism a mile away. The CIO of a Level 2 outdoor equipment company says he and his IT staff get calls every day from vendors pitching PCI compliance. "There's a swarm of people that are misleading the industry by saying that they can do this. It's not about hardware or software."

Alan Stukalsky, CIO of Church's Chicken, has had similar experiences. "Vendors are coming in: 'Here's a $50,000 device that will help you get certified,'" he says. "We said, 'No thanks.'" Return to the story:
PCI And The Circle Of Blame