Tuesday, October 13, 2009

More On Security Vendors and PCI DSS


This is a forced follow-up to my “Top PCI DSS Security Marketing Annoyances” post. What forced this is that a lot of folks are googling for “pci-dss market analysis”  (double laugh, if you read my previous post)!

So, let’s analyze this a bit: what creates such a tidal wave of PCI security marketing stupidity is the mindset of some vendors. They keep thinking “how do we sell our shit using PCI?” and not “how do we help organizations with PCI challenges?” This is what drives people to buy encryption instead of not storing the data, to deploy IDS sensors with alerts going to /dev/null, to scan web sites and never fix them, etc.

It is not uncommon for a security vendor to review a report that says that “only 6% of companies under PCI DSS use a technology X mentioned in the standard” (and that said vendor happens to produce) and then think “Wow, those merchants are stupid! They really should buy our shit NOW!”  A quick question to merchants reading this: do you guys like it? :-)

The answer is obviously “NO!” You probably want said vendor to actually understand your problems with PCI DSS and then offer, well, SOLUTIONS! It is very hard for some vendors to shift to that helpful mode if they keep obsessing about the following: “Problems? What do you mean ‘what problems do we solve?’ – our bottom line is our problem! ‘PCI-says-YOU-MUST-BUY!’” :-( 

Yes, PCI DSS does mandate the use of many security technologies and it is prudent to mention that fact, whether you are a vendor looking to help others or an end user looking to gain management support. Admittedly, I’ve long called PCI our sledgehammer of both awareness and budget for information security. But you can build a house with a hammer or... you know how this metaphor goes :-) PCI DSS has a lot of energy to motivate people to improve security, so please help them do just that!

But what if a merchant’s only perceived challenge is to “make the QSA go away and take his PCI thing with him?” Obviously, the other side of the coin is merchants buying something (like a Dell box with the label “FIREWALL” taped on [source here]) just to fake validation. This is where you as a vendor must evangelize! As Guy would explain, “evangelism” is not the same as “shouting the loudest” or “lying the vilest”; it is educating and then eventually converting the customer base to your way of thinking, which also happens to be the most useful one for them as well…

Finally, if you did get here after googling for “pci-dss market analysis,” please keep in mind:

  • The payment card security standard is called “PCI DSS”, not “PCI-DSS.”
  • There is no such thing as “PCI market” so there is nothing to “analyze”; PCI is not for sale :-)


Dr Anton Chuvakin