While working on a story about how updates to PCI compliance rules will phase out WEP for retailers who process credit cards, I came across one of the more interesting takes on PCI compliance, by Anton Chuvakin, who has written or contributed to a number of books on the subject and now works at compliance solutions company Qualys.
As Anton sees it, there are two camps in the compliance world:
1. “Please, please make PCI easier by letting us skip the requirements; or, better, just let us ‘SAY YES ON THE SAQ!’” camp.
2. “We know that our security program makes us PCI-compliant; please make it easier for us to prove it!” camp.
For the former, Anton recommends ScanlessPCI*, a simple, quick banner that shows your customers you are PCI compliant — while actually proving, and doing, nothing.
The latter camp, in which I hope (pray?) most of our readers fall, might be better served by investigating tools and techniques to help prove that their security passes muster, which is exactly the advice Petco’s vice president of network and store systems J. Smith gave me.
“All vendors are definitely not created equal,” he said. “And all you have to do is ask your vendor where they stand in terms of upcoming compliance.”
If you’re looking for some more insight into how you can make sure you’re headed down the right path, you’re in luck, because TechTarget has just launched a brand new IT Compliance Advisor Blog, and SearchCompliance.com is launching tomorrow for all your PCI — and other — compliance needs (a sneak preview is up today in case you can’t wait).
But the takeaway message? Even as everything else in the world seems to be getting cut back, the cost of PCI violation fines or, worse, an actual intrusion, is too great to risk. Trying to go the ScanlessPCI route is as deluded as thinking you’ll get money for nothing …
*NB: ScanlessPCI is, of course, a joke service, legitimate as the page may look. Don’t expect your compliance officer to be pleased if you try and pass it off!