Customers beware when buying an approved Payment Card Industry Data Security Standard (PCIDSS) solution. It may be approved but implementing the solution doesn't mean customers are immediately compliant, according to a PCIDSS accredited auditor.
Drazen Drazic, managing director of auditing firm Security-Assessment.com, said customers shouldn't assume they are compliant simply because they have purchased an approved PCIDSS solution.
The standard was introduced in 2004 to ensure retailers are responsible for cardholder data or risk facing fines of more than $500,000.
Drazic's comments follow the launch of a number of merchant retail solutions that address PCI compliance.
It is the selling point for a new retail solution jointly released by security heavyweights Cybertrust and Cisco Systems last week.
According to a press release, Cisco will provide audited network architectures tailored to individual stores under the mandate and Cybertrust will validate the gear as PCI compliant.
Cybertrust is an approved assessor for the PCI DSS for American Express, MasterCard and Visa. Cisco provides approval under the Cisco Secure Store Program, which offers both the PCI Solution for Retail and a Digital Video Surveillance solution.
According to Cisco, the Digital Video Surveillance solution includes "human and automated video surveillance, and reduces retail shrink through improved loss prevention capabilities".
However, Cisco did not confirm whether the surveillance solution is part of the accreditation for PCI compliance, or an additional feature.
Cisco did not respond to repeated attempts by Computerworld to clarify how its solution complies with PCIDSS.
Drazic said using a solution from an approved assessor doesn't automatically make a company compliant.
He said some vendors are using PCI compliance to try and sell product.
"Like products from any other reputable vendor, it's how you implement, manage and maintain those systems that is the key; simply implementing this product doesn't make you compliant," Drazic said.
"Do you need to throw away what you have now? No way if it is working. Do you need to consider these offerings? Possibly, but it shouldn't be different to any other purchase.
"This is an interesting approach by Cisco and CyberTrust to make inroads into what is becoming a potentially lucrative market, and the PCI name is becoming a selling point. Is there anything really new about this solution aside from the PCI name? I doubt it."
Despite repeated attempts to get Cisco and CyberTrust to respond to these claims and clarify their partnership, both companies did not respond.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Providing Business Continuity and Disaster Recovery for Microsoft Cluster Server and Windows Server 08 Failover Clustering Apps
Top 10 Ways to Increase IT ROI Without Adding Staff
Reducing the risk of insider abuse
Keeping your SQL Server Going 24x7
Look before you leap | Key considerations for moving to 802.11n
5 steps to getting started with data loss prevention
Customer Experience Management: Improving the Consistency and Quality of Customer Interactions
How to Beef Up Your Sales Pipeline
Zones provide focussed content from Computerworld and leading technology partners.
Comments
Post new comment