Top PCI DSS Compliance and Security Marketing Annoyances

Friday, October 02, 2009

Anton Chuvakin


As it happens, I just read one too many PCI-focused whitepapers and my annoyance at some vendor’s ignorance boiled over the top. This post is the result:

Don’t misspell PCI DSS. It is not “PCI DDS”, and not even “PCIDSS.” BTW, if you want to impress PCI literati, make sure that “PCI DSS” has a space, while “PA-DSS” has a dash.

Most definitely, do not pretend that you address ALL PCI DSS requirements just because you want to look good.

You cannot “automate PCI.” Don’t market it and don’t sell it … or people will call you on it. Admittedly, you can automate a lot of it, but not all (think “policy and process”).

Please don’t say “PCI compliancy!” This is just another synonym of “I am a buffoon.” BTW, if you offer “free PCI compliancy”, then your case is worse, much worse.

Don’t call a QSA (Qualified Security Assessor) “an auditor.” That “A” does NOT stand for “auditor,” and a PCI on-site assessment is not the same as, say, a SOX audit.

Further, if you want to market to QSAs or ASVs, spend a few minutes learning what they actually do, which is which, etc. Helpful hint: a QSA is not the same as a penetration tester. As per Requirement 11.3, the QSA must “obtain and examine the results from the most recent penetration test to verify that penetration testing is performed,” not go and “just do it.”

The “ongoing compliance” theme is awesome. Sadly, a majority of your customers don’t do it like this (to their own loss – this is why it is sad). They still have the assessment-time rush, the pleasing-the-assessor approach and the checklist-oh-we-are-DONE! mentality.

If you want to sell continuous compliance, you need to educate them first!

Don’t pretend that “PCI is about data encryption.” It is not! If you have to have some simple one-liner, use “PCI is about not having card data sitting around” instead.

Please don’t write whitepapers that are structured like this: “section 1: this is PCI”, “section 2: this is our shit”, “section 3: our shit is great” (and, no, it has only a very, very tenuous relation to PCI DSS…). Specifically, don’t say “these are PCI-compliant features of our security product.”

If you mention cloud computing in your PCI marketing materials, think – very hard! - whether the rest of the content has ANY relationship whatsoever to it…

Finally, if you are building the dreaded matrix of how your product magically makes everything PCI compliant, try differentiating between features that directly satisfy requirements vs. those that enable somebody to eventually reach compliance vs. those that simplify compliance validation. Your users and their QSAs will thank you for it!

There is no such thing as "PCI certified" either. "PCI validated" is what you are likely trying to say. To add to this, there are no "PCI validated" products, only companies or organizations.

Please also forget about "selling into the PCI DSS market." PCI might be a driver, might be some other motivation for buying stuff, might be the regulation du jour, etc. But it .. is ... not ... the ... market.

Overall, unless your goal is humorous relief of people working on PCI projects, please pay attention to these.
