Resources for Federal Financial Institutions Examination Council (FFIEC)

Can You Buy PCI Compliance?

www.informationweek.com

It's no surprise that vendors have swarmed around the PCI Data Security Standard. It already has generated a mini-industry of Qualified Security Assessors and certified scanning companies. While it's true that many retailers need to invest in new hardware and software, the fact is, compliance is a process, not a product. But hardware and software vendors are still packaging pieces of their portfolios as "PCI enablers."

For instance, Cisco Systems has developed a 380-page design guide to help customers build a PCI architecture--featuring, of course, lots of Cisco gear, including routers, switches, firewalls, and wireless devices. But Cisco is careful to say its architecture is PCI-validated, not compliant. "No product can guarantee compliance," says Ed Jimenez, director of market management for Cisco retail. He notes that retail is a fast-growing segment of Cisco's business but says the company doesn't break out revenue generated by PCI.

Smaller vendors are also getting in on the act. LogLogic, Arsenal Data Security, and SecureWorks recently launched a "PCI Starter Package." It includes LogLogic's LX1010 log management appliance and a PCI gap analysis conducted by Arsenal. SecureWorks will manage the appliance for free for two months.

View the Resource

Share or bookmarklet this web page at: