With the introduction of our new service, PCI Complete, and our new blog, The Security Samurai, we wanted to take a moment to talk about why we’ve been spending our time and energy on the PCI compliance problem.
We’ve been helping organizations – 3 out of 4 of the DoD services, large commercial enterprises, and small to medium-sized businesses – with their security and compliance needs for over 10 years now. Over the last several years, more and more of our clients have been using our products and managed services for compliance with PCI.
As we’ve spent more time talking and working with them, we’ve learned that organizations, for the most part, have great intentions, but the compliance process is just a huge distraction from their core business activities – they aren’t being rewarded in their marketplace for being compliant. There is really only downside for them – fines, PR headaches, customer defections, etc. And, to be compliant is daunting for IT teams that are already stretched thin – not to mention exceptionally resource intensive.
The actual process of creating evidence from multiple vendor solutions, in house processes, and documenting policies is painful for any organization, and then to have an auditor review whether you got it right – not fun.
The sad part of the conversations that we’ve had with folks is that they debate how to deal with this problem with options such as doing the minimum possible to get compliant, or even just opting out and saying, “if we get fined it will be cheaper than the cost and pain of doing the work.”
Dave Greenstein, our Chief Architect, kept saying that we could do better. We could really try to solve this holistically rather than the piece parts approach that everybody has been dealing with. We have a wide breadth of technology, our managed services, a certified SOC and personnel to put towards the problem. But, as we talked about what would make a difference for people, we knew that it had to be a single managed solution that would take on all of the requirements that could be managed. We didn’t want to put people through the pain of cobbling together reports and evidence for many different solutions.
We also decided very early on that whatever we did needed to be certified by an independent QSA. We know full well that there has been tons of smoke and mirrors out there around services that said they could take care of PCI compliance, or offered “PCI in a Box.” That’s why we wanted to be completely transparent - here’s a specific matrix of exactly what PCI Complete covers – and what it doesn’t. That’s why we wanted somebody independent and qualified saying that our solution would meet the PCI requirements, not just us. That’s why we’re working with Coalfire to achieve Reports on Compliance for all parts of PCI Complete.
Finally, we needed it to be cost-effective. We wanted it to be easier, cheaper, and better to turn to our solution, than to risk avoiding the problem.
We believe it’s time our industry stepped up to the plate. Claims that technology products will make someone PCI compliant have to stop. Hand waves towards compliance aren’t acceptable any more. Companies that sit on both sides of the table – both auditor and service provider – are setting their clients up for failure and damaging the reputation of our industry.
PCI compliance is the best way to give companies a solid baseline for security moving forward – but only if it’s done correctly. It’s no wonder that the distraction of the current solutions deludes companies into thinking they are secure as a result of their compliance efforts. Compliance should be achievable and manageable so companies aren’t distracted from taking true, measurable steps towards better levels of security.
And, that’s how PCI Complete was born. Out of the frustration and confusion that we were hearing from customers; out of the pain of melding a variety of solutions, processes, and personnel to solve a problem that has vexed the vast majority of merchants and transaction processors; and, out of the gap in the market – where no single, consistent PCI solution existed.
We’ve spent the last few weeks talking to press and analysts describing PCI Complete and have been excited about the response. But we want to hear from you – what do you think? How can we make PCI compliance easier for merchants and processors? How can we make compliance equal better security?
This stuff is difficult and serious, but it shouldn’t be a daily distraction from focusing on your business. So, to lighten the mood a bit, we’ve put together a little live action video from some of our employees highlighting their feelings on PCI Complete.
Update: More info from Network Computing