Opinion

FUD Watch | Vendor Hype Escalates Over PCI Deadline

Monday is the day merchants must be in compliance with PCI DSS Requirement 6.6. That means the security vendor PR machine is in overdrive

By Bill Brenner, Senior Editor

June 27, 2008

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.

Merchants have to comply with Requirement 6.6 of the Payment Card Industry's Data Security Standard (PCI DSS) by June 30, and those who haven't done what's necessary probably won't meet the deadline no matter what they do between now and Monday.

But that won't stop security vendors from using the deadline as an excuse to drum up a little publicity, laboring under the hope that some businesses will line up at the last minute to buy their product. In the past week, I've taken my share of PR calls asking if we wanted to speak to their client about the deadline.

This is especially the case with those selling application security products, since 6.6 is all about protecting the Web applications. Among the mandates: Merchants must have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security and install an application-layer firewall in front of Web-facing applications.

As the deadline edges closer, debate continues over whether PCI DSS is a genuine road map to better security or just another misguided mandate that will do little to stem the tide of data breaches and identity fraud. A side debate over whether the costs of being in compliance or in violation are appropriate is also smoldering.

As I've said before, I don't blame vendors for trying to seize every opportunity to make a sale.

But security pros need to be able to cut through the hype and assess the best application security fit for their organizations without being blinded one way or another by the mania over the latest deadline.

In the final analysis, much of what's required under PCI DSS is common sense in an age where more and more businesses rely on e-commerce and tend to rush online shopping portals into circulation with security holes easily identified and exploited by the bad guys.

Though skeptics are right to point out that data breaches and identity fraud continue to rage despite the standard (Hannaford's supermarkets suffered a major breach despite all the investments it made in PCI compliance), it's foolish to argue that we'd be better off without it.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Using Likewise to Comply with PCI Data Security Standard

Enabling Compliance with Converged Mainframe Security and Storage

Maximizing Site Visitor Trust Using Extended Validation SSL

Get in Compliance With Government Data Regulations

7 Requirements of Data Loss Prevention

Information Security: Data Drains and How to Prevent Loss

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

Managing SSL Security in Multi-Server Environments

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

E-LOAN Maintains Reputation as a Privacy Leader with Symantec

Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands

Prudential Financial Protects its Brand with Symantec

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Simplify your data center with Juniper Networks. View the webcast

The Case for Business Software Assurance ~ Securing Your Applications

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

5 Steps to Secure Outsourced Application Development