Auditor warns: Beware of security vendors selling PCI compliance

Customers beware when buying an approved Payment Card Industry Data Security Standard (PCIDSS) solution. It may be approved but implementing the solution doesn't mean customers are immediately compliant, according to a PCIDSS accredited auditor.

Drazen Drazic, managing director of auditing firm Security-Assessment.com, said customers shouldn't assume they are compliant simply because they have purchased an approved PCIDSS solution.

The standard was introduced in 2004 to ensure retailers are responsible for cardholder data or risk facing fines of more than $500,000.

Drazic's comments follow the launch of a number of merchant retail solutions that address PCI compliance.

It is the selling point for a new retail solution jointly released by security heavyweights Cybertrust and Cisco Systems last week.

According to a press release, Cisco will provide audited network architectures tailored to individual stores under the mandate and Cybertrust will validate the gear as PCI compliant.

Cybertrust is an approved assessor for the PCI DSS for American Express, MasterCard and Visa. Cisco provides approval under the Cisco Secure Store Program, which offers both the PCI Solution for Retail and a Digital Video Surveillance solution.

According to Cisco, the Digital Video Surveillance solution includes "human and automated video surveillance, and reduces retail shrink through improved loss prevention capabilities".

However, Cisco did not confirm whether the surveillance solution is part of the accreditation for PCI compliance, or an additional feature.

Cisco did not respond to repeated attempts by Computerworld to clarify how its solution complies with PCIDSS.

Drazic said using a solution from an approved assessor doesn't automatically make a company compliant.

He said some vendors are using PCI compliance to try and sell product.

"Like products from any other reputable vendor, it's how you implement, manage and maintain those systems that is the key; simply implementing this product doesn't make you compliant," Drazic said.

"Do you need to throw away what you have now? No way if it is working. Do you need to consider these offerings? Possibly, but it shouldn't be different to any other purchase.

"This is an interesting approach by Cisco and CyberTrust to make inroads into what is becoming a potentially lucrative market, and the PCI name is becoming a selling point. Is there anything really new about this solution aside from the PCI name? I doubt it."

Despite repeated attempts to get Cisco and CyberTrust to respond to these claims and clarify their partnership, both companies did not respond.