PCI/DSS Compliance Track

Just following up on Liam’s posting regarding this presentation.

I concur with his comments regarding confusion, fear and doubt. Unfortunately, in general the PCI standard is very open to interpretation, and anyone with a history in security will understand that the standard is essentially a good roadmap to ensure you have a decent security posture. From that perspective, it's a 'good thing'.

Structured a lot like the SOX and HIPAA standards, you'll notice similarities. Controls, documented processes, actionable plans in cases of breaches, etc. Folks, this is sophisticated stuff. As was brought up a few times, PCI/DSS isn't for everyone, and definitely the smaller, non-niche-focused providers will probably want to steer WELL CLEAR of anything PCI related. Perhaps as a backup point, someone brought up that if you are not PCI compliant, or offering those services, ENSURE that your documentation and policies CLEARLY state that.

As was stated, you can't be 'sort of' PCI compliant. If you've been through a SOX audit, or been on the receiving end of an audit request for information, you'll understand that this is going to be a big impact for everyone.

As well, you yourself will have to be compliant in order for you to have a merchant account. Expect to see a large split in the hosting marketplace: those that offer PCI-compliant hosting, and those that don't. It is VERY different. Perhaps more diverse than what we are used to in hosting, such as video hosting vs. shared hosting. The parameters, paperwork and legal ramifications are large. And perhaps this is good. This may perhaps be YAN (Yet Another Niche) in hosting that will develop over the next few years to be another service offering that you partner up with for your customers.

Unfortunately, we ran out of time, because I had wanted to stir the pot a bit with the great folks on the stage in relation to the latest NSI breach (who immediately ducked under the 'I am PCI compliant' banner right after the breach).

As Liam said, we'll see a lot more churn, misinformation, and confusion in this area. I think the early thought leaders and those willing to invest heavily will be well rewarded.

Jason Remillard

About

Jason Remillard has been involved with Enterprise IT for over 15 years now, with extensive exposure to corporate security and compliance issues. He has a proven track record leading geographically diverse development teams in North and South America, Europe, China and India. A strong communicator who has delivered CxO-level presentations globally and fostered advanced relationships with Microsoft, Cisco, Novell, and other high-profile vendors, Jason is currently with Quest Software Inc. as a Product Manager for some of its leading Enterprise security and automation toolsets.
