PCI-DSS and PA-DSS: Industry Recognition
There was an very interesting article posted yesterday on StorefrontBacktalk entitled How To Get Small Retailers To Take Security Seriously When They Can’t Afford It. The premise of the article is that there should be a PCI compliance tool that can be run on a smaller merchants machine in order to address compliance.
While I don’t, necessarily, agree with all the recommendations (or think that it is the only solution) there is a paragraph that is extraordinarily important to consider.
Beyond these problems, Remote Compliance Monitoring tools have to perform tasks such as identity and access management (IAM), configuration lockdown, change management and maybe encryption. So, what does the footprint of such a "cool tool" look like? Is this a plug’n’play box (does anyone still call these "appliances"?), or is it 100 percent software? Personally, I’m expecting software is the only way to win this market. The next question is "When will all this happen?"
The main driver for this market shift will be the PA DSS enforcement date: July 1, 2010.
The trend is clear.
PA-DSS enforcement is forcing an industry wide evaluation of security and compliance and methods to address these issues. It is not a question of “when” it will happen…it is happening now. In addition, software becomes the BEST method of ensuring compliance issues are addressed.
But, and this is where I disagree with the author, the first thing that (as Software Companies) must be done is ensuring payment software is developed in a fashion to meet, and exceed, the requirements of PA-DSS. And, when this is complete, to have the application certified as compliant. The “how” is something I will address in the upcoming weeks.
The merchant must start the engagement process of ensuring their software is compliant today. This shift in the market is tectonic and cannot be taken lightly.
Software will win. And secure developed, certified software is no longer a feature…it is a necessity.
What’s your perspective? Agree? Disagree? Anything to add? Critiques?
The comment form is below. . .
September 11, 2008