Cisco and security vendors would like you to think so, but some CIOs aren't so sure.
It's no surprise that vendors have swarmed around the PCI Data Security Standard. It already has generated a mini-industry of Qualified Security Assessors and certified scanning companies. While it's true that many retailers need to invest in new hardware and software, the fact is, compliance is a process, not a product. But hardware and software vendors are still packaging pieces of their portfolios as "PCI enablers."
For instance, Cisco Systems has developed a 380-page design guide to help customers build a PCI architecture--featuring, of course, lots of Cisco gear, including routers, switches, firewalls, and wireless devices. But Cisco is careful to say its architecture is PCI-validated, not compliant. "No product can guarantee compliance," says Ed Jimenez, director of market management for Cisco retail. He notes that retail is a fast-growing segment of Cisco's business but says the company doesn't break out revenue generated by PCI.
Smaller vendors are also getting in on the act. LogLogic, Arsenal Data Security, and SecureWorks recently launched a "PCI Starter Package." It includes LogLogic's LX1010 log management appliance and a PCI gap analysis conducted by Arsenal. SecureWorks will manage the appliance for free for two months.
Many retailers can spot the opportunism a mile away. The CIO of a Level 2 outdoor equipment company says he and his IT staff get calls every day from vendors pitching PCI compliance. "There's a swarm of people that are misleading the industry by saying that they can do this. It's not about hardware or software."
Alan Stukalsky, CIO of Church's Chicken, has had similar experiences. "Vendors are coming in: 'Here's a $50,000 device that will help you get certified,'" he says. "We said, 'No thanks.'"
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?