THE PCI GRAVY TRAIN
Mention PCI compliance to security vendors and watch them salivate. In an attempt to stem the flood of stolen credit card numbers, the major credit card brands have developed a list of requirements, the PCI Data Security Standard (PCI DSS), to be met by any organization that accepts credit cards or processes credit card transactions. Entities that fail to meet those requirements can be fined through their merchant (acquiring) banks.
PCI's strongest impact is on retailers, which often lack on-site security and IT professionals to implement and manage the standards. Security vendors are stepping in to help customers map existing security processes to regulations and mandates, and see where they may need entirely new technologies.
PCI lays out a checklist of technologies, including antivirus software, firewalls and intrusion-detection systems, encryption, and vulnerability assessment. In contrast, regulations such as HIPAA are broadly written and thus more open to interpretation (and consulting) as to what constitutes "compliance."
Thanks to PCI's explicit instructions, product vendors smell gold. But they're careful in what they promise. For instance, Cisco notes that deploying its PCI compliance platform, built on Cisco products and aimed at the retail sector, doesn't automatically bring a company into compliance; it's just an important step. The caveat matters: PCI DSS is validated against how technologies are configured, operated and scoped, not against which products were purchased.