Monday, January 25, 2010

POS Ending Event - Redux

Over the weekend I received several emails on my prior blog entry, POS Ending Event - July 1, 2010!!! Based on the response, this posting appears to be my most popular thus far. Most were favorable and many had guesses: "was it this vendor or that vendor because I have received similar letters." An interesting point is that of all the guesses, none guessed the vendor that I used in my example. This confirms my belief that marketing campaigns like this one are as widespread as I thought.

The vendor I used as the example also contacted me and, in hindsight, I may have been a little harsh in my use of the word "unscrupulous." Instead, what I should have said was that letters like this could be the result of either unscrupulous, ill-advised, or simply naive marketing departments with a cursory knowledge of PCI. Heck, I've had to do some postmortem clean-up after some naive statements from a prior marketing department of my company, and I would not have classified their intent as unscrupulous. Anyway, the intent of Friday's post was not to point fingers at one particular vendor, as there are many in the same situation. The real intent was to make merchants aware of some of the misconceptions that plague PCI.

The reason for my ire last Friday dealt with this exact same topic. We (the company I work for) had spent several days debating with a QSA (again, who shall remain anonymous) about Microsoft's July 1, 2010 patch cutoff date. The QSA's corporate party line was that as of 7/1/2010, Windows 2000 will no longer be compliant under PCI. We obviously did not agree and didn't know if they realized the scope or magnitude of their interpretation: a majority of POS merchants would currently be out of compliance, because many POS applications run on non-current operating systems: old Unix, old Linux, old Windows. I would venture to guess that a large percentage of existing firewalls use old operating systems as well and would also be deemed out of compliance under this same interpretation. On 7/1/2010 another huge segment of merchants would be out of compliance overnight as Microsoft stops patching Windows 2000. Take all those pats on the back that the card brands and the PCI SSC have been giving themselves about industry-wide PCI acceptance and compliance percentages and throw them out the window. After several back-and-forth emails and walking up the chain of command, using the same references given in my post, we finally got our point across. At the end of this, I felt I had to write something about the experience, and this vendor's letter happened to be within my reach. I apologize if my posting came across as anti-XYZ vendor.

As I said at the end of my last post, do your research. The correct information is out there. With Friday's example, the information was not all that hard to find.
