We have occasionally taken some heat (from a select few “passionate pundits”) for our messaging around making PCI compliance easy and affordable for our customers and I wanted to take a moment to explain our position.
Alert Logic’s core mission is to provide technologies that help our customers address their security and compliance challenges. In order to best accomplish that mission we’ve intentionally targeted some of the most painful requirements within PCI and have tried to bring them within the reach of our typically mid-sized and IT-constrained customers. PCI compliance isn’t just a nice-to-have for these organizations, it’s a necessity for doing business.
For many of our customers, implementing and properly managing technologies and processes like log management, vulnerability scanning, and intrusion analysis & response is more than difficult, it’s a financial impossibility – and yet it’s required by regulations like PCI. This is where Alert Logic has played an important role for over 1,000 businesses. Our products and services have focused on those technologies and processes that are difficult to implement and that, when well integrated into an overall information security program, help our customers achieve significantly stronger security.
And we do it in a way that is easy and affordable. Not easy and affordable relative to many things in everyday life, but easier and more affordable than any reasonable alternative technology.
But to be perfectly clear, PCI-DSS contains 12 requirements, and our products and services help to address portions of 4 of the 12.
Achieving full PCI compliance is not a trivial process. That said, our customers consistently tell us that when it comes to meeting and adhering to PCI standards, we bring many of the requirements within reach that were previously unattainable.

3 comments
Chris, glad to see more successful products available for customers. PCI compliance is very important.
I think for many of those customers, it still goes beyond being able to afford compliance. Many aren’t even aware they are expected to be compliant. Recently, Amazon announced that their S3 services would not provide Level 1 compliance. This isn’t a huge deal for most SMB customers, however what happens to the mom/pop that starts selling widgets for fun, sees the Digg effect and is suddenly a Level 1 vendor overnight? Many have no clue what is expected of them for compliance. I think the solution is that all PCI-service companies should be held to a code of ethics that requires any company that advertises their service as meeting a PCI requirement to explain to their potential customers where the customer fits in within the PCI layers and what is fully expected of them.
Eric, thanks for your thoughtful comments and contributions to how companies should address PCI compliance. I especially appreciate your suggestion that companies like Alert Logic who offer PCI-related services help prospective buyers navigate the sometimes tricky PCI waters. Most of our marketing activities (and most of our selling conversations) include an element of PCI education. We help our buyers understand where they fit in the merchant stack, what they need to comply with, and how they will need to demonstrate the effectiveness of their compliance efforts. We continue to be surprised at the lack of PCI understanding that still exists in the market, but we also see that lack of understanding as a business challenge that we can help our customers overcome. Thanks again for your comments.