May 6, 2008

PCI Self-Assessment Questionnaires Embrace Use-Case Philosophy!

I have been meaning to comment on this for a while, but better late than never. Earlier this year, the PCI SSC released an updated, well-thought-out collection of self-assessment questionnaires to replace the previous single questionnaire. This is a very welcome enhancement for a number of reasons, not least because it shows clear support for a use-case-based approach, something NSS Labs has been working towards in its own testing.

In fact, we've written a white paper outlining how use cases can help IT Security and Compliance professionals evaluate products for appropriate usage in their environments. In short, know your environment, and specifically what you're trying to protect; this will help you define more granular (and thus more useful) protection requirements for your control selections (i.e., security products).

There is no silver bullet or magic product, and in fact, as products increasingly differentiate themselves, defining the requirements early in the process becomes increasingly important. For buyers, this means being better prepared and more discerning in the evaluation process. For vendors, this should be a welcome opportunity to claim some higher ground (in terms of positioning and differentiation) in some very 'mushy', crowded markets where customers turn quickly to price as a differentiator when they can't tell the difference in benefits.