There is a lot of buzz around Visa's PCI standard these days. Companies are scrambling to be compliant, auditors are seeing Y2K-style growth in consulting revenue, and technology vendors are claiming to solve all your problems. Many companies find themselves at a crossroads: do I take the shortcut, or the path to real, ongoing protection of customer data? For example, most PCI Level 2 merchants can do a self-assessment and declare themselves compliant. If they are later audited and problems are found, they get six months to fix those problems and become compliant again before they face any fines. But what if there is a data breach in the meantime?

Like anyone else, I am a consumer. I buy groceries at Safeway and Albertsons. I take my girls out to buy beads from small art stores and ice cream from Dairy Queen. Before walking into any of these shops I don't think about whether the store is a Level 1, Level 2 or Level 3 merchant. But maybe I should. We use credit cards in all those stores indiscriminately, and even if they are all PCI compliant, the risk of our credit card data being stolen may differ by orders of magnitude. This whole mess reminds me of when I came to the US as a student a couple of decades back; in those days the Stanford International Student Center advised us not to use our credit cards in very small shops in San Francisco, and to use cash instead.

So, if you are the CEO or CFO of a company with retail stores, what do you do? If you pass a PCI DSS compliance assessment, how safe and secure should you feel? Other companies in the industry, like Hannaford, were PCI compliant but still had problems. You have the stamp of compliance, but what does that mean for your business? There are no easy answers, but the one thing I can guarantee is that all retailers have "STUFF RUNNING ON THEIR POINT OF SALE SYSTEMS" which should not be there. How would I know?
Solidcore technology ships on a huge number of POS systems, and the software creates an inventory of all the software it finds on the POS and store back-office systems. The results are often shocking. It doesn't matter whether your IT folks tell you "we run anti-virus" or "we have a strict gold image"; the reality is very different. This is not entirely the IT folks' fault: stores are typically serviced by local people, and employees have physical access to these machines 24x7.

The Solidcore solution for POS and store back-office machines makes sure that only the right things run (runtime control) and that they can't be tampered with (change control). When we designed this solution in 2003 it was not with PCI in mind; it was to solve the problems customers were having keeping these machines operational, given that they are remotely dispersed and that anti-virus on them was practically useless because the signatures were almost never updated. Our PCI solution for data center servers has now emerged as the market leader, with the leading QSAs blessing it and recommending it to their customers. The combination of these two solutions is becoming a standard for store-based companies that are avoiding shortcuts and pursuing the path towards sustainable protection of customer data.

Rosen Sharma
President & CEO
rosen@solidcore.com
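The three ideas the post names for store machines (an inventory of what is on the box, change control against a gold image, and runtime control that only lets known-good binaries run) can be shown in their simplest form. The script below is an added illustration written for this page, not Solidcore's product code or a description of how it works internally; the directory layout, file names and file contents it builds under a temporary directory are constructed for the demonstration.

```python
"""Baseline-and-compare software inventory for a POS / back-office host.

Added illustration, not Solidcore's code. It implements, in the simplest
possible form, the three ideas the post names: an inventory of every file
under a root (hashed), change control (compare the live tree to a stored
baseline) and runtime control (refuse to launch anything whose hash is not
on the allowlist). Paths, file names and contents below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256.

    Every file is hashed, not just those with executable extensions: a
    renamed binary or a DLL dropped into an application directory would
    otherwise slip through the inventory.
    """
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the link target is inventoried where it lives
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(p)
    return result


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Change control: what is new, modified or missing versus the gold image."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline if k in current and baseline[k] != current[k]
        ),
    }


def execution_allowed(path: Path, allowlist: dict, root: Path) -> bool:
    """Runtime control: allow only files whose hash matches the baseline.

    An unknown path and a changed hash both return False, so a tampered
    binary sitting at an allowed path is still blocked.
    """
    rel = str(path.relative_to(root)).replace(os.sep, "/")
    return allowlist.get(rel) == sha256_file(path)


def demo() -> dict:
    """Build a constructed store host, take a baseline, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "register.exe").write_bytes(b"gold-image register build 4.2")
        (root / "pos" / "printer.dll").write_bytes(b"gold-image printer driver")
        baseline = inventory(root)
        allowed_before = execution_allowed(root / "pos" / "register.exe", baseline, root)

        # Simulated drift: a technician drops a tool, the register binary is
        # replaced, and a driver goes missing.
        (root / "pos" / "remote_support.exe").write_bytes(b"not on the gold image")
        (root / "pos" / "register.exe").write_bytes(b"register build 4.2 + extra code")
        (root / "pos" / "printer.dll").unlink()

        changes = diff_inventory(baseline, inventory(root))
        allowed_after = execution_allowed(root / "pos" / "register.exe", baseline, root)
        return {
            "changes": changes,
            "register_allowed_before": allowed_before,
            "register_allowed_after": allowed_after,
        }


if __name__ == "__main__":
    print(demo())
```

The point of keying the allowlist on content hashes rather than on paths is the one the post makes about physical access: a technician with a USB stick can overwrite `register.exe` in place, and a path-based allowlist would still let it run. In production the baseline would be signed and stored off the machine, and the enforcement hook would sit in the OS (a kernel driver or an execution policy), not in a Python script.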