Logo for PCI Compliance?

Update: In the Oct 2011 issue of the assessor updates, the PCI SSC has addressed the use of logos. “PCI DSS Compliant”, “PCI DSS Ready”, and other variations that combine a portion of the SSC’s official logos with an organization’s own marketing text and/or graphics are not permitted, whether in printed marketing collateral, on business cards, or on web sites.

The PCI SSC is a standards-setting body, and makes no determination as to any individual organizational compliance status. The use of such unauthorized logos not only creates confusion in the marketplace by mistakenly implying recognition of a compliance status, or the endorsement of, an organization by the Council, but also the use of these logo variations constitutes an infringement of the Council’s trademark and copyright rights, and the PCI SSC is obligated to enforce its intellectual property rights in order to further the organization’s mission and objective.
With this in mind, should you receive inquiries on this topic, please ensure your clients understand the role the Council plays in the compliance process; that we do not determine compliance, and that their use of these logos is not permitted.

Original post continues…

I just read an article in SC Magazine that says that some vendors are calling for a logo that can be displayed by PCI compliant companies. The idea is that being compliant can be used as a marketing tool and that a lot of companies are not able to communicate the impact of being compliant properly. If they had a logo on their website, people would know right away.

I do not think it is a great idea. A logo may be good for marketing in the short term, but it will decrease the value of PCI over time. We will see more and more companies showing the PCI logo, but we will also hear about more breaches at these companies. There are a couple of reasons for this.

First, if you read my post on why compliance does not guarantee security, you will realize that there can be PCI compliant sites with huge security vulnerabilities. Hackers will start to target these sites just to make a point. This will result in lots of publicity for these breaches which will lead to the second reason.

People will get confused by the contradiction of a supposedly secure site being breached, and PCI will start to lose value. Most people still do not realize the purpose of PCI-DSS. The PCI-DSS requirements are supposed to ensure a minimum level of security for companies that handle cardholder data (CHD). If that is the case, the certification itself does not mean much. My favorite analogy is this: when you purchase a home, would you consider it a huge selling point if the seller tells you that the home meets the minimum building code? I hope not. It is the same here.

Another reason is that PCI only talks about CHD. Your environment can be vulnerable, but as long as the parts that handle CHD are considered secure, the company will be considered PCI compliant. All the other parts of the environment will be considered out of scope for the PCI assessment and will not even be part of the assessment.

Here is a quote from one of the proponents of the logo plan:

while PCI compliance alone does not guarantee all of the necessary computer security precautions have been implemented by a particular merchant, it does demonstrate that they are investing time, money and resources to protect their customers

Everyone with common sense knows that spending money does not guarantee security. For all we know, the merchant might be building a bridge to nowhere. But people will expect the company to be secure because they have the PCI compliant logo on the website.

I hope the PCI SSC will ignore this nonsense about logos that have been thought up by marketing people, purely as a selling tool. They will only end up defending PCI-DSS against ridiculous charges that PCI is meaningless.

Link to original article:
Calls for PCI DSS compliance logo