Secure Payments, PCI DSS, Regulatory Compliance Blog

Emergence of the WESME

July 31st, 2006 by datasecurity Posted in Uncategorized

Recently, friends who know I am very involved in PCI DSS have pointed me to several WebEx sessions touting “experts” in PCI compliance and recommended that I attend to learn a few things. I have listened to these sessions, and they are one of two things:

  1. A company pushing a product. I have seen so many product companies partnering with just about anyone who is willing to say the letters P-C-I or “compliance” and hosting community conversations on the topic.
  2. Self-proclaimed experts. These are people nobody knows, working for companies that some people might have heard of, touted as “industry experts” based on the fact that they got a 30-60 minute PCI digest from a friend. They know compliance, so they must know PCI, right? They most likely have never done an audit, but they are self-proclaimed experts.

With no offense to the product companies, I call these people WESMEs (WebEx Subject Matter Experts). It is easy to sound like an expert when talking about something for 60 minutes (really it’s more like 10 minutes of introductions, 30 minutes of PowerPoint slides, and then 10 minutes of moderated Q&A). If I wanted to, I could talk about SOX compliance for that long and sound very knowledgeable about the topic, because the deck is stacked in my favor.

Put any of these people in front of clients or facing large compliance projects with clients asking for complex details and they fall apart, or worse, recommend the wrong thing out of fear of not sounding like they know what they are talking about. I have talked with clients that had been told they need to implement encryption to protect their cardholder data, when in reality they were simply never told they could hash or truncate the data. Other clients were never told about compensating controls or how to use them. Still others were held hostage by their assessor, who would not give them a passing rating even though they were secure; many times the assessor would rather cover themselves against liability than recommend a good solution to their clients.
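The point about hashing or truncating cardholder data deserves a concrete illustration. The block below is an added example, not code from the original post: it shows the two non-encryption options the post mentions for rendering a stored PAN unreadable, truncation (keeping no more than the first six and last four digits for display) and a keyed one-way hash (HMAC) for lookups, with a Luhn check up front so obviously malformed input is rejected before it is stored. The sample PANs are constructed test numbers, the key is a placeholder, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample PANs (well-known test numbers, not real cards).
# The last one has its check digit altered so it fails the Luhn check.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "4111111111111112"]

# Placeholder hashing key; a real deployment keeps this in an HSM or key
# management service, never alongside the hashed values.
PLACEHOLDER_KEY = b"replace-with-managed-secret"


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the middle.

    Truncation is irreversible: the masked digits are simply not stored,
    which is why it needs no key management at all.
    """
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN.

    The key is essential: the space of valid PANs is small enough that an
    unkeyed digest can be matched back to its PAN by enumeration, so the
    secret key, not the hash function, is what makes the stored value
    unusable to anyone who obtains the table.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_cardholder_record(pan: str, key: bytes) -> dict:
    """Build the record a system would persist instead of the raw PAN:
    a masked value for display plus a keyed hash usable for matching
    a returning card without ever storing the PAN itself."""
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"display": truncate_pan(pan), "lookup": hash_pan(pan, key)}


def protect_all(pans, key: bytes) -> list:
    """Process a batch, recording rejected inputs instead of raising."""
    results = []
    for pan in pans:
        try:
            results.append(store_cardholder_record(pan, key))
        except ValueError as exc:
            results.append({"rejected": str(exc)})
    return results


if __name__ == "__main__":
    for record in protect_all(SAMPLE_PANS, PLACEHOLDER_KEY):
        print(record)
```

The lookup value lets a merchant recognise a returning card (same PAN, same key, same digest) without holding the PAN, while the display value is all a call-centre screen or receipt ever needs; neither can be turned back into the card number by someone who reads the database.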

I simply find it disheartening that there are people out there proclaiming themselves experts in the field when in reality they have not been through the trenches and don’t fully understand the gestalt of the standard.

5 Responses to “Emergence of the WESME”

  1. By Jeff on Aug 2, 2006

    Has the updated list of rules been published yet?

    Thanks…

  2. By datasecurity on Aug 3, 2006

    Nope, but keep checking the Visa web site for updates.

  3. By Kim on Aug 8, 2006

    Is there any full list of vendors who are compliant? I’ve gone to Visa’s website and they only show the ones that meet their standard. I know of several vendors that say they are compliant but I can’t find any documentation.

  4. By datasecurity on Aug 8, 2006

    The list on the Visa web site shows only a list of compliant Service Providers. First, Merchants submit their compliance to their Acquirer only, not Visa.
    Second, Service Providers must submit a report on compliance (ROC) to Visa. This means that the entity could be a compliant merchant and not be listed on the web site, but all service providers that have validated compliance (based on their Level) should be listed on the Visa service provider list.

  5. By Braxton on Jan 21, 2009

    APlitq7TISfNH

Sorry, comments for this entry are closed at this time.