thePCI Portal

Lets dissect a confused compliance Press Release !

I recently saw this press release and thought it illustrated the high level of confusion that exists about the security standards.   I am going to remove their company name to try save them a little embarrassment.  The bold comments are mine under excerpts from the press release.

<<COMPANYNAME>> Announces PCI-DSS v3.1 Rating – The Highest Credit Card Processing Certification

I dont know what a “PCI-DSS v3.1 Rating Certification” is, but since May 2015 this organization has received the 5th one ever!  Congratulations on your “PCI-DSS v3.1 Rating Certification”.  You should end this sentence with an exclamation point!

“PCI, which stands for Personal Credit Information”.

No it does not.  Not even close really.  Not one letter correct.  Not one.  You are starting to worry me.

“new level of regulations were issued in May, 2015, labeled as v3.1”.

Close, but its a new version of the standard, not regulations.  They are quite different.

“You can view <<COMPANYNAME>>’s certification on the PCI Validation Website by clicking here”

Then they have a link to the list of validated payment applications.  Oh!  I get it now.  They are not even talking about PCI DSS, they are talking about PA-DSS!  This might make some of their earlier claims trueish if they switch this!  I will give them the benefit of the doubt that they actually appear on the list they linked to and not check  🙂

“earning this PCI-DSS certification”.


“<<COMPANYNAME>> has always been in compliance with our credit card processing certification.”.

If this meant something, it would be more impressive than it sounds!  And it sounds impressive!

“However, we felt that earning this PCI-DSS certification was a necessary step”.

Stop it, my belly hurts.

“The challenge in the micromarket/vending arena has been that other competitors have tried to tell the public that <<COMPANYNAME>> and other leader competitors were not PCI certified when all along, <<us and others>>, have been. None of us would be able to operate in the thousands of locations if we were not.”

Uh, PCI certified is not a thing, so maybe it is true!  And, yes, surprisingly, you can operate if you were not.  Lots of organizations are very confused about PCI DSS, PA DSS, etc. 

“PCI is like a universal stamp of approval – plain and simple”

Are you referring to Personal Credit Information again here?  Or compliance with the Payment Card Industry Data Security Standard?  Or maybe the Payment Application Data Security Standard?

You did write a PA-DSS Implementation Guide, right?  I would love to review that! 

I hate to send them any traffic, but the original press release quoted below is here if you want to see it yourself.  :

Ad below this line:

Leave a Reply