I've just been talking to the PCI project manager of one of the largest retailers in the UK. I won't go into any more details in case I give away too much, but the content of the discussion was very interesting.
First of all his assertion that he didn't care about PCI was no revelation - he just wanted a tick in the box. That he said it didn't bring any benefit to the corporation - "We just want to sell things" - was also no big shakes. He'd had resellers and QSAs crawling all over him like a rash, which is sad, but hardly surprising. I expect he's paid well enough to put up with that.
What surprised me was the advice he was getting from his QSA, that all of his branch offices needed IDP/IDS. I must have reacted in the same way as he had done when told that, because he smiled wryly at my furrowed brow and said: "That's bollocks, isn't it?"
Well, yes, I'm afraid it is. Please correct me if I'm wrong, but no-one needs to have intrusion prevention systems installed at every branch location. Especially not when they're putting encryption in place, practically unbreakable, centrally-managed encryption at that (yes, that would be Ingrian Networks, of course). Not when they have things like firewalls in place. At head office, where the processing is done on the cards and they are stored in databases, perhaps this is valid, but at branches where they are held safely encrypted until they are sent offsite, this is just a waste of money.
I don't think the US is this stringent yet, and the UK certainly isn't. I'm sure VISA and MC would jump up and down shouting hurrah and huzzah if everyone did this, but they would have to recover from the shock first. It just doesn't happen, especially when other retailers are shelving their PCI projects altogether because they can prove they've started them when the auditors come round, and that's all that's required to be compliant right now.
Come next audit of course the latter company will have to show that they are moving again, so effectively all they are doing is making their PCI project more urgent, probably squeezing it into 6 months at the end of next year, when the aforementioned will be compliant by June '08 and squeaky clean - just in time for a change in the rules no doubt.
I have heard no more about the requirement for FIPS being introduced into PCI DSS, but it seems so unnecessary that it is almost destined to happen. Any light that can be shed on this would be much appreciated. I've got another meeting to get to.