A Grade-A, Top Primo Example Of Misleading PCI Vendor Claims

People who work in the marketing departments of security vendors have it hard. They need to make routine situations—like having an app declared PCI compliant—sound impressive. It's like a politician with a big sign outside his office proclaiming: "Haven't been indicted yet this year."

This forces the vendor to get creative (a nice word for "misleading") to trumpet that which is quite ordinary. We see this so often that it's hardly worth mentioning. But every once in a while we see someone push the BS envelope so far that it pretty much requires a mention. A vendor named Transaction Wireless provided us such a reach on Tuesday (Aug. 23).

PCI compliance doesn't come in grades and is a very clean pass-fail situation. That's why the vendor's headline caught our eyes: "Transaction Wireless First Cloud-Based Digital Giftcard Platform to Earn Highest PCI Level 1 Certification."

That is a truly delightful piece of sleight of hand. Other than saying "certification" rather than "compliance"—see PCI Columnist Walt Conway's classic primer on how to use PCI terms like a QSA native—Transaction Wireless' headline is literally correct. But it suggests that the vendor has something above and beyond, which is not the case. Level 1, of course, refers to the number of card transactions an organization handles each year; the card brands set the volume thresholds, and Level 1 is simply the top tier, the one that requires an annual on-site assessment by a QSA rather than a self-assessment questionnaire. That Level 1 category was dictated by the vendor's transaction volume long before it even started its compliance assessment, so it doesn't get to take any bows.

Level 1 is indeed the most stringent, but that stringency applies to every organization in that volume tier, not just this one. It's like a high school senior touting his pass/fail performance to a college admissions officer: "My score of 'Pass' was for a class in Grade 12, which is the highest and most difficult level of testing available in any high school in the country." The difference? College admissions officers are experts on how high school grades work, while Transaction Wireless seems to be focusing on retailers who don't understand PCI well enough to spot the difference.

The statement quoted CEO Doug Schneider as saying: "While strong security processes have always formed a major cornerstone of our offering, we felt it was important to earn the highest official third-party certification." From a PCI perspective, there is no meaningful "highest official third-party certification." Put another way, the vendor had no choice. Its transaction volume wouldn't have permitted Transaction Wireless to seek anything other than a Level 1 assessment. From a PCI nitpick perspective, QSAs do not certify; they assess, and the output is a Report on Compliance, not a certificate.

From an editing nitpick perspective, the sentence is structured as though the second part conflicts with the first (as in "While profits are very important to our business, this charitable effort merited an exception"), but the two parts of the sentence actually agree. For even more of an editing nitpick, Transaction Wireless didn't mean "while." It meant "although."

On the plus side, there's no reason to doubt that this vendor is now PCI compliant. Had it simply said that—without suggesting its compliance was somehow different from its rivals'—there would be no issue. But, little by little, statements such as this make it more difficult for retailers to make legitimate comparisons between vendors on security matters. These days, that's essential to do. Legal Note: This column has been assessed as the Level-1 Grade-A of all stories we're running this week featuring PCI definitions and cranky editing gripes. (Hey, if you can't beat 'em...)