In this case, the devil is in the details (as well as in an executive office at Ingrian). The Ingrian statement implies, suggests and does everything possible to suggest that it will deliver compliance "within 60 days or less." Never mind that it's reckless to make such a comment without knowing the particulars of the retailer's system and the problems that have to be remedied.
Retail security managers are nervous and some may fall for this pitch and not ask, "Does this claim make sense? Does it pass the laugh test?"
We're not alone in wondering about this program, as SecurityIncite had some wonderfully cynical thoughts as well.
Reaching out to Ingrian didn't do much good. First, they engaged in the PR torture tactic of issuing a release during a time when company officials couldn't discuss the release.
Secondly, the release (near the bottom) raises the possibility that they really can't do this for every company, by saying, "To see if your organization qualifies for this program, please contact" and they then provided an internal sales E-mail address. The address should have been [email protected], but it wasn't. I called the sales people who would receive such messages the day after the statement and the person I spoke with had no idea about what the qualifications were, but promised to get back to me. Of course, he never did.
Someone else working for the company?whose identity we'll suppress--called and said that the 60 days wasn't a promise. It was merely an observation of how long these things typically take. Funny, the release doesn't say that. If true, why call it a 60-Day Program For Compliance? Pricing was also conveniently not mentioned. The person was trying to get someone at headquarters to discuss this, but they never called back.
As PCI deadlines are nearing, these kinds of games are going to become quite popular. For all I know, the Ingrian program is quite effective and useful, but trying to pitch it as a panacea, promising a sure thing where such a deliverable is not possible, really undermines the message. Whether it undermines retail security is still an open question.