Oct 20 2011

“PCI Compliance in a box” Really? #RAGE

Published by at 12:14 pm under PCI

I knew it had to happen eventually, but that doesn’t lessen my desire to strangle the marketing person responsible for what was probably just a reprinted press release!  Or maybe the reporter who came up with the title of the article should be the one throttled.  In either case, I can’t let an article that states “PCI-DSS Compliance in a Box” go by without raging against the very stupidity of the statement at least a little.  It is SC Magazine, but I still hope for better.

If you have even a passing familiarity with PCI, you know exactly why this story about RandomStorm (I have another name for them, but I can’t put it in writing) making a box that meets all your PCI compliance needs is utter nonsense!  It sounds like a UTM providing a bunch of related services, like IDS, log management and vulnerability scanning with a reporting tool on top of it, but these are only a small part of the PCI requirements.  To state otherwise or try to sell a product as covering everything that PCI requires is disingenuous and dishonest at the least, and criminally misleading at the worst end of the spectrum.  How someone could be reporting on the compliance market and not know that is beyond me, but then again no one at SC Magazine was willing to put their name on the post, so maybe they did know how much BS this press release was.

“MicroStorm is delivered on a single small form factor appliance that is
designed to help merchants monitor and prove their compliance on an
ongoing basis, with the reassurance that if anything breaches their
network, they will be immediately alerted.”

Given names like RandomStorm and MicroStorm, I’m hoping this is some sort of trolling attempt and just a joke.  I can’t imagine anyone who knows how to spell PCI actually making a statement like this with a straight face.  I can however imagine many marketing and sales guys trying to sell SMB merchants a small black box with blinky lights that they sit on a shelf somewhere that will protect them from PCI bug bears!  After all, isn’t that what all too many vendors are saying about their products and “Standard Techniques Failed Uss”.

One box cannot meet all of the PCI compliance requirements, even ignoring the fact that a large number of PCI requirements are based on policies and cannot be satisfied by any technology.  And if you ever find one box that claims to meet all of the technological requirements, back away slowly and get far away from it.  I can almost guarantee that even if it meets the requirements in theory, when you actually have to sit down with a QSA or forensics investigator to explain how it works, half the technologies it’s supposed to incorporate will be so minimal as to be worthless.  Less than worthless, since they give a false sense of security.  I also predict it will be a forensics investigator you have to talk to, not the QSA.

Simply put, this is more snake oil.  Enough said.

Update (10/24/2011):  You can see a comment from the CTO of RandomStorm in the comments along with my reply.  Additionally, I received the following tweets from @phinessence on twitter taking the blame for the naming.  Glad to see they’re on top of the situation, but it was a bad move, despite the use of quotes, inverted or otherwise.

Blame me for that headline. It was in inverted commas for the very reasons you state. Thanks for highlighting the dangers though.
My bad I’m afraid.  It was to provide context, hence the inverted commas, but your comments have been taken on board.


4 Responses to ““PCI Compliance in a box” Really? #RAGE”

  1. Melissa Wood on 21 Oct 2011 at 6:07 am

    This is great! You have expressed my frustrations with marketing and sales perfectly. I can’t count the number of times I’ve ranted and carried on that you can’t sell 1 solution to take someone “out of scope” permanently – very similar to this “PCI Compliance in a Box.” It just can’t happen. Thank you, thank you, thank you. Now if the doofuses would only read and BELIEVE it can’t be done, we’d all be in a better place.

  2. Andrew Mason on 21 Oct 2011 at 6:23 am

    Hi Martin,

    Apologies if the marketing message has come across in a bad light. I fully understand that no single box solution can answer all of the PCI questions or requirements.

    What we are trying to do is to launch an appliance that is aimed for the retail or RO/BO market where they have multiple smaller stores/offices that require a level of protection in a single appliance to comply with the relevant sections of PCI rather than rely upon multiple devices and the associated issues of managing these at scale.

    Please believe me when I tell you that we are 100% a security focussed company and again, I am sorry that you have understood our marketing in this way and you can be assured that I will try to ensure this does not happen again.

    Feel free to contact me at any time if you have any further questions.

    Andrew Mason
    CTO, RandomStorm.

  3. Martin on 21 Oct 2011 at 6:59 am

    I believe you are a security focused company; I’ve had a couple people who’ve come forward to say ‘we use RandomStorm, they’re a decent company’. But what came out in that article/press release is the worst sort of marketing drivel possible!

    I understand that your box meets with a number of different PCI requirements, but suggesting one box can do it all is simply irresponsible and lazy marketing. Especially when dealing with the SMB market and merchants who may not understand even the basics of PCI compliance. This type of marketing could quite possibly leave a merchant believing plugging in your box will absolve them of any other PCI compliance needs.

    If you want to rectify it, remove the “PCI Compliance in a box” crud from your marketing and press releases. If that didn’t come from your marketing, then make sure that you market it as ‘meeting a large number of technical PCI requirements’ rather than making it appear that putting in this one box will solve everything. Take responsibility in educating your customers and the press, otherwise this sort of marketing has the potential for turning around and biting you hard when one of your customers is compromised and blames you for selling them a box that supposedly met all their compliance needs in one box.

  4. Andrew Mason on 25 Oct 2011 at 1:55 am

    Again, apologies for the messages that this has sent out. I share your annoyance with this marketing method and can guarantee you that I have put a process in place to ensure I get to see and agree to every press release from now on.

    I am currently away on vacation with hardly any connectivity but as soon as I get back to the office next week I will be giving this a full post-mortem to ascertain what went wrong and ensuring it never happens again. We will try to get the titles changed on the press the story has had.

    So, I guess this just leaves me to thank you for bringing this to my attention and deservedly creating this post to outline where we went wrong.

    Andrew Mason, CTO, RandomStorm.