Over recent weeks, we’ve been getting a lot of inquiries of PCI-DSS as it looks to pick up in Malaysia. From banks to financial institutions, to insurances, to data centers, BPOs and even software developers, this little compliance standard seems to be touching every part of the every verticals, as Malaysia (and the world) looks towards a society focused on cashless transactions.
More and more, in my meetings with partners and customers, we are seeing the usage of PCI-DSS Logos, and PCI-DSS Compliant symbols in their websites, in their presentation slides and marketing collateral. Unless it comes with a statement to it, for instance you are directly referencing the PCI-SSC in its logo usage, our suggestion is this: Stop using those logos. The SSC has already sent out a circular way back in 2011 addressing the profusion of these “I am PCI-Compliant”, PCI-compliant website seal, PCI-Certified Level 1 Logo etc..and they are basically saying: Unless you are a QSA, you are not allowed to use any of these logos for your own purposes.
Instead, we suggest to either have a link to your certification copy directly from your QSA. Many QSAs provide that and they can attest your compliance easily. This could be a link to the AoC (rare but like AWS, is possible), or simply a seal provided by the QSA (not PCI-DSS Logo seal), if your QSA provides it. All attestation should be QSA specific and not led to believe that the PCI-SSC directly endorses the site or company as PCI-DSS Certified.
I suppose this is to deter companies from falsely advertising their status. As we know, PCI-DSS is based on scope and location. By putting a PCI-DSS logo, it might lead customers to believe that the particular business process (for instance Manage Services) is PCI certified, whereas the actual certification is only on Physical Data Center services (example). Furthermore we have seen unscrupulous software companies advertising their solutions as ‘PA-DSS’ certified along with the logo, but when sold to our customers, is actually the version that is NOT certified, and therefore, our customers paid for something that is non-existent.
Be careful! And stop using PCI-DSS logo indiscriminately!
Here is the full statement direct from the PCI Council: