"The problem with PCI from a customer perspective is that it is challenging and expensive for a lot of companies to get up to speed, and in some cases, it's still unclear what they need to do. They're also unsure of what's coming in terms of penalties for a lack of compliance," she said. "There's definitely a lot of uncertainty out there right now, even though the initial deadlines have already passed."
Lovejoy said that smaller and mid-tier enterprises, particularly in the retail sector, are struggling to figure out where to begin making investments to comply with PCI and other security-oriented regulations. Companies in other countries that are being affected by the mandates have also fallen behind, she said.
IBM's new PCI compliance offerings
Among the new products and services introduced by IBM on Thursday are a set of tools meant to provide end-to-end PCI compliance capabilities.
The vendor believes it has all of the necessary skills in its portfolio, from assessment services that promise to help companies understand where their greatest weaknesses lie to design and deployment offerings that address the composition of related security policies and adoption of needed technologies, to help companies fall in line with the mandate.
From a product standpoint, IBM said it has also added specific PCI compliance capabilities to its IT Governance and Risk Management tools, including an upgrade to its Proventia Network Enterprise Scanner product that includes vulnerability checks tailored to address regulation requirements.
The IBM Tivoli Compliance Insight Manager, a compliance audit and reporting package, had also added a PCI Module with report templates customized to handle the different aspects of the guideline.
Beyond the PCI-specific tools, IBM is also touting risk management capabilities engrained into its Proventia Content Analyzer package, including new data inspection capabilities built into its Proventia Network Intrusion Prevention System (IPS) products.
In addition, the company said that its IBM ISS group is partnering with security vendors, including Application Security, Fidelis Security Systems, PGP, and Verdasys, to create new data protection services. Among those offerings are Data Security Services for Activity Compliance Monitoring and Reporting, Data Security Services for Endpoint Data Protection, and Data Security Services for Enterprise Content Protection.
The services promise to address many of the areas the ISS partners target with their individual products, including applications vulnerability testing, data encryption, and information leakage prevention.
Along with expanded mainframe compliance capabilities in its z/OS and Tivoli zSecure product lines, the company also detailed a range of other data security and regulatory tools, including User Compliance Management Software, QuickStart Services for Tivoli Compliance Insight Manager, and Online Application Security and Compliance Management.
"We've been seeing the security market itself lurch form headline to headline, and customers in particular need to stop thinking about their strategy in terms of the latest crisis," said Lovejoy. "We're trying to elevate risk management above other security conversation; starting with PCI fits that mold well, because it dovetails with this concept of starting with a risk management plan."