Could we have a disconnect on cause and effect? Bear with me a moment.
Maybe the vendor over-promising is a response to the "management" (your term) view of PCI as a checklist. That is, to the manager, as you point out, PCI is a reasonably well specified set of prescribed steps. The instructions go out "Make it happen; get us compliant; oh, and you can have until Tuesday." Vendors are called in and since the customer is always right (damn, how I hate that old saw...), they promise the world, even by Tuesday.
What you describe as a maturing of the PCI market I am seeing in the US, too. At RSA, there were a number of vendors who said "we do this bit of PCI." Only a few, to be fair, still claimed to do everything and cure male pattern baldness, too. The PCI Council is doing its part with clarifications and FAQs that should make the buying criteria clearer.
Will this cure vendor over-promising? I doubt anything will, but it can limit it. And as users get more experience with PCI the market will increase sensitivity to excessive vendor claims.
Hey, we can hope!
Walt Conway | 04.24.08 - 12:20 pm

I think we're basically agreeing here Walt. As I said, I did over-simplify due to an already overlong post. You also have a much more meaningful experience of the US market, so this helps to explain things further.
Thanks!
Rob Newby | 04.24.08 - 12:42 pm