A vendor today sent me their “PCI certificate.” It turned out to be just a site scan of their external mail server. Here is a Google result showing what their site certificate looks like (this is just a random Google search result, not my vendor’s): (image: site certificate)
That’s pretty damn misleading. But then again, so is the entire SecurityMetrics.com website. Check out their steps to PCI compliance. Yes, that says 25 minutes to PCI compliance.
If you have desktops that fall under PCI scope, you can buy and run a scan from their website. Oh shit, someone should tell Steve Gibson to rebrand his ShieldsUp! service.
To give them the benefit of the doubt, there are some hints that this company actually knows how to do PCI compliance. But the vast majority of their site leads customers down the path of thinking that PCI is cheap and easy, takes very little time, and only requires making up answers on a self-assessment questionnaire and running an external vulnerability scan.
This is really the kind of low-bid crap that causes real security to be elusive.