The Green Sheet Online Edition
October 12, 2009 • Issue 09:10:01
Two companies, two new security departments
Providing comprehensive security for cardholder data from the point of swipe to transaction settlement is of utmost importance to the payments industry. To that end, information technology (IT) and security experts are working to implement promising solutions such as end-to-end data encryption; ISOs and merchant level salespeople are endeavoring to help merchants achieve compliance with the Payment Card Industry Data Security Standard.
Recently, POS terminal manufacturer VeriFone and managed security services provider (MSSP) Gladiator Technology each formed internal security departments to strengthen their compliance offerings through development and implementation of enhanced solutions, as well as to educate payment professionals and merchants on the latest security threats.
Shielded from threats
VeriFone's Global Security Solutions business unit will focus on sales, consulting and implementation of its VeriShield Protect and VeriShield Retain solutions in conjunction with the company's POS devices. It is also charged with developing and delivering end-to-end encryption.
"To effectively protect cardholder data against current and future threats, complete security solutions must span both merchant and processor systems," said VeriFone Chief Executive Officer Doug Bergeron.
"The global focus of this business unit will ensure that all our customers are able to take advantage of these solutions throughout their entire operations."
Jeff Wakefield, former Vice President of Marketing for VeriFone's Integrated Systems business, was named General Manager and Vice President of the new business unit. "The most important aspect of any security solution is the one that brings the most benefit to both merchants and customers," Wakefield said.
"So this group is going to focus on our security solutions and will be an overlay organization over our existing sales channels."
Wakefield believes educating not only clients but also sales and marketing is critical to success. "With any new technology, if somebody doesn't fully understand it or can't answer all the questions about it, it's probably not something a sales agent will try to sell first - and that lack of knowledge certainly won't entice a potential merchant," he said. "We're going to focus on expanding that knowledge base and changing that mindset."
The cutting edge
The Security Research Department at Gladiator, a division of Jack Henry & Associates Inc., was created to foster continued growth of IT services and contribute to the security-related education of its clients. The SRD uses Gladiator's malware network to analyze new attack methods, share that information with payment professionals and help facilitate effective response strategies to protect clients from today's security threats.
"We started the SRD because we wanted to stay on the cutting edge of new attack methods and new malware variants," said Matt Riley, Director of Software Engineering for Gladiator.
"We wanted to understand these new attack vectors being used to target organizations.
"With the SRD, we thought we could bring additional knowledge to the industry to better protect their nonpublic information and critical assets. The information security realm is changing so rapidly that it's hard to keep up with new threats and vulnerabilities."
A sweet diversion
The SRD's main objective is to discover new malware variants and attack methods, but it also uses Gladiator's malicious software network, which is a series of "honey pots" that constantly monitor attacks and prevent cyber criminals from hacking into data networks.
A honey pot is software that mimics different types of servers and entices fraudsters to launch attacks against what they believe to be legitimate networks or servers. The honey pot captures and logs attacks, allowing Gladiator to "reverse engineer" the captured file to see what type of attack it was and where it came from.
But, according to Riley, that is really only half of the solution: The rest is up to the client. "We pride ourselves on helping financial institutions of all sizes stay abreast of the newest threats and attack vectors, but ultimately what we tell our customers is that you can't outsource responsibility," Riley said. He pointed out that even if a company outsources its security to an MSSP like Gladiator, it still has to have the policies, procedures, risk and vulnerability assessments and scans in place. "But at the SRD we understand the regulatory requirements that govern payment processors and what kind of scrutiny organizations are under, so we can provide the necessary services and support to help them meet all the security mandates and guidelines," he said.