The Green Sheet Online Edition
July 09, 2007 • Issue 07:07:01
Rake it in: Resell basic security services
The latest industry security statistics illustrate a problem plaguing the payment card industry. Unfortunately, the number of small to medium-sized businesses that have adopted the Payment Card Industry (PCI) Data Security Standard lags.
The card Associations and acquiring banks recognize the problem and have started concentrating educational efforts on these smaller merchants.
As a result, smaller merchants now know more and more about data security. And they are searching for cost-effective solutions that don't require significant time or expertise.
This desire for security solutions that are viable to smaller merchants brings new opportunity to you, as ISOs and merchant level salespeople (MLSs).
You can diversify the services you offer customers, differentiate yourselves from the competition and open a new revenue stream by reselling information security appliances and services to assist merchants in their PCI-compliance efforts.
Breached merchants fail security 101
AmbironTrustWave investigated more than 220 cases in which credit card data was stolen from merchants (a payment card data compromise).
We found that the improper configuration of a firewall, or the lack of one altogether, is the second most common reason an unauthorized user is able to access cardholder data.
Our research also revealed that more than half of compromised merchants failed to meet the first requirement of PCI: Install and maintain a firewall to protect cardholder data.
Don't fall victim to the common misconception that only e-commerce merchants need worry about payment card security.
Ninety-five percent of AmbironTrustWave's (ATW's) probes are a result of a payment card compromise at brick-and-mortar merchants. E-commerce or no, it's likely that a majority of your merchant portfolio has Internet access.
Any connection to the Internet puts payment applications, POS terminals and the payment card environment as a whole at risk. A merchant's first step in mitigating this risk is implementing and properly configuring a firewall.
You could compare a firewall to an immigration officer who allows individuals to cross a country's borders based on governmental rules.
Implementing a firewall and setting the rules to allow or prohibit traffic require data security knowledge that many small to medium-sized business owners neither possess nor have resources to hire.
Outsourcing security management fills gaps
Fortunately, a new development in the information security field addresses this lack of knowledge: unified threat management (UTM) devices.
A UTM device generally consists of a firewall appliance that includes a number of additional security technologies such as intrusion detection or prevention systems, Web content filtering and virtual private network capabilities.
Because vendors develop UTM solutions with smaller businesses in mind, many UTM devices are designed to limit the strain on a user's resources. A merchant need only place the UTM box between the network and the Internet connection and plug in the correct cables.
The vendor's team of qualified data security engineers takes care of the rest.
As acquirers continue to put pressure on small to medium-sized retailers to comply with PCI, merchants will need a variety of technologies to do so. If they connect to the Internet from a network, they will need, at the least, a firewall like those included in UTM devices.
If you sell a PCI-compliance bundle, you will immediately set your organization apart as a trusted PCI resource.
This bundle might include a payment application that adheres to Visa U.S.A.'s Payment Application Best Practices, services from a provider on Visa's list of compliant payment processors and a managed UTM device from a trusted security services provider.
PCI's complexity demands more than a firewall
Leveraging a bundle as just described will not guarantee a merchant's PCI compliance. But it is an introductory step toward securing customers' payment card information. And with high-profile payment card breaches periodically making the news, consumers will become more discriminating in the merchants they choose to frequent.
Additionally, in some cases, the news coverage of breach-related litigation overtakes news regarding the actual payment breaches.
The threat of litigation persuades many merchants to take a second look at their payment environments and seek products and services from security vendors that can help better protect their customers' information.
Offering a PCI-specific bundle of services to merchants allows you to establish or fortify your position as a trusted vendor in the minds of your clients. In addition, reselling security appliances and managed data security services developed specifically for smaller merchants can provide you an additional revenue channel.
Michael Petitti is Chief Marketing Officer of AmbironTrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at firstname.lastname@example.org.