
The Green Sheet Online Edition

July 09, 2007  •  Issue 07:07:01


Rake it in: Resell basic security services

By Michael Petitti

The latest industry security statistics illustrate a problem plaguing the payment card industry. The number of small to medium-sized businesses that have adopted the Payment Card Industry (PCI) Data Security Standard, unfortunately, lags.

The card Associations and acquiring banks recognize the problem and have started concentrating educational efforts on these smaller merchants.

As a result, smaller merchants now know more and more about data security. And they are searching for cost-effective solutions that don't require significant time or expertise.

This desire for security solutions that are viable to smaller merchants brings new opportunity to you, as ISOs and merchant level salespeople (MLSs).

You can diversify the services you offer customers, differentiate yourselves from the competition and open a new revenue stream by reselling information security appliances and services to assist merchants in their PCI-compliance efforts.

Breached merchants fail security 101

AmbironTrustWave investigated more than 220 cases in which credit card data was stolen from merchants (a payment card data compromise).

We found that the improper configuration of a firewall, or the lack of one altogether, is the second most common reason an unauthorized user is able to access cardholder data.

Our research also revealed that more than half of compromised merchants failed to meet the first requirement of PCI: Install and maintain a firewall to protect cardholder data.

Don't fall victim to the common misconception that only e-commerce merchants need worry about payment card security.

Ninety-five percent of AmbironTrustWave's (ATW's) probes are a result of a payment card compromise at brick-and-mortar merchants. E-commerce or no, it's likely that a majority of your merchant portfolio has Internet access.

Any connection to the Internet puts payment applications, POS terminals and the payment card environment as a whole at risk. A merchant's first step in mitigating this risk is implementing and properly configuring a firewall.

You could compare a firewall to an immigration officer who allows individuals to cross a country's borders based on governmental rules.

Implementing a firewall and setting the rules to allow or prohibit traffic require data security knowledge that many small to medium-sized business owners neither possess nor have resources to hire.

Outsourcing security management fills gaps

Fortunately, a new development in the information security field addresses this lack of knowledge: unified threat management (UTM) devices.

A UTM device generally consists of a firewall appliance that includes a number of additional security technologies such as intrusion detection or prevention systems, Web content filtering and virtual private network capabilities.

Because vendors develop UTM solutions with smaller businesses in mind, many UTM devices are designed to limit the strain on a user's resources. A merchant need only place the UTM box between the network and the Internet connection and plug in the correct cables.

The vendor's team of qualified data security engineers takes care of the rest.

As acquirers continue to put pressure on small to medium-sized retailers to comply with PCI, merchants will need a variety of technologies to do so. If they connect to the Internet from a network, they will need, at the least, a firewall like those included in UTM devices.

If you sell a PCI-compliance bundle, you will immediately set your organization apart as a trusted PCI resource.

This bundle might include a payment application that adheres to Visa U.S.A.'s Payment Application Best Practices, services from a provider on Visa's list of compliant payment processors and a managed UTM device from a trusted security services provider.

PCI's complexity demands more than a firewall

Leveraging a bundle as just described will not guarantee a merchant's PCI compliance. But it is an introductory step toward securing customers' payment card information. And with high-profile payment card breaches periodically making the news, consumers will become more discriminating in the merchants they choose to frequent.

Additionally, in some cases, the news coverage of breach-related litigation overtakes news regarding the actual payment breaches.

The threat of litigation persuades many merchants to take a second look at their payment environments and seek products and services from security vendors that can help better protect their customers' information.

Offering a PCI-specific bundle of services to merchants allows you to establish or fortify your position as a trusted vendor in the minds of your clients. In addition, reselling security appliances and managed data security services developed specifically for smaller merchants can provide you an additional revenue channel.

Michael Petitti is Chief Marketing Officer of AmbironTrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at mpetitti@atwcorp.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
