The Green Sheet Online Edition
July 28, 2014 • Issue 14:07:02
Trustwave, First Data team for 'inside-out' security
In June 2014, the largest U.S. acquirer, First Data Corp., inked a partnership deal with Chicago-based data security and compliance firm Trustwave. The focus of the new pairing will be on offering, via First Data ISOs, what the companies characterized as a new level of data security to small and midsize businesses. This new level involves what can be termed an "inside-out" approach to security and compliance.
The core of the partnership revolves around Trustwave's cloud-based TrustKeeper platform, which Trustwave stated is used by about 2.7 million subscribers worldwide. The service plugs into merchants' POS networks to protect against malware and viruses, critical system changes, unauthorized devices, security misconfigurations and noncompliant payment card storage.
Doug Klotnia, General Manager of Compliance and Risk at Trustwave, highlighted how TrustKeeper fits into the security firm's overall strategy of enabling compliancy with the Payment Card Industry (PCI) Data Security Standard (DSS) through security rather than conducting a compliance review, generating a to-do list and then filling in the security gaps.
"We're kind of turning the whole thing on its head, which is putting security first," Klotnia said. "And by gaining a good, effective security position, compliance will come with it. So that's much different than the history of PCI compliance, which has always been: 'Let's check the box; let's make sure we're doing the minimum.'"
Klotnia is not trying to minimize the importance of merchants undergoing security reviews, which include the routine taking of the PCI DSS's self assessment questionnaires. But securing environments should be the main priority. "[A]t the end of the day, what we're trying to do is defend against the likelihood of a card data breach," Klotnia said. It should be less about stating that you're compliant and more about determining whether you're secure, he added.
Compliance through security
The Trustwave partnership is further evidence that First Data is intent on aligning itself as a flexible provider of merchant services, and not just a provider of transaction processing. Klotnia said the acquirer had an in-house compliance solution that relied on the check-box formula, and found more of the same when it looked for a partner to bolster its compliance services.
"I think they looked at compliance and what they saw was a lot of programs out there that were very effective at generating some baseline of compliance and driving some additional customer value," Klotnia added. "But what they weren't seeing were a lot of security enablement solutions."
Klotnia said the typical security inspection begins with the establishment of an informational baseline about a business, such as whether it is a brick-and-mortar outfit or an e-commerce site. From there, other general questions are asked concerning the merchant's POS environment and what security technology is being employed.
But the Trustwave service First Data ISOs can now offer is different. "The first thing we're going to say is, 'Install this piece of software in your point of sale system,'" Klotnia said. "And immediately that point of sale system is going to do some really, really important things."
Klotnia listed the actions TrustKeeper then will perform: mapping the network to determine what types of devices are plugged into the network; locating any unencrypted cardholder data being stored; and assessing complexity and strength of passwords. Trustwave then probes for information the technology doesn't address, such as how merchants handle or store physical receipts.
Trustwave's goal is for its clients to avoid that most catastrophic of events. "The most painful breaches, the most expensive ones that put a merchant in a position where they might go bankrupt and they might have to close their doors – this product is very effective in defending against those types of breaches," Klotnia said.
Burning down the house
Despite the prevalence of breaches that damage brand reputations and cost millions to repair, merchants still do not take security as seriously as they should. Klotnia called it an awareness challenge, especially among small merchants. "They still don't recognize the threat," he said. "They still don't understand that a significant card data breach is not a whole lot different than if their business burned down."
Klotnia noted that merchants are more aware of physical store security, such as locks on the doors and having a fire extinguisher handy. But they don't equate the damage of a physical break-in or a fire to the damage a data breach can cause. Klotnia said, "And that's our challenge: how do we get them to understand that they have to think of the risk the same way?"
Like making sure the door is locked when a business closes for the day, good data security means a focus on the fundamentals. Klotnia said the basics involve instituting layered security, which includes log management, anti-virus protection and firewalls. He called it the "blocking and tackling" of security techniques. "Just by doing those things, enabling those things, you're going to be in a lot better place than the guy next door," Klotnia said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.