ompliance with the card associations' regulations for securing transaction information-from where it originates, over the systems it travels, and on to its destinations-is the hot topic in payments. Acquirers, issuers, processors, hardware manufacturers, ISOs/MLSs and merchants are all concerned with not only meeting the new standards, but in keeping data out of the wrong hands.

What's the best way to approach the process of securing your company's financial data? Call in the experts.

A good choice would be Ambiron, a Chicago-based consulting firm with wide-ranging expertise in information security. The company specializes in making business systems safe in industries where the integrity of financial data is imperative. Ambiron offers a full suite of information security solutions covering everything from complex Virtual Private Networks (VPNs) and security management to relatively simple remote office firewalls.

Founded in 2002, Ambiron is an independent information security advisory firm providing enterprise information security and compliance solutions to large- and mid-sized businesses. The management team is composed of individuals who are experienced in information security with tenure at companies such as VeriSign, Sun Microsystems, Internet Security Systems, Accenture, Deloitte and Exodus.

Several vertical markets, including payments, securities trading and real estate have discovered that bringing in the experts at Ambiron to ensure the safety of their data makes sense.

But with so much attention being drawn to the protection of data in payment processing-and with compliance deadlines passing or on the horizon-Ambiron's services are more relevant than ever. As a result, the company has built a payment services practice that currently manages the compliance of thousands of payment-oriented businesses on an on-going basis.

"The need for compliance in the payments space is increasing," said Robert McCullen, Ambiron Co-founder and Managing Partner. "Financial losses resulting from identity theft and fraud, coupled with the possibility of association fines for non-compliance, have caused acquirers to mandate that their merchants become compliant."

Ambiron is a qualified Visa Cardholder Information Security Program (CISP) assessor and is also a qualified vendor for MasterCard's Site Data Protection (SDP) program; it is one of only a few assessors qualified for both. It also offers its own Multi-Card Compliance Program (MCCP) that enables businesses to comply with other card associations' information security regulations.

Additionally, Ambiron customizes compliance programs for acquirers, processors and other entities to help them manage their merchants and the implementation of the various industry data security requirements. McCullen said that despite the challenges in meeting compliance standards that everyone in payments faces, the programs that Visa introduced are meant to benefit acquirers and merchants. It's up to them to educate themselves on what it all means.

According to Visa's Web site, "Service providers are any Member or Non-member organization that processes, stores or transmits Visa cardholder data.

"Members are responsible to ensure that their merchants use service providers (that process, store, or transmit Visa cardholder data) that are CISP compliant. Merchants and service providers must contractually require all associated third parties with access to cardholder data to adhere to CISP data security requirements."

This means that everyone along the way has to take steps to ensure transaction data are secure. While it can seem overwhelming, seeking the advice of security specialists who bring the value proposition of "knowledge capital" to each client makes it easier to meet standards.

Acquirers, for instance, might seek help overseeing compliance programs throughout their portfolios. "They're looking for someone who can step in and manage thousands of merchants," McCullen said.

At the same time, "It's hard on merchants, too. They may think they're not at risk or that they're doing things the right way."

Ambiron has simplified a complicated process for acquirers and merchants through customized management programs and a new automated system. In January 2004, it introduced its trademarked Vital Signs system, a security tool designed specifically to address the compliance needs of the payments industry.

One key element of Vital Signs is that it integrates the regulations mandated by Visa USA, Visa Canada, MasterCard International and other card associations into a single Web-based interface. Each of the security requirements is embedded and users are able to run a self-assessment.

An integrated scanning feature gives Vital Signs subscribers monthly analyses of their environments and details areas where weak points might exist. After each self-assessment and vulnerability scan, remediation reports are generated and include step-by-step instructions to fix the security issues that were identified. Vital Signs subscribers also receive a cyber insurance policy issued by Lloyds of London to help offset expenses from forensic investigations and any necessary data repair and recovery.

When systems are compromised, Vital Signs subscribers have access to the experts at Ambiron's 24/7 help desk support through e-mail and a toll-free phone number. If on-site support is required, Ambiron has offices located throughout the United States and can respond quickly; industry-certified staff members are located in Chicago as well as Charlotte, N.C.; Dallas; Los Angeles; New York City; and Seattle. It also has offices in Toronto and London.

If cardholder data are accessed, Ambiron's Cyber Forensic team springs into action. Incident response and forensics support include assistance with containing, preserving and reporting details to the appropriate authorities.

When Ambiron is called in to conduct an assessment or audit for Vital Signs subscribers and other businesses, it follows a three-stage process to find holes in security systems, fix them and keep them resistant to future compromises.

In step one, the 'Discover' stage, scans and penetration tests are conducted to find and mark weaknesses and misconfigurations. Ambiron's 'Discover' services range in scope from reviewing the entire IT environment to a specific area.

In step two, 'Deploy,' based on thorough reviews of a client's IT system, solutions including firewalls, SSL, anti-virus and anti-spam software, and authentication are installed to negate those holes and shore up weak areas. Ambiron will train the client's personnel on the application and management of these solutions.

In step three, 'Defend,' the digital forensics work begins. Evidence must be collected and preserved properly and it must happen quickly for accurate remediation, including cleaning up disc drives and recovering data, as well as resulting prosecution and litigation to take place.

Ambiron has a direct sales force that contacts end-user consumers. The company also has strategic relationships with information security technology firms that provide avenues to market its services. And there has been a great deal of interest in security compliance recently coming from the payments industry. "We've seen a great deal of activity in this space lately," McCullen said. "Security is very hot."

Ambiron is a member of Electronic Transactions Association (ETA); representatives from the company will speak on data security issues as they apply to payments at the 2004 Annual Meeting and Expo in April. He said it's important for payment services providers-and their customers-to see where they fall within the big security picture.

"Many businesses-particularly small merchants-don't have a security professional or a security team on staff. Therefore, it's incumbent upon them to take charge of their own security," said McCullen. "Attending events, such as ETA, and interacting with security professionals can be a good first step in understanding how to secure their vital business information. An educated merchant is a secure merchant.

"Our clients consider Ambiron to be a 'trusted advisor' when it comes to information security. We have received positive feedback from merchant clients and prospects saying we make security easy to understand."