y now you have most certainly read about the various cardholder data security requirements, such as the card Associations' Payment Card Industry (PCI) Data Security Standard or Visa U.S.A.'s Cardholder Information Security Program (CISP).

We have learned, and some the hard way, that it is vital for merchants and processors to be in compliance with these requirements and to secure cardholder data. However, when it comes to liability, these rules protect the card Associations, not the ISOs, processors or merchants.

"The Associations, with CISP and PCI, have successfully created a liability barrier between themselves, merchant acquirers, ISOs and merchants," said Ray Ricks, Founder and Chief Executive Officer of eCenturion LLC.

"The rules have been clearly defined that in the event of a security breach they are blameless because the acquirer, ISO or merchant was acting outside the operating agreement. The liability will fall to the latter."

That is one reason that Ricks founded eCenturion, a security product and consulting company. ECenturion is a Managed Security Service Provider (MSSP) that offers businesses alternatives to the traditional network and Internet security methods that have failed to adequately protect information systems.

The company provides a security system for managing the risks associated with processing and collecting protected and confidential information, without the need for the client's active involvement.

ECenturion provides security solutions and consulting services for payment gateways, ISOs and merchants. The company is based in Huntington Beach, Calif. with an operations center in Salt Lake City, Utah. In November 2005, it expanded into Asia.

Decades of Experience

Ricks spent nearly two decades with Citibank's bankcard group. "I was the Chief Information Security Officer at bankcards before there was ever such a title," he said.

While at Citibank he was responsible for physical and logical security and data integrity.

He also directed the fraud investigations team and authored the first information security policy, which became a cornerstone of Citicorp's technology framework.

It's not only the recent media coverage or security breaches that have got Ricks involved in data security and protection; he has been involved in this arena for quite a while.

"Our core belief is there is only one way to protect businesses against vulnerabilities and attack," he said. "Effective security must be holistic. Defense systems must dynamically view the entire system's state of health 24/7.

"The only meaningful response to an attack is a strong, instantaneous defense. Consequently, the only way to outpace constantly evolving vulnerabilities and costly attacks is through instant detection, alerting and engaging a premier defense system, triggering an effective and appropriate response."

Do It Right the First Time

Ricks pointed out the confusion surrounding security solutions. "With the advent of the Internet, Internet connectivity to POS systems and the newly evolved security standards by the Associations, there is a convergence of security, privacy and payment processing at the merchant level," he said.

Such varied and continually evolving factors can lead to confusion and chaos when ISOs and merchants attempt to comply by the card Associations' rules while simultaneously protecting their business and running a successful company.

If business managers think that they cannot afford such a solution, Ricks urges them to rethink the total cost of ownership, which includes loss of reputation and strategic partner relationships and financial loss to litigation and penalties.

"They can do it the hard way and try to do it themselves and likely do it incorrectly, or they can spend less money and do it in a simple, elegant and effective way," he said.

ECenturion believes that the choice of a security solution is not only a technical decision but also a management decision. "If a breach occurs ... who do you want representing you and articulating the security measures taken to protect you? ECenturion with extensive security credentials or the software engineer in the corner operating as a security technician?" Ricks said.

Much More Than Compliance

ECenturion provides compliance audits, security products and support should any legal or rule issues arise. "As a consulting company we can certify merchant or ISO compliance to CISP and PCI standards," Ricks said.

"But, more importantly, we have a product we developed to protect information systems at the 2002 Winter Olympics, now available to businesses." That product is the Sentry with Managed Security.

The Sentry is a plug and play hardware-based security appliance. Don't let the simplicity fool you. ECenturion recognizes that security needs are different for each business, and the solution must meet those needs to adequately protect that business.

Therefore, the Sentry offers three standard configuration standards (open, controlled and restricted usage) and custom configuration. The company can custom-configure the product prior to shipping it to the merchant.

For those who believe they don't need such a solution because they have an existing firewall, Ricks said, "They are misinformed as to what a firewall does.

"It does nothing unless it is configured properly, securely and correctly to meet the business requirements. ECenturion provides to our clients a premier Defense in Depth system with multiple layers of protection to achieve security and privacy."

Some of the Sentry's features include a perimeter firewall to protect the internal network against external threats, an embedded firewall to protect against internal threats, and an intrusion detection and prevention system that blocks malicious network traffic or hacking attempts.

The Sentry also scans for viruses before they reach individual computers, scans for spyware before it reaches critical devices and stops SPAM.

The solution also performs network vulnerability scanning and reporting, a CISP and PCI requirement, as often as the user chooses.

It archives the scans, and the results remain available to use as evidence should it be needed. It also archives all network traffic for purposes of diagnostics and forensics.

"ECenturion's products and services meet or exceed the technical security requirements or safeguards of the CISP and PCI rules as well as GLBA [Gramm-Leach-Bliley Act of 1999].

"With our extensive experience and credentials, we are able to articulate measures taken and defend our security solution to the Associations, and others, if necessary," Ricks said.

Similar to home PC virus scans, the Sentry must be updated regularly. That's why the product features a secure remote administration tool to allow updates to the appliance without additional intervention. Client networks are monitored 24/7, and updates occur during non-business hours.

"We refresh the device at least once a day ... we do all of this automatically," Ricks said. "There is no one that does it better than we do or as simply as we do. Until now, that level of expertise and technology was only available to those that could afford it. We are talking Fortune-100 companies."

ECenturion also offers help-desk support from 6:00 a.m. to 5:00 p.m. PST.

Actively Recruiting ISOs

While ISOs can certainly benefit from using eCenturion's products and services, they also can benefit by becoming a reseller. The company is focusing its growth on thousands of channel partners selling eCenturion products; it is actively recruiting ISOs now.

It pays commissions on the sale of the Sentry security appliance and the monthly service fee. "The income potential for those selling early in the managed security adoption cycle is almost limitless," Ricks said.

The Sentry could be a solution for ISOs and merchant level salespeople (MLSs) to present to both new and existing merchants. Practically any merchant could benefit.

"They [merchants] are not going to benefit if they only have a POS terminal," Ricks said. "But if they collect, store or process data through a computer network then they definitely have to be protected."

Currently eCenturion is offering a special deal. For those who purchase an eCenturion product by Jan. 31, 2006, the company will provide them with a complimentary network vulnerability review. The company will collect data for analysis and forensics and provide the client with a report.

Sentry with Managed Security also helps healthcare providers become and remain compliant with the Health Insurance Portability and Accountability Act of 1996, or HIPPA. If you are an MLS or ISO serving the healthcare industry this is an opportunity worth pursuing.

Best Insurance a Business Can Have

It may seem that cardholder protections are the latest development in the payment card industry; however, card data protection has always been an important part of our industry. Only recently has the entire world been let in on the risks and breaches that have occurred.

For decades, professionals such as Ray Ricks have worked to make card processing as secure as possible. Now that information is available to processors and ISOs of all sizes for the purposes of protecting their clients and customers and their own businesses.

"The card Associations have built a wall between themselves and the merchant," Ricks said. "If there is evidence that the rules were not followed, they will leave the merchant hanging.

In today's carnivorous litigation environment you need a system that is defendable by experts who rank in the top percentile of subject matter experts.

"A business manager must implement the best security solution available. Failure to do so in today's environment could be a 'business ending' decision. The eCenturion solution is the best insurance a business can have," he said.