How To Sell PCI Security


It's no longer shocking to hear that a retail store has somehow lost the credit card numbers of thousands of its customers. Those types of thefts can cost business thousands of dollars in fines. Cybera's senior vice president of marketing discusses the importance of Payment Card Industry (PCI) security and how solution providers can ensure that customers in the retail and restaurant industries are equipped with a reliable, scalable and secure network solution.—Jennifer Bosavage, editor.

Complying with the Payment Card Industry Data Security Standard (PCI DSS), adopted by payment brands such as Visa, MasterCard and American Express to prevent fraud, is imperative for any merchant that stores, processes or transmits credit card information. That includes everyone from the smallest “mom and pop” stores to the largest international retail and restaurant chains.

For IT solution providers, the task of implementing the necessary technology infrastructure and application solutions to meet security and PCI compliance requirements can be daunting, especially if their clients are multi-site businesses such as convenience stores, retail specialty chains and restaurants. Many merchants are not taking the actions necessary to make certain that credit card information is secure. Others are unfamiliar with PCI compliance and how it relates to their businesses.

So, how can you familiarize merchants with PCI security and the steps required to ensure that they are equipped with a reliable, scalable and secure network solution? How can they avoid having one of the 10 biggest data breaches in 2011?

For starters, it is of the utmost importance that both your current and potential customers are aware of the downsides of data breaches.

All merchants are mandated by the payment card brands to implement security controls to comply with the PCI DSS or face the risk of fines, lawsuits, lost customers, brand damage or even losing the ability to process credit cards. Without compliance, if a merchant has credit card information stolen, PCI-related fines can be as high as $500,000 per incident.

VARs' customers must understand the breadth of the PCI DSS as there are a number of different security technologies required to completely address all requirements. Understanding the merchants’ ability to address their security needs through assembling point solutions vs. implementing a comprehensive solution suite is another critical aspect of selling PCI security solutions.

When a merchant has a proficient IT organization that is knowledgeable in security and compliance, they may be able to handle the integration and management of multiple point solution vendors themselves. However, when a merchant has a limited IT staff focused on store applications and business operations (as opposed to security and compliance), they will more likely be interested in a comprehensive solution from a single solution provider.

Our experience shows most “big box” merchants—for example, Walmart—have substantial IT organizations and prefer to assemble their own security solutions. However, for a “small box” merchant, such as 7-Eleven convenience stores, there is often no security expertise or very limited staff available to address compliance requirements. These small box merchants require a managed solution that fully addresses their PCI and security needs. The distributed enterprises of this segment that are affiliated with a common brand are often interested in a standardized and comprehensive solution which can be easily deployed at all branded locations. When selling to the “small box” segment, you will want to make sure that they understand all the separate technologies they will have to integrate and all the multiple vendors they will have to manage. The bottom line is that you must understand the needs of your customer and tailor your solutions to their needs.

It’s also important to emphasize that the right technology can provide a superior experience for customers as well as enable secure, fast transaction processing to maintain a competitive edge. Traditionally, with the introduction of each new application, merchants have pieced together various solution components from multiple providers, resulting in complex, expensive and often ineffective security solutions. That drives higher business costs and consumes staff time with compliance initiatives, rather than business operations and growth. In order to be equipped with a reliable, scalable and secure network solution, merchants will benefit from a complete portfolio of hosted security services. By pulling together all solution components, retailers will have an end-to-end solution that frees them to focus on their core business.

When it comes to PCI DSS compliance, there are three main ways in which a complete portfolio of hosted services meets merchants’ varying needs:

Solution Suite

A comprehensive solution suite means less complexity. Merchants and enterprises must address four critical areas of security to become PCI compliant: Firewall, Wireless IDS, Secure VPN, Security Information and Event Management (SIEM). Addressing each of these needs individually with point solutions drives greater complexity, ultimately slows overall compliance efforts and places greater burdens on the IT staff.

A comprehensive solution eliminates:

  • Integration of point solutions
  • Ongoing operation and maintenance of multiple point solutions
  • Management of multiple vendors

Cloud-Based

A cloud-based solution delivers a security and compliance solution more rapidly, with a better ability to grow with the merchant’s and enterprise’s needs. It also provides protection from obsolescence, because it is not dependent on specific customer hardware, and it will evolve more rapidly with the ever-changing security requirements and threat environment.

A cloud-based solution eliminates:

  • Time-consuming design and build-out of infrastructure (servers, storage, concentrators, etc.) to host and support the security applications
  • Forklift upgrades of applications
  • Demands on the staff related to security and compliance instead of store support and business operations

Total Cost of Compliance

Point solutions and self-assembled solutions drive a significantly higher cost of becoming PCI compliant. Deploying a comprehensive, cloud-based solution suite can result in dramatic cost savings:

  • 80 percent on the initial costs of deployment / implementation
  • 70 percent on the ongoing costs of operation and maintenance over the life of the solution

As security breaches and identity theft cases continue to grow, protecting sensitive data is more important than ever. Today’s retail application and network environments are growing more and more complex. New users, additional locations and the ever-increasing demand for higher performance, tighter security and new services are making network and systems management more difficult and more critical to the success of the business.

Data security and compliance requirements are critical concerns for business owners, with reporting and enforcement becoming more meticulous. PCI compliance protects merchants and enterprises from breaches of consumer credit card data that could wind up costing their businesses millions, if not billions, of dollars in data recovery, image control, and lost business.

Cybera’s solutions serve customers ranging from small businesses to large multi-national corporations with locations numbering in the tens of thousands. For more information, visit http://www.cybera.com/.