SMBs Face Looming PCI Security Deadlines

On top of increasing business expenses and shrinking lines of credit in a weak economy, many small businesses will face one additional pressure in 2009: looming compliance deadlines for Payment Card Industry Data Security Standard requirements.

For many SMBs, adhering to impending PCI DSS deadlines will require major changes to enhancing security infrastructure. That means spending more money on technologies and services such as security assessments, application firewalls, auditing and threat scanning.

Solution providers will need to find economic ways for budget-crunched small and midsize businesses to achieve compliance.

Comprised of 12 requirements, PCI DSS was implemented by credit card companies as a baseline security standard for any business -- ranging from enterprises to SMBs -- that accepts customer credit card data. Compliance deadlines for larger merchants have already passed, but now smaller merchants will get their turn. Credit card companies such as MasterCard and Visa have each set their own deadlines for small businesses to start meeting the various requirements of PCI DSS compliance throughout 2009, first for Tier 3 businesses -- merchants that process between 1 million and 6 million credit card transactions annually -- and then Tier 4 businesses, which include "all others."

Security VARs said that in general SMBs are more susceptible to becoming the victim of a security attack than their larger peers.

"The SMBs don't have a dedicated staff for security. They also don't have the budget to make the necessary protection needed," said Todd Leidner, vice president of operations for Intelek Technologies, based in Norman, Okla. "There are some that definitely know what's at stake. But then there are others who think that it's not going to happen to them, so why spend the money."

"I don't even think [PCI compliance] is entering their radar now, or not yet," said Leidner. "They're more focused on trying to stay in business than be compliant."

While compliance can be expensive, non-compliance could be even more costly. Organizations that fail to adhere to PCI mandates face financial penalties of up to $500,000 if data is lost or stolen and risk losing credit card processing rights. Meanwhile, a Jan. 2009 study by the Ponemon Institute found that the annual cost of a data breach averages to $202 per record and an average cost of more than $6.6 million per breach, the most significant portion (60 percent) of those costs due to loss of business.

Experts said that these days, companies -- even small ones -- are increasingly vulnerable to sophisticated malware attacks that are designed to steal sensitive identifying and financial information. In early January, a malware attack on credit card processing company Heartland Payment Systems resulted in the possible compromise of more than 100 million customer accounts, in what appears to be one of the largest data breaches in history.

Industry observers say that the Heartland breach is the tip of the iceberg because threat risks increase as more companies conduct massive layoffs and outsource IT functions to third parties such as contractors and consultants.

"A bad economy can lead to an increase in this sort of activity," said Thom VanHorn, vice president of global marketing for database security vendor Application Security. "More people are getting laid off. You have more disgruntled employees. It doesn't take many of those [employees] to perpetrate a breach that can result in harvesting information."

With IT budgets being slashed, upgrading security infrastructure for PCI compliance will be a costly challenge for many SMBs just struggling to stay in businesses, experts say. As a result, SMBs with limited IT resources and staff might be even more susceptible to security threats, industry observers said.

"If [SMBs] are having a tough time, then survival becomes more important," said Deven Bhatt, board member of the PCI Security Alliance, an organization based in Fremont, Calif. that aims to help merchants and financial institutions achieve PCI compliance. "They may not have security departments and they may not have as much cash. They're not as much a target, but they can be easy to break into also."

Next: SMBs Look For Cost-Effective Security

One of the biggest hurdles for SMBs will be to find ways to fund costly -- but necessary -- security solutions. Mandatory PCI requirements such as application layer firewalls and two-factor authentication come with price tags that are out of reach for many small businesses, solution providers said.

"Application firewalls -- those are extremely expensive, especially for the small and medium businesses," said Allen Allison, vice president of managed services for managed security service provider NaviSite, based in Andover, Mass. "That's one of the things that's going to be a big fear."

As one answer to providing SMBs with both quality and cost-effective security, NaviSite offers several hosted offerings and professional services to help smaller customers to achieve PCI compliance objectives, Allison said.

Meanwhile, Allison said that as Tier 3 and Tier 4 PCI deadlines approach later this year, SMBs will increasingly invest in all-in-one security suites -- security products incorporating multiple functionality.

"In order to be PCI-certified, they have to have it all," said Allison. "In many cases you can put in place solutions that accomplish multiple things -- log aggregation and correlation, authentication requests -- those are the things that most people should focus on. The stone that could kill multiple birds."

Another challenge that SMBs face in achieving PCI compliance is the ability to determine exactly what their security infrastructure needs -- a problem due, in part, to the subjective nature of the requirements, industry observers said.

"There will be people who will implement it well and people who implement it to check it off," Application Security's VanHorn said. "They assume that compliance equals security. They look at the 12 requirements and figure once they did that, than they can kick back and have cocktails on the veranda because 'they're secure.'"

However, experts say that because PCI adherence is mandatory, "nice-to-have" IT purchases might go by the wayside to make room for essential PCI upgrades. For many SMBs, the first step in becoming PCI compliant is to complete a comprehensive assessment of their infrastructure, especially the pieces that house valuable data. Solution providers said SMBs will need to invest in assessments to determine where their sensitive data lives, and then prioritize the most important data in terms of risk and delete the unnecessary data that's eating bandwidth and compromising security. As a result, PCI will likely open up opportunities for the channel to embark on or expand numerous assessment and remediation services, which they can specifically tailor to their smaller customers.

"Find out where all the sensitive information is in your environment, then get rid of it. You reduce the risk so much," said PCI Security Alliance's Bhatt said. "If you don't store it, then you don't have to worry about it."

Also because PCI standards require all companies to scan for threats, solution providers will find additional opportunities in scanning services, as well as auditing and reporting services to prove PCI compliance.

"If you're a Level 1 [merchant], you have a structured IT department," said Cheryl Traverse, CEO of San Jose, Calif.-based Xceedium, a security vendor specializing in entitlement management security products. "The [Level] 2s and [Level] 3s really don't have this, they don't have the expertise to do this. They need to work with the reseller and manufacturer who have the expertise and can show them the way."