Updated PCI Regulations Creating Myriad VAR Opportunities


Solution providers are anticipating new opportunities in the trenches around the Payment Card Industry Data Security Standard (PCI DSS), which is expected to be more strictly enforced come early next year, as their clients try to navigate the choppy waters of credit card data and how to protect it.

PCI DSS provides an actionable framework for developing payment card data security processes -- including prevention, detection and appropriate reaction to security incidents. The security standard was updated to version 2.0 late last year and was to be adopted as of Jan. 1. And come Jan. 1, 2012 all assessments will be under version 2.0 of the PCI DSS standard. Non-compliance can result in hefty penalties.

The recent changes to the PCI DSS standard have many companies wondering what impact it will have on their businesses and their data security processes, which means more engagements for solution providers. At the same time, many companies haven't upgraded to comply with PCI DSS 2.0, which was released in October.

"Compliance and PCI are going to be like Y2K for VARs," Steven Harper, vice president of business development for StillSecure, a Superior, Colo.-based security vendor. "Eventually, there's going to be more and more and more dealing with what are the compliance issues."

The most dramatic change in the recent PCI DSS update is that the implementation, feedback, review and revision processes has been extended from a two-year to a three-year cycle. The majority of changes to the standard are billed as "clarifications," and are designed to ensure that security products and practices are up to date to protect against the evolving threat landscape, whether that means updated technology practices around firewalls, key management, documentation or other security processes.

And as tighter scrutiny around the storage and protection of payment card and financial transaction information at retailers, restaurants and anywhere a credit card can be swiped at a point of sale, will help VARs get their feet in new doors for consultative and upgrade opportunities.

"We're certainly seeing an uptick in questions about it," said Monty Blight, vice president of product management for Peak 10, a Charlotte, N.C.-based managed service provider. "And we're seeing that across the board, not just PCI, but HIPAA and Sarbanes-Oxley."

According to Blight, the industry is becoming much more aware of PCI, and where Peak 10 would once engage with customers around security as a best practice, PCI is leading them to have a new requirement for tightened security infrastructures.

"What is really happening is what our customers are asking for from us and requiring from us is changing," Blight said, adding that Peak 10 is realizing a new revenue stream from clients' PCI needs. "Their seeking more and more information about the potential financial implications and reputation implications they face if they don't secure that data."

NEXT: PCI DSS Hitting Smaller Companies

John Gapinski, president of Secured Retail Networks, an Irvine, Calif.-based solution provider, said ensuring PCI compliance requires a bit of effort on part of both VARs and their clients and recently the need to better lock down credit card and financial data has been pushed down to level two merchants. Merchant levels are determined by the amount of credit card swipes.

Gapinski said as compliance requirements move down market, they hit smaller organizations that have fewer resources to tackle a PCI program, creating a greater need to outsource or call in solution providers.

"It will definitely drive opportunities," he said, adding partners will be tapped to get businesses up to speed and build secured networks through technology, consulting and PCI assessments. "For us, it's the vast majority of what drives our business."

Patrick Bedwell, vice president of product marketing for Fortinet, a networks security vendor, said PCI requirements have evolved and it's becoming more of a hurdle for companies to ensure their in compliance and could pass an audit if necessary.

"The evolution of the PCI requirements over time is really making it more difficult for people in the trenches to comply," he said. "As threats are evolving, PCI requirements are evolving with them.

And for partners, that creates the opportunity to be a valuable trusted advisor and guide clients through the PCI maze.

"It's not about a partner parachuting in with a fix," Bedwell said. "It's essential for them to be up on the latest requirements."

For its part, Fortinet offers training and certification around PCI compliance for partners and is working to ensure its cadre of security VARs are armed with updated PCI knowledge.

"What's interesting about PCI is it's been placed for several years and there haven't been many penalties enforced," he said. "That's about to change. Time is running out and organizations have to put these mechanisms into place."

David Mandell, StillSecure CMO, said there is still a great deal of confusion involving compliance, which is also increasing the amount of opportunities for solution providers.

"The environment is too cloudy around compliance right now," which is opening doors for VARs to bring their clients up to speed and ensure they're lock down. "End users and IT managers don't understand. They don't get compliance."

Secured Retail Networks' Gapinski agreed.

"Most people that haven't gone though a PCI program don't know who difficult it can be," he said. It is up to solution providers to let their clients understand that any credit card data stored, transmitted and processed needs to be protected. It is also up to VARs to allay the misconception that if credit card data is encrypted at the time of the swipe that it's 100 percent secure. He said there's an "all I need to do is tokenize it and I'm done" mentality.

"There's plenty of opportunity," he said. "My hope is organizations don't just do the minimum to be PCI compliant and walk away."

Gapinski and StillSecure's Mandell agreed that now is the time for VARs to bring their customers on board with a true PCI program.

"Compliance is going to happen very quickly and they're going to wake up and realize they don't have a choice anymore," Mandell said. "This I going to trickle down and spread very quickly and create opportunities for VARs."