Updated PCI Regulations Creating Myriad VAR Opportunities


Solution providers are anticipating new opportunities in the trenches around the Payment Card Industry Data Security Standard (PCI DSS), which is expected to be more strictly enforced come early next year, as their clients try to navigate the choppy waters of credit card data and how to protect it.

PCI DSS provides an actionable framework for developing payment card data security processes -- including prevention, detection and appropriate reaction to security incidents. The security standard was updated to version 2.0 late last year and was to be adopted as of Jan. 1. And come Jan. 1, 2012 all assessments will be under version 2.0 of the PCI DSS standard. Non-compliance can result in hefty penalties.

The recent changes to the PCI DSS standard have many companies wondering what impact it will have on their businesses and their data security processes, which means more engagements for solution providers. At the same time, many companies haven't upgraded to comply with PCI DSS 2.0, which was released in October.

"Compliance and PCI are going to be like Y2K for VARs," Steven Harper, vice president of business development for StillSecure, a Superior, Colo.-based security vendor. "Eventually, there's going to be more and more and more dealing with what are the compliance issues."

The most dramatic change in the recent PCI DSS update is that the implementation, feedback, review and revision processes has been extended from a two-year to a three-year cycle. The majority of changes to the standard are billed as "clarifications," and are designed to ensure that security products and practices are up to date to protect against the evolving threat landscape, whether that means updated technology practices around firewalls, key management, documentation or other security processes.

And as tighter scrutiny around the storage and protection of payment card and financial transaction information at retailers, restaurants and anywhere a credit card can be swiped at a point of sale, will help VARs get their feet in new doors for consultative and upgrade opportunities.

"We're certainly seeing an uptick in questions about it," said Monty Blight, vice president of product management for Peak 10, a Charlotte, N.C.-based managed service provider. "And we're seeing that across the board, not just PCI, but HIPAA and Sarbanes-Oxley."

According to Blight, the industry is becoming much more aware of PCI, and where Peak 10 would once engage with customers around security as a best practice, PCI is leading them to have a new requirement for tightened security infrastructures.

"What is really happening is what our customers are asking for from us and requiring from us is changing," Blight said, adding that Peak 10 is realizing a new revenue stream from clients' PCI needs. "Their seeking more and more information about the potential financial implications and reputation implications they face if they don't secure that data."

NEXT: PCI DSS Hitting Smaller Companies