John Gapinski, president of Secured Retail Networks, an Irvine, Calif.-based solution provider, said ensuring PCI compliance requires a bit of effort on the part of both VARs and their clients, and recently the need to better lock down credit card and financial data has been pushed down to level two merchants. Merchant levels are determined by the number of credit card swipes.
Gapinski said as compliance requirements move down market, they hit smaller organizations that have fewer resources to tackle a PCI program, creating a greater need to outsource or call in solution providers.
"It will definitely drive opportunities," he said, adding partners will be tapped to get businesses up to speed and build secured networks through technology, consulting and PCI assessments. "For us, it's the vast majority of what drives our business."
Patrick Bedwell, vice president of product marketing for Fortinet, a network security vendor, said PCI requirements have evolved and it's becoming more of a hurdle for companies to ensure they're in compliance and could pass an audit if necessary.
"The evolution of the PCI requirements over time is really making it more difficult for people in the trenches to comply," he said. "As threats are evolving, PCI requirements are evolving with them."
And for partners, that creates the opportunity to be a valuable trusted advisor and guide clients through the PCI maze.
"It's not about a partner parachuting in with a fix," Bedwell said. "It's essential for them to be up on the latest requirements."
For its part, Fortinet offers training and certification around PCI compliance for partners and is working to ensure its cadre of security VARs is armed with updated PCI knowledge.
"What's interesting about PCI is it's been in place for several years and there haven't been many penalties enforced," he said. "That's about to change. Time is running out and organizations have to put these mechanisms into place."
David Mandell, StillSecure CMO, said there is still a great deal of confusion involving compliance, which is also increasing the number of opportunities for solution providers.
"The environment is too cloudy around compliance right now," he said, which is opening doors for VARs to bring their clients up to speed and ensure they're locked down. "End users and IT managers don't understand. They don't get compliance."
Secured Retail Networks' Gapinski agreed.
"Most people that haven't gone through a PCI program don't know how difficult it can be," he said. It is up to solution providers to help their clients understand that any credit card data stored, transmitted and processed needs to be protected. It is also up to VARs to allay the misconception that if credit card data is encrypted at the time of the swipe, it's 100 percent secure. He said there's an "all I need to do is tokenize it and I'm done" mentality.
"There's plenty of opportunity," he said. "My hope is organizations don't just do the minimum to be PCI compliant and walk away."
Gapinski and StillSecure's Mandell agreed that now is the time for VARs to bring their customers on board with a true PCI program.
"Compliance is going to happen very quickly and they're going to wake up and realize they don't have a choice anymore," Mandell said. "This is going to trickle down and spread very quickly and create opportunities for VARs."