How To Help Customers Secure Their Retail Sites


A hacker recently made his way into an online gold selling business, causing the e-tailer to lose not only $10,000 in sales, but also 57,000 credit card numbers. After being thankful that this wasn't your client, what lessons can you take from this unfortunate circumstance to apply to your own IT solution provider business?

Matt Malone, account manager at IT solution provider Vintage IT Services, Austin, Tex., was called in to help clean up that IT mess. And it'll be a costly job: The e-tailer could face $1.5 million in fines alone because it should have been PCI compliant – a requirement for any business accepting credit cards. "The customer told me, 'If only we'd called you first, we could have avoided this,'" Malone said. "Being PCI compliant is no joke."

Often, businesses don't understand the magnitude of their decisions regarding security from the get-go. Laying a strong security foundation for an online business from the beginning is crucial, but it doesn't necessarily have to account for every potentiality, he said. Have customers start by tackling the most likely "what-if" situations. Here are some tips from Malone on how to sell security services to prospective customers that sell products online.

1. Tell your customer that no matter what solution is chosen, after it has been implemented, it should be inspected by a third party. "Have a double-check of the work done," Malone said. "Security scans can cost as little as $50-$100 per quarter." Qualified and approved vendors that offer compliance assessments can be found at the PCI Web site. The PCI Security Standards Council operates a number of programs to train, test and certify organizations and individuals to assess and validate adherence to PCI Security Standards. Recommending that customers find an impartial third party conveys confidence in your work, and also helps ensure that an unscrupulous competitor doesn't try to steal your customer.

2. Remind your customers that compliance is serious business. Remember the gold seller and that $1.5 million fine? If that business doesn't ante up, its privileges to accept credit cards could be revoked. Try doing online business without credit cards. Unless you're an eBay store, it's not a lucrative model. Therefore, filling out the PCI forms correctly — not just answering "yes" to every question — is crucial. Some customers are intimidated by the questionnaire. "Where it says, 'Do you have an intrusion detection system?' Be honest. Say, 'No, we're too small and it's too expensive. But we plan on having one next year.' You can answer 'no' and still be in compliance," Malone says. "It's OK to tell the truth."

3. Be sure customers understand the vulnerabilities of their systems. Anti-virus and firewalls should be put into place on day one. With PCs costing roughly $400 to $500, it can be cheaper to replace a small business's machines than to pay someone to clean up a virus that has wreaked havoc on a network. However, anything that's saved to a machine rather than a server is lost, so strongly advise customers to set up a server and automate the backup procedure for all the PCs on a network.

4. Finally, position yourself as augmenting the current IT person or staff at an SMB. Many small businesses try to hire an all-in-one IT guy. You're not trying to replace the daily presence of this person. Rather, your company will be able to support him or her, so problems can be addressed more quickly. "Companies need a team. It's way more cost-effective. It's less costly to do managed services, and the customer gains a whole range of expertise. The best solution is to augment the IT guy with managed services. He lies awake at night wondering 'what if.' By using an MSP, we can provide security packages that cost half a million dollars to smaller firms for a fraction of the cost."