Credit-Card Data Breaches Drive Security Solutions Bonanza

David Sockol, president of Emagined Security, San Carlos, Calif., focuses on helping companies fix PCI-related issues that arise after PCI assessments. "We bring in compliance processes and tools that organizations can use to review each of their servers to see if they are in PCI compliance," he said.

The strategy, which has helped Emagined see triple-digit growth over the past year, is based on the fact that PCI remediation efforts are much larger and financially rewarding than PCI assessments, according to Sockol.

"We found there are better benefits for us and our customers in helping remediate PCI issues than in trying to assess their risk," he said.

The fact that some companies balk at the idea of one firm handling both PCI assessment and remediation has opened up a huge well of remediation opportunities for integrators, said Andrew Plato, president of Anitian Enterprise Security, Beaverton, Ore.

"Remediating PCI issues is a virtually unlimited business—there are all sorts of things you could end up doing," he said.

Does PCI Lack Teeth?
Companies that don't comply with PCI run the risk of having their merchant accounts canceled, but none of the solution providers CRN spoke with were aware of that actually happening. It's also unclear whether merchant companies are feeling the brunt of PCI-related fines.

MasterCard doesn't publish information on fines, and a spokesperson declined to comment on the TJX case, citing the ongoing legal investigation.

Visa said it levied $4.6 million in PCI-related fines in 2006, up from $3.4 million in 2005. However, these numbers pale in comparison to the $17.1 billion in credit-card penalty fees banks charged in 2006, according to R.K. Hammer, a privately held bank card advisory firm.

Visa last December introduced its Compliance Acceleration Program, which sets deadlines and penalties for noncompliance, but also spells out incentives for acquiring banks to get their merchants to comply with PCI. Accuvant's Tegethoff said PCI CAP has led to a spike in business as acquiring banks look to get their merchants up to speed.

"For people who have maybe back-burnered PCI, this is making them re-evaluate their priorities. For the channel, this translates into more PCI services and remediation dollars," Tegethoff said.

Still, unless PCI adoption picks up considerably, or credit-card firms begin to make examples of businesses such as TJX by slapping them with heavy fines, VARs in the assessment side could face a backlash from companies that have spent considerably to upgrade networks for PCI.

That's a big reason why Anitian's Plato said remediation is the sweet spot. "The beauty of being a remediator is that you're just selling products and doing integration," he said. "If you're the auditor, the challenge is greater, and I do think there could be a backlash."