Credit-Card Data Breaches Drive Security Solutions Bonanza

Security experts say every time a retailer ends up in the headlines for losing customer credit-card data, a PCI project gets its wings. And, as more companies look to the channel for help with securing their networks for PCI compliance, it's turning out to be a wonderful life for solution providers.

Companies are paying more attention to the PCI Data Security Standard (PCI DSS), a set of requirements drawn up by major credit-card companies for securing cardholder data. In PCI, liability for negligence rolls downhill—from the card companies to the banks that process credit-card transactions and, finally, to the merchants, who face fines, and even revocation of credit-card processing rights, if they don't comply.

The steady drumbeat of recent major credit-card information breaches has been keeping PCI in the spotlight. Last August, hackers got their hands on credit-card account data and personal information for approximately 19,000 customers of AT&T's e-commerce site, and then launched a targeted phishing campaign a few days later that was apparently designed to extract additional information from the affected customers.

In September, Chase Card Services, a division of JP Morgan Chase & Co. that handles credit-card transactions for Circuit City, informed 2.6 million current and former Circuit City credit-card holders that tapes containing their personal information had been accidentally dumped in a landfill.


Then in January, TJX, the parent company of T.J. Maxx, Marshalls and several other retailers, revealed that hackers had broken into its network and accessed credit-card data and personal information of customers in the United States, Ireland, the United Kingdom and Canada.

Last month, TJX said credit-card information on at least 45.7 million customers had been stolen, making it the largest breach of customer data in history. Although the card companies haven't commented on the TJX breach due to the ongoing legal investigation, many security experts believe TJX violated the terms of PCI by improperly storing cardholder data on its network.

As PCI-related business begins to boom, security VARs and integrators find themselves in the enviable position of having almost too much work to handle. And there's plenty of room for the market to grow: Visa estimates that just 36 percent of Level 1 merchants (which process more than 6 million credit-card transactions annually) and 15 percent of Level 2 merchants (which process at least 1 million) have complied with PCI.

Making Hay While the Sun Shines

Solution providers can either handle PCI-related assessments of companies' networks and then recommend solutions to address the holes, or provide the remediation services after an audit, which often requires companies to add firewalls or encryption to their networks.

Integrators that have been certified to do PCI assessments include Accuvant, DynTek, FishNet Security and igxglobal.

To lessen the risk of credit-card data falling into the wrong hands, PCI forbids merchants from storing post-authorization data on credit-card sales, as well as magnetic stripe data, card verification data (the three-digit code on the back of the card), and PINs, said Mark Carney, director of strategic solutions at Fishnet, Kansas City, Mo.

Customer data such as primary account numbers and expiration dates can be stored but must be encrypted, said Carney. "PCI is all about trying to get prohibited data out of the merchant environment," he said.
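As an added example (not from the article or from any of the firms it quotes), the following Python check illustrates the kind of review Carney's rule implies: it scans constructed sample order records for data merchants are forbidden to keep (track data, card verification codes, PINs) and for account numbers held in the clear, which would have to be encrypted. The track-format patterns are simplified assumptions, and every record value is made up.

```python
import re

# Simplified patterns for data PCI DSS forbids merchants to store after
# authorization (track data, card verification codes, PINs). They approximate
# the magnetic-stripe track layouts and are not a full parser.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B<PAN>^<NAME>^YYMM
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}")            # ;<PAN>=YYMM<svc>
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}", re.I)
PIN_RE = re.compile(r"\bpin(?:_?block)?\b\s*[:=]\s*\S+", re.I)
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # 13-19 digit run, not embedded

def luhn_ok(digits: str) -> bool:
    """Luhn check; filters random digit runs out of the PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_record(text: str) -> list:
    """Return prohibited-data findings for one stored record, in a fixed order."""
    findings = [name for name, pat in (("track1", TRACK1_RE), ("track2", TRACK2_RE),
                                       ("cvv", CVV_RE), ("pin", PIN_RE))
                if pat.search(text)]
    # A PAN may be kept, but only encrypted: a Luhn-valid run in the clear is a
    # finding. Ciphertext or a token is not expected to look like a card number.
    if any(luhn_ok(m.group(0)) for m in PAN_RE.finditer(text)):
        findings.append("cleartext-pan")
    return findings

def scan_store(records: dict) -> dict:
    """Scan every record; return only the ones with findings."""
    return {rid: f for rid, text in records.items() if (f := scan_record(text))}

# Constructed sample records; 4111111111111111 is a well-known test number.
SAMPLE_RECORDS = {
    "order-1001": "pan=4111111111111111 exp=1209 cvv2=123 amount=59.99",
    "order-1002": "pan_enc=QUJDREVGR0hJSktMTU5P exp=1209 amount=12.50",
    "order-1003": "track=;4111111111111111=12091011234? amount=80.00",
    "order-1004": "token=tok_a8f3 pin=1234 amount=5.00",
}

if __name__ == "__main__":
    for rid, findings in scan_store(SAMPLE_RECORDS).items():
        print(rid, findings)
```

Records that keep only an encrypted PAN or a token (order-1002) produce no finding; the hits are the ones a remediation project would have to clean up.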

Fishnet, which handles PCI assessments and remediation projects, saw top-line revenue for its PCI business grow 733 percent from 2005 to 2006, said Carney.

Quarterly vulnerability assessment scans were one of the first provisions of PCI, but this business has become commoditized as large vendors such as Symantec and Internet Security Systems (now part of IBM) have entered the PCI assessment market, said Evan Tegethoff, director of compliance services at solution provider Accuvant, Denver.

"The challenge of differentiating yourself in the PCI assessment market has gotten more extreme, and it's more difficult for new companies to come in and compete," Tegethoff said.


Given the growing competition in PCI assessment, many solution providers have decided to focus on PCI remediation, where there's still plenty of work.

David Sockol, president of Emagined Security, San Carlos, Calif., focuses on helping companies fix PCI-related issues that arise after PCI assessments. "We bring in compliance processes and tools that organizations can use to review each of their servers to see if they are in PCI compliance," he said.

The strategy, which has helped Emagined see triple-digit growth over the past year, is based on the fact that PCI remediation efforts are much larger and financially rewarding than PCI assessments, according to Sockol.

"We found there are better benefits for us and our customers in helping remediate PCI issues than in trying to assess their risk," he said.

The fact that some companies balk at the idea of one firm handling both PCI assessment and remediation has opened up a huge well of remediation opportunities for integrators, said Andrew Plato, president of Anitian Enterprise Security, Beaverton, Ore.

"Remediating PCI issues is a virtually unlimited business—there are all sorts of things you could end up doing," he said.

Does PCI Lack Teeth?

Companies that don't comply with PCI run the risk of having their merchant accounts canceled, but none of the solution providers CRN spoke with were aware of that actually happening. It's also unclear whether merchant companies are feeling the brunt of PCI-related fines.

MasterCard doesn't publish information on fines, and a spokesperson declined to comment on the TJX case, citing the ongoing legal investigation.

Visa said it levied $4.6 million in PCI-related fines in 2006, up from $3.4 million in 2005. However, these numbers pale in comparison to the $17.1 billion in credit-card penalty fees banks charged in 2006, according to R.K. Hammer, a privately held bank card advisory firm.

Visa last December introduced its Compliance Acceleration Program, which sets deadlines and penalties for noncompliance, but also spells out incentives for acquiring banks to get their merchants to comply with PCI. Accuvant's Tegethoff said PCI CAP has led to a spike in business as acquiring banks look to get their merchants up to speed.

"For people who have maybe back-burnered PCI, this is making them re-evaluate their priorities. For the channel, this translates into more PCI services and remediation dollars," Tegethoff said.

Still, unless PCI adoption picks up considerably, or credit-card firms begin to make examples of businesses such as TJX by slapping them with heavy fines, VARs on the assessment side could face a backlash from companies that have spent considerably to upgrade their networks for PCI.

That's a big reason why Anitian's Plato said remediation is the sweet spot. "The beauty of being a remediator is that you're just selling products and doing integration," he said. "If you're the auditor, the challenge is greater, and I do think there could be a backlash."