Security experts say every time a retailer ends up in the headlines for losing customer credit-card data, a PCI project gets its wings. And, as more companies look to the channel for help with securing their networks for PCI compliance, it's turning out to be a wonderful life for solution providers.
Companies are paying more attention to the PCI Data Security Standard (PCI DSS), a set of requirements drawn up by major credit-card companies for securing cardholder data. In PCI, liability for negligence rolls downhill—from the card companies to the banks that process credit-card transactions and, finally, to the merchants, who face fines, and even revocation of credit-card processing rights, if they don't comply.
The steady drumbeat of recent major credit-card information breaches has been keeping PCI in the spotlight. Last August, hackers got their hands on credit-card account data and personal information for approximately 19,000 customers of AT&T's e-commerce site, and then launched a targeted phishing campaign a few days later that was apparently designed to extract additional information from the affected customers.
In September, Chase Card Services, a division of JPMorgan Chase & Co. that handles credit-card transactions for Circuit City, informed 2.6 million current and former Circuit City credit-card holders that tapes containing their personal information had been accidentally dumped in a landfill.
Then in January, TJX, the parent company of T.J. Maxx, Marshalls and several other retailers, revealed that hackers had broken into its network and accessed credit-card data and personal information of customers in the United States, Ireland, the United Kingdom and Canada.
Last month, TJX said credit-card information on at least 45.7 million customers had been stolen, making it the largest known breach of customer data at the time. Although the card companies haven't commented on the TJX breach because of the ongoing legal investigation, many security experts believe TJX violated PCI by improperly storing cardholder data on its network.
As PCI-related business begins to boom, security VARs and integrators find themselves in the enviable position of having almost too much work to handle. And there's plenty of room for the market to grow: Visa estimates that just 36 percent of Level 1 merchants (which process more than 6 million credit-card transactions annually) and 15 percent of Level 2 merchants (which process at least 1 million) have complied with PCI.
Making Hay While the Sun Shines
Solution providers can either perform PCI assessments of companies' networks and then recommend products to close the gaps they find, or provide the remediation services after an audit, which often means adding firewalls or encryption to the network.
Integrators that have been certified to do PCI assessments include Accuvant, DynTek, FishNet Security and igxglobal.
To lessen the risk of credit-card data falling into the wrong hands, PCI forbids merchants from retaining sensitive authentication data once a sale has been authorized: full magnetic-stripe data, card verification data (the three-digit code on the back of the card) and PINs, said Mark Carney, director of strategic solutions at FishNet Security, Kansas City, Mo.
Cardholder data such as primary account numbers and expiration dates can be stored but has to be encrypted, said Carney. "PCI is all about trying to get prohibited data out of the merchant environment," he said.
FishNet, which handles both PCI assessments and remediation projects, saw top-line revenue for its PCI business grow 733 percent from 2005 to 2006, said Carney.
Quarterly vulnerability assessment scans were one of the first provisions of PCI, but this business has become commoditized as large vendors such as Symantec and Internet Security Systems (now part of IBM) have entered the PCI assessment market, said Evan Tegethoff, director of compliance services at solution provider Accuvant, Denver.
"The challenge of differentiating yourself in the PCI assessment market has gotten more extreme, and it's more difficult for new companies to come in and compete," Tegethoff said.