Magazine Article | October 16, 2008

Seize PCI Compliance Opportunities

This VAR estimates a 50% increase in revenue in 2009 due to sales of PCI (Payment Card Industry)-related security services.


Business Solutions, November 2008

John Menezes, president and CEO of Cyberklix

As the reliability and prevalence of broadband Internet and wireless technologies have improved over the years, more businesses have relied on these technologies to connect branch locations, tie mobile workforces into the company network, and convert traditional client/server-based software solutions to lucrative Web-based services. This changing landscape also has created new opportunities for criminals focused on stealing valuable corporate data, and with them an opportunity for VARs. While some of your customers might not be willing to invest heavily in network security solutions, others might be obligated to do so. Indeed, three initiatives requiring a secure network infrastructure have made big headlines in recent years: PCI, Sarbanes-Oxley (SOX), and HIPAA (Health Insurance Portability and Accountability Act) compliance. Cyberklix is one VAR that has found success targeting business related to these types of initiatives. While the creation of managed security solutions to meet the requirements of all three initiatives is leading to 43% revenue growth in 2008 for Cyberklix, PCI work is where the VAR finds its most success.

Why PCI Is An Easy Sell
In 2006, the major credit card companies joined forces and created the PCI Security Standards Council (PCI SSC, http://www.pcisecuritystandards.org/). The PCI SSC sets forth the compliance requirements for retailers and runs the certification programs VARs must complete to gain the various certifications pertaining to PCI compliance work. PCI compliance boils down to this: The payment card industry (led by Visa, MasterCard, and American Express) is mandating that all merchants ensure that card data is secure within their respective IT infrastructure and as it is sent on to the processors. Failure to comply can lead to monetary penalties (up to $500,000 per incident) and even prohibition from processing credit cards. “It’s easy for companies to delay buying your value-added services if there isn’t a strong business case,” says John Menezes, president and CEO of Cyberklix. “PCI compliance has created a business problem that has merchants willing to make a technology investment.” The trick then, as a VAR, is figuring out how to tap into this opportunity. According to Menezes, there are two ways VARs can land PCI-related business: performing security assessments and completing the actual remediation work.

PCI Audits Lead To Big Security, Networking Sales
Menezes says that the certification that has been most beneficial to Cyberklix is known as QSA, or Qualified Security Assessor. QSAs commonly are hired by merchants to perform PCI compliance audits. Nevertheless, Menezes warns that becoming a QSA isn’t a cheap investment.

First, it’s important to note that while it is an employee who ultimately becomes a QSA, your organization will need to be qualified before anything else can happen. The good news is that the PCI SSC has all the requirements listed on its Web site, and the information is pretty easy to understand. The bad news is in the associated expenses. The PCI SSC has set fees specific to each market you plan on servicing. For instance, VARs looking to service the United States or Canada have to pay a $20,000 qualification fee for each country. The annual requalification fee for both countries is $10,000.

If you’re still reading this article, you should know that the PCI SSC also requires a certain amount of insurance coverage for your company — specifically, Workers’ Compensation, Employer’s Liability, Commercial General Liability, Commercial Automotive Insurance, Crime/Fidelity Bond, Technology Errors & Omissions, Cyber-Risk, and Privacy Liability Insurance. Some of that insurance you should already have, although the limits might not meet the PCI SSC’s standards. Still, it’s probable that you’ll need to make some changes to your insurance coverage.

Once your organization meets the requirements, you can have employees train and earn QSA status. Menezes shares that Cyberklix currently has three employees who are QSAs. The training was approximately $1,200 per QSA and took place over a few days. In all, Menezes says that the process of becoming a QSA took Cyberklix nearly 8 months at a cost of about $50,000. “It was worth every penny,” he quickly adds. According to him, the value of being a QSA isn’t in performing assessments; it’s in the remediation work that follows. “Performing assessments as a QSA gets us in on the ground floor of PCI work that may need to be performed for a retailer to be compliant,” says Menezes. “Since becoming a PCI QSA, we’ve landed hundreds of thousands of dollars in PCI remediation work.”

PCI = Recurring Security Revenue
PCI has some requirements concerning conflict of interest with regard to assessment and remediation work. The PCI SSC states that while the actual QSA cannot perform the remediation work, other employees within the approved organization can. According to Menezes, the work is pretty straightforward. “Unlike SOX and HIPAA compliance, PCI is very prescriptive in its requirements,” says Menezes. “They explain exactly what you need to do and how you need to do it; they just don’t tell you what products to use.” While there are many areas where remediation work might exist, Menezes says a few areas commonly require attention. Simplified, one PCI requirement is that merchants encrypt cardholder data being sent from point A to point B.

More Info: For more detail about PCI compliance, go to BSMinfo.com/jp/3470.

Cyberklix relies on SonicWALL for its VPN (virtual private network) solutions that inherently encrypt information being transferred, whether across a LAN, WAN, or the Internet (see the sidebar on Cyberklix’ relationship with SonicWALL on page 38). PCI compliance also requires that computers holding card information be segmented from other areas of the enterprise. In essence, this means creating PCI and non-PCI zones using firewalls. While those two examples might seem rather rudimentary, Menezes warns that not all requirements can be met so easily.

Indeed, there also is a need to consolidate and regularly monitor logs and security event data. Basically, every device that transmits and receives card information needs to be monitored on an ongoing basis. A common roadblock can occur if a merchant is using different devices throughout its card processing network. For example, Cisco equipment can be monitored using Cisco’s own software. UNIX-based servers can be monitored using UNIX-based software. The same goes for Microsoft. If a merchant is using a mix of equipment and software, consolidating all the required event information can be a huge undertaking. Cyberklix uses the RSA enVision platform to monitor 10,000 customer devices and collect more than 40,000 events per second. The VAR has increased the effectiveness of the RSA appliance by adding its own custom programming that consolidates data from disparate devices. The end result is a managed security service offering that now makes up 25% of Cyberklix’ annual revenue, with the average customer paying $20,000 a month. The VAR has been able to turn initial QSA audits into recurring revenue for one reason. “PCI isn’t like Y2K,” says Menezes. “It’s not a one-time upgrade, and then the merchant is done. Merchants have to constantly ensure compliance by on-going monitoring, reporting, and alerting.”

So which merchants are in need of these services? Many. While initial deadlines have passed, new ones now exist, and the majority of merchants still fall short of meeting compliance requirements. Indeed, according to an ongoing poll at the online PCI resource center pcicomplianceguide.org, only 17% of those surveyed state that their organizations are fully PCI compliant. Menezes explains, “Initially, there was a certain amount of urgency among merchants concerning the deadlines. However, the card companies (who set the deadlines) have accepted that the tasks required to become PCI compliant are very complex, costly, and time-consuming.” In short, you still have time to take advantage of this need. In fact, Menezes will tell you that the need for QSAs and remediation work is increasing. It’s up to you to determine whether the initial investment is worth the potential payoff.