By Simon Gamble is a co-founder and Business Development Director of Mako Networks, a supplier of PCI DSS compliance and network management solutions.
Credit card fraud is one of the most profitable security exploits, and well on the rise globally. Reports have placed the total losses from card fraud into the trillions of pounds per year exceeding even the drug trade in profitability and scope by some estimates.
Here in the UK, most business owners and consumers feel relatively safe from the threat of fraud. But the fact is that even here, we're not immune from fraudsters.
Debit and credit card fraud does happen and happens often, recent examples show that even the biggest organisations aren't immune to the risks. For example, in May 2011 Sony admitted that it had lost the details of 12,700 credit card account numbers and a recent report revealed that the cost of the average data breach incident in the UK is on the rise for the third year running. Last year is cost UK organisations 1.9 million or 71 per record for every data breach incident.
Selling Security: The Opportunity
Most business owners are interested in reducing risk. But there's a fine line between offering customers a solution that can protect their operation, versus scaring them into a purchase under the threat of crime. The fact is that holistic security should be a part of every business, so that they're not reliant on any one system for protection from threats. So while physical security systems are a start, and firewalls are a better step yet, a total network security solution is one that will actually protect businesses from the threats they face and reduce their overall risk profile.
Network management is one such service that can simultaneously protect businesses and deliver revenue for resellers. By taking the day-to-day operation and management of a network off the hands of a customer, resellers can offer a layered plan that is actually resilient enough to protect a business and still delivers value for a monthly service fee. This security approach can substantially reduce an organisation's risk exposure in the form of penalties and fees in the event of a data loss or breach.
Network management offers a 'sticky' solution for customers that opens the door to recurring revenue streams at resellers. Once a business is protected, chances are good that they'll never be without security protection again and incur the same risk as before. The opportunity and challenge for resellers is to be the first to institute a solution that secures their customers.
Businesses that accept credit cards must have network security that is continuously kept up to date as part of the mandated Payment Card Industry Data Security Standards.
The Payment Card Industry Data Security Standards
In 2006, the five major credit card companies (Visa, MasterCard, American Express, Discover and JCB) came together to develop a set of common security guidelines that would help reduce the risk of credit card fraud. They created the Payment Card Industry Data Security Standards (PCI DSS), which set a minimum standard of security practices that must be met by any company that processes, stores or transmits credit card data. While these rules can be very effective in reducing the threat of fraud, they're notoriously difficult for most small businesses to meet on their own.
The PCI DSS consist of 12 categories of security protocols, totalling 212 individual criteria that must be met by businesses each year. Many of these criteria are also quite technical and specific, well beyond the knowledge and expertise of most small business owners.
Yet PCI DSS mandates that the criteria must be audited annually, supplemented by regular network testing, patching and updating to keep everything up to scratch. For example, passwords must be changed at least every 90 days, and all system changes must be carefully recorded and logged.
It all adds up to a lot of time, trouble and effort that most business owners don't have to spare. That's why many simply ignore the obligations of PCI DSS, continuing their path of non-compliance. Others use the expertise of consultants to achieve PCI DSS compliance, but often at great cost.
The penalties of non-compliance are real and significant. If card fraud occurs at a business, unless the owner can prove that they were PCI DSS-compliant, merchants can be held liable for the cost of the fraud, an investigation to determine how the fraud occurred, remedial costs to become compliant, and an additional punitive fine for non-compliance. That's to say nothing of the cost of reputational damage and loss of customer confidence, two effects that can linger for years afterward.
That's why compliance as a managed service presents enormous opportunity for resellers. Using new tools and technologies, resellers can help businesses achieve and maintain compliance for a reasonable, recurring monthly fee that's well below the cost of hiring an independent consultant.
Networking for Payments
While payment networks and standard computer networks both operate on the same basic principles, there are distinct differences that warrant special attention and scrutiny.
For starters, let's look at the two primary access methods. Until recently, most merchant payment systems connected to banks using a dial-up connection, just the same as you used at home 10 years ago to get online. There's a delay to dial an access number, time to establish a connection, and then the data exchange actually occurs.
But today, that's starting to change. You've probably been using an ADSL or broadband Internet connection at your home for years now, and payment networks are finally making the change as well.
Broadband connections operate at far higher speed because they can carry much more data, reducing that lag time to only a second or two.
Moreover, each dial-up terminal requires a separate phone line, incurring a monthly charge for each connection. Broadband can consolidate the terminals into one connection, reducing costs for customers. So for merchants and resellers, there's serious incentive to swap onto a faster, always-on broadband connection.
But as most savvy Internet users know, the instant you connect to the Internet, you're also open to the threats it contains. Viruses, hackers and other nasties can now access your machines if they're not protected. If it's a payment network with credit card data flowing through it, the stakes are much higher.
Connections need to be secured using a layered approach so that there's no single line of defence. It starts with robust firewalls to keep out unwanted traffic, but payment security needs to go several steps farther to meet the PCI DSS standards we've talked about.
Security can be a difficult solution to sell, and requires commitment on behalf of channel partners to stay updated regarding current regulations and compliance requirements such as PCI DSS. But for those that accept the challenge, the opportunity is great: there are several thousand merchants in the UK that are yet to meet the requirements of PCI DSS, waiting for a partner like you to help them achieve total network security.
 Symantec-Ponemon Report 2011