The Payment Card Industry's Data Security Standard (PCI DSS) has given hope to all those security manufacturers trying to figure out how to extract more money from the regulatory compliance opportunity, given the general lack of enforcement of HIPAA, GLBA and Sarbanes-Oxley. Just go around any security conference or take a look at any security magazine, and you'll see that PCI is everywhere. So let's take a look at where you fit in as a security reseller.
Since any business accepting any kind of credit card information is subject to PCI compliance, you're likely to find that the majority of your customers fit somewhere in Visa's four levels of covered entities. You'll also find that many of your customers are blissfully unaware of PCI's requirements, which leads us to your first opportunity as their trusted adviser: PCI education. What does it mean, what do they have to do, and what are the consequences if they don't?
PCI data security requires fairly standard controls that you should already be working on with your customers. For example, the network requirements include having a firewall and changing default passwords on network devices. PCI also requires cardholder data to be protected and communications to be encrypted.
Pretty much any organization that has been paying attention to security over the past five years should have many of the PCI basics in pretty good shape. Yet, many of the smaller nuances will be problematic for quite a while. A big value-add that you can bring is to help the customer build PCI-appropriate policies, especially in the areas of data handling and archiving. Walking customers through those first couple of steps can help them overcome the inevitable analysis/paralysis that accompanies trying to understand any new regulation.
The quickest path to the PCI market is to resell a PCI "service" from the likes of a managed scanning vendor, such as Qualys or HackerSafe. These folks offer an online questionnaire and a remote scan to pinpoint where some of the more obvious holes are. There's certainly some attraction for a reseller to look at one of these "PCI in a box" solutions to kick start efforts. But while you wouldn't be reinventing the wheel, you'd obviously be giving most of the revenue to the manufacturer.
Once the big holes are identified, you can work with the customers to fix them. Solutions like application scanning, database security and log management can address a lot of the issues commonly pinpointed in a PCI examination. You can also work with the customer to build some acceptable "compensating controls," which provide defendable alternatives to things like database encryption, as long as the data is adequately protected.
Finally, you can go all-in with PCI and become a "Qualified Security Assessor" in PCI lingo. These are folks that go through a training and certification process with the PCI Security Standards Council. Then you can more formally assess the customer's environment for PCI compliance. QSA certification involves filling out some forms, taking some training and writing a big check (US$20,000 for the first year). This allows you to officially test your customers for PCI compliance and then provide recommendations for how they can fix the issues you uncover.
If we go back to the level of merchants specified by Visa, you'll see that only the top two classes are required to engage with a QSA. So take a look at your customer base (or the customer base you'd like to penetrate) and get a feel for whether that is your target market. That will drive whether you make the investment to become formally QSA certified. Since the bulk of the companies out there are smaller organizations, being able to do the scan and document the PCI compliance efforts may suffice for your customers, and therefore being able to offer those services may suffice for you.
One more thing to keep in mind is that there is some of the fox guarding the henhouse going on here, since your organization would be in a good position to help the customer become compliant after the assessment. There's an independence clause in the PCI documentation as to what needs to be disclosed relative to customers you have assessed and whom also use your products or managed services. Since this is an ethically murky area, make sure you are on the right side when bidding work on the heels of a poor PCI assessment.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.