Sunday, September 20, 2009

PCI Compliance - Driving Future Security Spend


Summary

Retailers and other organizations are waking up to the need to become compliant with the PCI Data Security Standards imposed by the credit card companies. While awareness is a good thing, there is still a huge gap in understanding of what the regulations mean, and security spend still lags behind the requirements - especially in a few key areas. There is opportunity here for Symantec, McAfee, Websense, Attachmate, EMC, and many other public and private security firms.

Analysis

Compliance with the Payment Card Industry (PCI) Data Security Standard is a contractual requirement for doing business with the credit card companies. Until now, enforcement has mainly focused on larger retailers and card processors; however, the standard applies to anyone who receives, stores, or transmits the 16-digit credit card number. This includes retailers, banks, credit unions, and other service providers. Awareness is increasing, and initiatives to comply will increase with it - especially at small and medium organizations.

Obtaining compliance means running through a gauntlet of detailed requirements and potentially also passing a formal on-site audit on an annual basis. PCI is a black-and-white, all-or-nothing standard with fairly rigid requirements: if you comply with 99 of 100 items, you fail.

Based on a broad view of the security product market, there are three specific requirements of PCI that I believe will drive future security spending, because many companies do not have the internal technology today to support these needs.

1) Encryption of data at rest. Wherever the 16-digit card number goes, it must be encrypted. Companies are generally good at encrypting data in motion on a network, but encrypting it inside a database or on a filesystem is a different proposition with a different set of products. The more data you are dealing with in terms of storage size, the bigger the vendor opportunity. If the data is inside a SQL database, there is a set of products to address this and a consulting opportunity to integrate them. This also has the potential to drive spend on license upgrades to Microsoft SQL Server Enterprise in order to obtain encryption features. The other set of products is SAN-level encryption solutions, perhaps provided directly by EMC or SafeNet. Speaking from personal experience, this is one of the highest potential compliance costs.

2) Security Information and Event Management (SIEM). This space includes the larger players, from ArcSight through EMC's Network Intelligence and Attachmate's NetIQ offering, down to mid-size solutions from companies such as TriGeo. Many organizations - especially smaller/midsize firms - may not have this in place. Part of the PCI requirement is to log all access to the data and review it on a very regular basis. There is a large opportunity to expand security monitoring from simply looking for network or server attacks into tracking access to and movement of credit card data. My view is that companies with easy-to-deploy solutions for the middle market and smaller companies will pick up an influx of business in the next 24-36 months. There is also a managed services play here for Symantec, SecureWorks, IBM, AT&T, and the other MSSPs.

3) Web Application Firewalling. The latest PCI specification details a need to examine, log, and actively block web-based attacks. This is backed up by research from the nonprofit SANS organization demonstrating that organizations are not focused enough on this threat. Vendors in this space that could pick up business include Imperva, Breach Security, Cisco, and others.

There are many other areas of PCI that could impact spend, but in my conversations with other CISOs these three specific topics seem to be a recurring theme. The need to comply will necessitate finding products to meet these needs, which will in turn drive budget and future deployment.
GL Group
