From The Editor | April 9, 2018

Has Payment Security Become A Commodity?

By Matt Pillar, chief editor

New Security Awareness Guidance

The PCI Security Standards Council’s announcement of plans to strategically drive its QIR (Qualified Integrators and Resellers) program deeper into the SMB retail market is by most counts a positive thing for the industry. Retail’s besiegement by hackers can’t be overstated, and there’s no question that the threat is moving downstream toward underprotected and underserved small and mid-sized merchants.

In response, the PCI SSC has lowered a few barriers to QIR certification in an attempt to individualize the accreditation, clearing the way for the sole proprietors that often serve the IT needs of the small market to add QIR designation to their shingles. Those changes include:

  • A lower cost of certification: It’s plummeted from nearly $400 to just $100, making the effort far more financially palatable to individual solution providers.
  • More frequent recertification: QIRs will need to be recertified annually, as opposed to every three years. Given the speed at which new threats come on the scene, this change is most certainly long overdue.
  • Certification portability: Previously, the QIR credential was an organizational one. Now, it travels with the individual, even if the individual changes his or her employment.
  • Refined focus: Those seeking QIR status will need to focus more concertedly on the three areas that the PCI SSC contends could have prevented most breaches: secure remote access, password management, and software patches/updates.

For the channel, this is a tricky one to suss out. For the greater good of data security, it’s hard to muster a qualm about moves like these. They’re like trickle-down economics, carefully architected to filter payment security into the tier 3 and 4 retail cracks, where too many merchants suffer ignorance at their own peril and that of their consumers, get raked over the coals by larger solutions providers, or, worse, are forgotten by them altogether. The industry needs to instigate moves like this for the protection of consumers and businesses alike.

It’s a little easier to be annoyed by these changes if you run a security-focused POS VAR or ISO, especially if you’ve been going out of your way for the past few years to differentiate your business via a payment security consultancy. When standards bodies make it easier for their standards to be reached, the diamond loses a bit of its shine. The uniqueness of meeting that standard, and any real or perceived market advantage it gave you, goes out the window. The risk of commoditization creeps in.

Certified P2PE Systems Top 200

The commoditization risk is exacerbated when the vendor logos on the shirts of your QIR-certified competitors are all compliant with their own vendor-level payment security requirements, such as the PCI P2PE (point-to-point encryption) Standard. According to stats gathered by QSA (qualified security assessor) Foregenix, the number of vendors achieving PCI P2PE-certified status recently topped 200 for the first time since its 2011 inception.

With this kind of penetration and influence, coupled with the increasing ubiquity of the EMV standard, payment security is becoming a simple expectation of the merchant and hospitality markets. Soon, not only will there be no premium paid for your security credentials, those credentials won’t even distinguish you enough to get a foot in the door first.

What’s a security-minded VAR or MSP to do if it wants to rise above the noise and differentiate its security offering? In a column written for an upcoming issue of Channel Executive magazine, Breadcrumb Cybersecurity CEO Brian Horton offers some pointed advice. Unlike the commodity products you rely on the vendor community to tee up for sale, stuff like e-mail, disaster recovery, POS, and VoIP, for instance, “your security offering is not born with a white-label agreement,” he writes. “Legitimately aligning your brand within the security space requires differentiation – both inside and outside your organization.” He suggests that rather than focusing on a vendor-offered solution to acquire that differentiation—which is a fool’s errand given the homogenization of the payment security space—you look inward. “Your processes, work flows, staffing, and expertise all must be evaluated and re-tooled for the market.” Among the ten points Horton suggests you ponder are alignment with standards beyond the obvious, hiring and training for a specific and unique skill set, getting intimate with the laws governing the data your clients deal in, and revisiting your insurance policies to ensure they align with the liabilities you’re assuming.

As it relates to the refined focus of QIR certification, Horton’s advice is timely. Any number of off-the-shelf software and payment entry devices might allow you to check all the right boxes on your QIR certification. It’s the preparation and intellectual work you put into your organization that will differentiate what you put out to market.

Of course, Horton acknowledges that once your internal approach to data/payment security is ironed out, you’ll need support from the vendor community. Here, he offers caution. “It’s becoming difficult to discern the small shop with some venture capital from the legitimate players,” he writes. “Conversely, there are some legitimate players that are just plain horrible. When selecting manufacturers to partner with, do so slowly and very intentionally. Cool features, awesome reporting, and amazing dashboards are otherwise meaningless if they can’t spot routine threats. Test drive every product, validating the features important to your organization. The last thing you want to do is position a product that simply doesn’t work.”

Look for Horton’s full ten-point list of security offering considerations in the May/June issue of Channel Executive, due out May 1.