Thursday, March 28, 2024

Ambiron-TrustWave Merger Comes As Data-Security Issues Peak

With transaction-data security a top-of-mind concern these days in the wake of such breaches as the ChoicePoint case and the theft of card data from the DSW Shoe Warehouse chain, executives for two leading security-audit firms say their merger couldn't have come at a more propitious time. Chicago-based Ambiron LLC and TrustWave Corp., Annapolis, Md., announced last week they were combining their companies to form by far the largest audit company for card-data security. The combined companies account for more than 200 data-security audits yearly among the largest e-commerce merchants, officials say.

In an exclusive interview with Digital Transactions, the leading executives for the two companies explain the merger allows the two companies to offer services they couldn't offer before, and allows them to conduct more local audits for banks and merchants. “Being able to serve merchants and banks in their own locality is important to them, so we've increased our footprint,” says Robert J. McCullen, managing partner at Ambiron and now chief executive of the merged company, which will operate under the Ambiron name in the payments business. The merger leaves the company with a head count of 74, McCullen says.

He adds that TrustWave brings strengths in certain audit activity, for example that related to the Sarbanes Oxley (SOX) law, that Ambiron lacked. The combination will also beef up the company's ability to not only audit compliance with security rules but also help clients change or add procedures to come into compliance, says Joseph L. Patanella, founder of TrustWave and now president of the combined company. “There are a lot of remediation efforts we can do,” he says. At times these efforts can be fairly elementary. “A lot of organizations still don't have a written policy,” Patanella says. “We still see unpatched systems, vulnerable systems with no standard hardening procedures.”

Ironically, though the most publicized cases of stolen data lately have to do with brick-and-mortar merchants, the card networks' Payment Card Industry Data Security Standards (PCI), which were introduced in January and represent a harmonization of data protocols from Visa, MasterCard, American Express, Discover, and other card networks, apply primarily to the practices of online merchants. The very largest merchants, whether brick-and-mortar or online, were required to show compliance by last Sept. 30, but audit deadlines otherwise have been set only for e-commerce retailers. The deadline for most merchants is June 30.

“PCI is explicitly for e-commerce merchants,” says McCullen, even though “the majority of cases [of data breaches] are at physical-world merchants.” He expects audit work for PCI will keep the new Ambiron busy enough, but he remains concerned about the need to audit data practices at all merchant locations. “Look at all the IP terminals being installed now,” he says, pointing to a rapidly growing trend among merchants to install Internet-connected card terminals at the point of sale. “IP means being connected to the Internet, so hackers can scan terminals not protected by passwords.”


Digital Transactions