The Green Sheet

The firewall people

[Editor's Note: VendorSafe is now Netsurion.] Vendor Safe Technologies has a motto: Security first, PCI second. The information technology (IT) security vendor specializes in merchant compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), deploying comprehensive firewalling programs and other intricate security measures to get them there.

But its representatives also take pride in offering a package that goes well beyond the standard to ensure that merchants are carefully safeguarded from cyber criminals nearby and the world over.

The company, headquartered in Houston, Texas, was founded in 1989 by two brothers, Mark and Brad Cyprus. Today, Brad is the company's Senior Security Architect; Mark is the Chief Technology Officer.

Both are exceptionally smart "in different ways," according to Bill Pickard, Vendor Safe's Chief Operating Officer. Mark, who sits on several industry oversight bodies, including the PCI committee of the Retail Solutions Providers Association, is the "world's expert on Level 4 merchant PCI compliance," Pickard said. "He's unbelievable.

"I worked for Sprint, which is a Fortune 100 company, and he is as smart, if not smarter, than the smartest guy we had at Sprint."

Pickard joined Vendor Safe in 2007, around the same time the company hired its current Chief Executive Officer, Chris Melson. Both were recruited to help the company develop and market what has become its signature technology - what Vendor Safe calls its "self-configuring firewall architecture," a remotely configured and operated firewall for POS environments.

The technology, the brainchild of Mark Cyprus, is patent pending. Pickard noted that Vendor Safe is the only company that has it. POS firewall implementation normally entails an extensive on-site installation process. Vendor Safe's firewall, and the PCI Managed Security Suite package within which it's contained, can be installed in minutes, Melson said.

"When we send out the firewall we tell the customer to go to a location on our website and click a link," Melson said. "That's all they have to do is click this link, some software gets installed on their system that allows us to understand their network topology, and then it sends them a firewall.

Then we can talk them through installing the Ethernet cable on the firewall: they just have to plug in the cable; then they walk away, and we do everything remotely."

Focusing on the Level 4's

The package is aimed primarily at Level 4 merchants (those processing fewer than 1 million transactions per year), who are most in need of a relatively cheap solution that's automated and doesn't demand technological savvy from its user.

"The systems are very automated, which allows us to keep our cost down, which we pass on to them in the form of a low monthly fee to keep them PCI compliant," Melson said. "The guy that has a sandwich shop can't afford $25,000 to do a gap analysis or even $10,000 a year for security. But he can afford $50, $60 or $70 a month."

Pickard said merchants of all sizes subscribe to the service, but that its biggest customers are Level 4 merchants with "geographically distributed offices and small IT staffs." He added that Vendor Safe's products are sold almost entirely through reseller channels.

Vendor Safe's self-configuring security network automatically tailors itself to fit the differently configured environments of multilocation merchants, Pickard said. That ensures that networks are fully segmented, with the POS system sealed off from all proximate digital entryways.

"You have a market that is huge and underserved and has a need for security measures that are mandated not only by the Payment Card Industry, but also by a number of state governments that have passed the PCI DSS or some separate standard to protect credit card data," Melson said. "We have a solution that meets that need."

Pickard said the PCI management system allows merchants to skip over about two-thirds of the questions on the PCI compliance questionnaire, which contains 225 questions for merchants who store card information. "Think of those questions as requirements," Pickard said. "We're providing a service that allows you to answer positively that 'we are fulfilling these following requirements.'"

Melson added that merchants whose networks run over a dedicated phone line use Vendor Safe's PCI Compliance Reporting Suite, a less expensive option.

But those who process transactions over public data networks using, for example, a DSL or cable modem to route transactions over the Internet use the company's PCI Compliance Managed Security Suite, a more tightly controlled and monitored option.

"It's much more difficult to hack into a traditional phone line that's a dedicated point to point connection," Melson said.

Unrivaled patent-pending product

Pickard said that when the company applied for insurance on its patent, the insurer couldn't find a single company that had patented anything remotely similar (patent insurance rates are based largely on the insurer's assessment of the probability of litigation by companies that have patented similar products). To the company's knowledge, its self-configuring firewall is unique and novel.

Pickard said Vendor Safe's firewall and accompanying PCI program can be installed with a simple plug-in and a few clicks of the mouse. The bulk of the installation and operation is performed remotely by Vendor Safe - although the package is, as advertised, largely "self-configuring," meaning it largely installs itself by forming around the existing contours of a given merchant's digital layout.

"The differentiator for us is we do compliance for a fixed monthly fee," Pickard said. "Other companies bring out security analyzers and tell merchants exactly how to build a specific solution. ... We have a standard solution delivered via managed service.

"All our customers look the same to us: they all get a firewall; we manage that firewall 24/7 without sending somebody on site, and we don't make them change their IP address at the local land level."

Melson said the company's firewall automatically segments a merchant's POS system to keep it separated from other media channels that can function as gateways for hackers.

"Part of our service is to set the firewall up so [different networks] are zoned off," Melson said. He noted that typically, digital video recorders (DVRs), for example, have to be open to the Internet so they can be accessed remotely by managers monitoring stores from off-premise locations.

"We don't want that Internet opening to migrate its way over to your point of sale network," he said. "Otherwise, the hole you might leave that allows you to access the DVR remotely might be accessed by a hacker to get into your point of sale system.

"If he's only accessing the DVR that's not a big deal, but if he found his way into your point of sale system and could access your credit card data, that's a serious problem. If you have a sophisticated firewall in place, you can fix it so that those are on completely separate networks.

So even though he's [hacked into] the DVR he still can't get into the point of sale system."

Rogue device detection

In addition to the firewall, the company's PCI compliance package comes with a rogue device detector meant to monitor on-site criminals who try to siphon card numbers with malware that's injected using a laptop or skimmer.

"People in Russia and China are really good at accessing networks from afar, but there is also the threat that someone could walk into your restaurant and get into your system internally, whether through your wireless network or even walking up and maybe plugging an Ethernet cable into your switch," Melson said.

"Our system protects against that as well. If somebody plugs a rogue device into the network, we can detect it and block it. We have a 24-hour monitoring system. If we detect suspicious behavior, we'll alert the merchant."

Pickard added that somebody trying to gain external access could try to log on to the network 50 times in 20 minutes. "That's a machine trying to log on, not a person," he said. "And we would detect that something was wrong. Or there are man-in-the-middle attacks. ... All the ways that hackers try to penetrate a system we are on the lookout for."
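The "50 logons in 20 minutes" heuristic Pickard describes, as an added example that is not part of the article or of Vendor Safe's product: a sliding-window detector run over a constructed logon log. The log format, addresses and user names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the article: 50 logon attempts in 20 minutes from one
# source is "a machine trying to log on, not a person".
MAX_ATTEMPTS = 50
WINDOW = timedelta(minutes=20)

# Constructed log format (an assumption, not any real product's format):
#   2024-01-15T09:00:00 LOGIN FAIL src=203.0.113.7 user=admin
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "src": m["src"], "user": m["user"]}

def detect_machine_logons(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {src: time the threshold was first crossed} using a sliding window."""
    recent = defaultdict(deque)  # per-source attempt times inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the monitor
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop attempts older than the window
        if len(q) >= max_attempts and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts

def build_sample_log():
    """Constructed sample: one scripted source and one human-paced clerk."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(60):  # 60 failures, one every 15 s (15 minutes in total)
        t = start + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} LOGIN FAIL src=203.0.113.7 user=admin")
    for i in range(6):   # 6 failures spread over an hour: never 50 in 20 min
        t = start + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} LOGIN FAIL src=192.0.2.25 user=clerk")
    return lines
```

Running `detect_machine_logons(build_sample_log())` flags only 203.0.113.7, at the moment of its 50th attempt; the clerk's slow failures never accumulate 50 inside any 20-minute window.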

Pickard said the company's PCI compliance programs also include mechanisms for encrypting data and regulating its transmission. When a merchant registers with Vendor Safe, it is required to list the parties that it communicates with - such as vendors, processors and other business partners.

The IP addresses of those workplaces are then noted by Vendor Safe, and any attempts at digitally communicating with IP addresses outside of those listed are blocked. That prevents hackers from sending card information to external sources.
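The partner allowlist described above, as an added example that is not Vendor Safe's own code: outbound flows from the POS segment are checked against the address blocks of the registered partners and everything else is denied by default. The partner names, address blocks and POS subnet are constructed for the example.

```python
import ipaddress

# Constructed partner list (an assumption): at registration the merchant names
# the parties its POS talks to; each maps to address blocks (RFC 5737 ranges here).
ALLOWED_PARTNERS = {
    "card-processor": ["198.51.100.0/28"],
    "menu-vendor": ["203.0.113.40/32", "203.0.113.41/32"],
}
# Constructed POS subnet: traffic staying inside it is a segmentation matter.
SITE_NETWORKS = [ipaddress.ip_network("10.0.20.0/24")]

def compile_allowlist(partners):
    """Flatten {partner: [cidr, ...]} into [(network, partner)], longest prefix first."""
    entries = [(ipaddress.ip_network(c, strict=True), name)
               for name, cidrs in partners.items() for c in cidrs]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def match_partner(dst, allowlist):
    """Return the partner whose block covers dst, or None if none is listed."""
    addr = ipaddress.ip_address(dst)
    for net, name in allowlist:
        if addr.version == net.version and addr in net:
            return name
    return None

def filter_egress(flows, partners=ALLOWED_PARTNERS):
    """Split outbound (src, dst) flows into allowed [(src, dst, partner)] and
    blocked [(src, dst)]. Destinations inside SITE_NETWORKS are skipped (an
    assumption): they are intra-site and governed by the segmentation rules."""
    allowlist = compile_allowlist(partners)
    allowed, blocked = [], []
    for src, dst in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in SITE_NETWORKS):
            continue
        name = match_partner(dst, allowlist)
        if name is None:
            blocked.append((src, dst))   # default deny: not a listed partner
        else:
            allowed.append((src, dst, name))
    return allowed, blocked

# Constructed sample of outbound connections seen from the POS segment.
SAMPLE_FLOWS = [
    ("10.0.20.5", "198.51.100.3"),    # inside the processor's /28: allowed
    ("10.0.20.5", "203.0.113.41"),    # listed vendor host: allowed
    ("10.0.20.5", "198.51.100.200"),  # same /24 but outside the /28: blocked
    ("10.0.20.6", "192.0.2.77"),      # unknown external host: blocked
    ("10.0.20.6", "10.0.20.1"),       # local gateway: not an egress decision
]
```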

Clients all over the continent

Vendor Safe services over 20,000 store locations in every state but Hawaii, as well as in Canada and Mexico. Pickard said the company tends to tackle client problems as if they were its own, adding that the company insures merchants for breach costs up to $50,000. "This company was built around designing and managing data networks, and it's still that way today," Pickard said. "When you manage data networks, security is the major focus. ... If you want to be PCI compliant, first and foremost you need to worry about security.

So that's what we do every day - 24 hours a day, eight days a week. You worry about security and PCI tends to fall into place."


NETSURION (formerly Vendor Safe Technologies)

ISO/MLS contact:

Chris Melson
President and Chief Executive Officer
Phone: 713-929-0201
E-mail: cmelson@vendorsafe.com

Company address:
7324 Southwest Freeway
Houston, TX 77074
Phone: 713-929-0200
Fax: 713-773-2669
Website: www.netsurion.com

ISO/MLS benefits:

  • PCI Managed Security Suite eliminates about two-thirds of the questions for merchants in the PCI questionnaire
  • Self-configuring firewall can be easily installed without an on-site engineer
  • Company specializes in providing security for Level 4 merchants
  • PCI compliance package includes rogue device detector and data transmission regulator
  • Merchants are insured up to $50,000 in related costs if they are breached


Company Profile originally appeared in
The Green Sheet Issue 100601