Recent Breaches Could Be a Bonanza for a Startup Security Vendor

Recent cases of card-data theft from retailers?and the publicity surrounding them?are apparently generating opportunity for startup security-software companies. “More and more retailers are looking for ways to prevent breaches,” says Mark Buczynski, vice president of marketing at BitArmor Systems Inc., a 4-year-old, Pittsburgh-based company that markets encryption software it has tailored to point-of-sale transactions. The surge in interest among merchants to find solutions that will protect transaction data comes after long months of efforts by acquirers and the card associations to boost compliance with the Payment Card Industry data-security standard, a 2-year-old code that mandates steps such as firewalls, anti-virus protection, data encryption, and destruction of certain mag-stripe data. Many merchants have remained unaware of PCI, and some have found after installing it that their POS software stores card data in violation of PCI. Others have complained that PCI is too rigid and is inconsistently enforced (Digital Transactions News, June 15, 2006). Now, after the headlines generated this year by the TJX Cos. Inc. and Stop & Shop Supermarket Cos. breach cases, the tide may be turning as merchants rush to find ways to lock up data. “Companies don't want to see their names in the press,” says Buczynski. Now, he says, “people are coming to us. We are finding we are getting the majority of our interest from the retail space.” The privately held company, which has a head count of just under 20, does not release its revenues or how many clients it has. One factor that has slowed down compliance is the expense of installing PCI-compliant security systems, including the perceived need to swap out existing POS software and gear that hasn't been fully depreciated. That has presented a challenge to small companies like BitArmor, which spent three years developing its new encryption product, launched in September. Buczynksi says the product requires no replacement of existing software or hardware. The BitArmor software comes in two components, a centralized key server that resides at the retailer's data center, and a module that resides on the POS registers or the in-store processor. Buczynski says the system is compatible with the 90% of POS systems that are based on the Microsoft Windows operating system. The system encrypts card data at the moment it is swiped, and can automate data destruction in compliance with PCI. This automation, Buczynksi says, is crucial. “Companies are struggling with how to do this on an automated basis,” he says. Immediate encryption prevents access by store employees who may have been compromised by hackers. The system also detects missing terminals, protecting against situations like that which happened at a handful of Stop & Shop stores earlier this year when thieves swapped out existing PIN pads with ones they had rigged to collect card information. A factor deterring interest in encryption has been the management of the multiple keys used to mask and then decrypt card data. “Key management becomes a nightmare,” notes Buczynski. “It becomes exponentially hard to manage. If you have 10 million files, you have 10 million keys. Keys have to be rotated, and then revocated if compromised. It gets very ugly.” A feature of BitArmor's software is that it automates this function, as well, he says. Buczynski will not discuss pricing for the system. He cites a recent estimate by Gartner Group that data protection costs companies with at least 100,000 accounts from $6 to $16 per account, ranging from basic encryption up to encryption with host-based intrusion prevention and security audits. By contrast, the Gartner research indicates a data compromise costs around $90 per account in customer notification and other so-called clean-up measures. Then there's the cost to a company's standing with customers. “Data protection is the key to the kingdom for risk mitigation and to keep your name out of the press,” says Buczynski.