ETA 2012 Strategic Leadership Forum – Round Table Discussion

I was very fortunate to be on the ETA Technology Committee, which led the Round Table Discussion this year at the 2012 Strategic Leadership Forum, held at the Breakers Hotel in West Palm Beach.  The participants included notable thought leaders and entrepreneurs who provided great insight into this rapidly evolving topic.  It is remarkable to see how the aggregator/“micro” merchant model, through the convergence of technology, is forever changing the industry.  It will be interesting to see how providers respond to this new challenge, and potential opportunity, as they adapt their offerings.

Thanks to ETA for another great forum and we are looking forward to the 2013 Strategic Leadership Forum in Scottsdale, AZ!

About the Author: As Regional Sales Manager for Layered Tech, Steve Chu (@stevendkchu) brings over 9 years of experience to the Payment and PCI Compliant Hosting industry.  His background prior to Layered Tech was with HMS/Micros Systems, which provides a point-of-sale solution for the hospitality industry, and also with global IT consulting firm Sogeti Capgemini.

Cost of Data Breach Review

Recognition of information security responsibility is reducing the cost of breaches.

From time to time I look over the Ponemon Institute reports related to data breach costs to get a feel for the business value of securing data.  After reading the most recent Ponemon Institute report, I want to talk about the interesting executive summary highlights.

The cost of data breach declined in 2011.

  • Opinions vary on why costs would decline, but the decline can generally be attributed to both company preparation prior to a breach and a lower customer churn rate.  When companies can take advantage of preparedness and mature response facilities, the costs of the breach are spread out.  It is also noted that a calm, unhurried response leads to less spending after a breach.

More customers remain loyal following the data breach.

  • I think two factors relate to this point.  The prepared are forgiven, and exposure teaches.  Customers who see a company with security features in place, and one prepared to deal with a breach, will readily stay with that company.  This reduces churn and therefore the cost of a breach.  Companies have also learned how to successfully handle customer relations from previous public exposure events.  We have learned that concentrated and deliberate attacks are unlikely to be rebuffed, but a direct and honest response can score points with consumers and regulators.

Negligent insiders and malicious attacks are the main causes of data breach.

  • This makes sense on a fundamental level.  How else could data be lost?  It must be negligence or maliciousness.  I’ll contend that the one allows the other.

Certain organizational factors reduce the overall cost.

  • Organizations with direct Information Security leadership showed lower cost of breach metrics.  This means the company has focus at the top for information security issues including breach response efforts.  The role is described as a CISO, but the representation could take many forms.  It is the assigning of the responsibility with corresponding resources which is important.  There is also a note that engaging experienced third parties during a breach event can reduce the loss.

Detection and escalation costs declined but notification costs increased.

  • Regulations and mandatory standards for information security practices relating to specific types of data are responsible for this point.  The mandatory requirements allow companies to prepare and budget for the tools that provide detection.  The requirements also inform companies of proper methods and processes for escalation.  At the same time, stronger notification laws have forced more frequent notification activities, increasing how much companies spend.

Breach costs are being reduced, but only for organizations that are prepared and that have assigned a direct leadership role for information security.  As with most things in IT, preparedness produces the most cost-effective outcomes when negative events occur.  Assigning focus via a dedicated leadership position is the most important step a company can take.

Image Credit: Don Hankins

About the Author: As Director of Compliance and Security Services, Ed Welsh maintains and guides a dedicated team in the delivery of Layered Tech’s compliance and audit services.  Ed’s 16 years in IT security include network and web application security experience from positions in the financial industry, H&R Block, Fishnet Security, and independent contracting.  He holds a CISSP certification and has been successfully implementing PCI compliant hosting solutions for the last 5 years.

Mixing Clients in the Cloud

The recently announced Layered Tech Cloud Data Center platform extends our experience in delivering secure and compliant solutions to the cloud, without sacrificing business agility. We have operated secure multi-tenant virtualized platforms for many years, including our virtual private server (VPS) platform (since 2007) and our Matrix community cloud (since 2009). Now we offer a completely virtualized cloud data center environment with an optional PCI and HIPAA compliance service and guarantee.

We operate our Cloud Data Center platform in “mixed mode,” which means we serve clients with internal or regulatory compliance requirements such as PCI-DSS, HIPAA or ISO27001 alongside clients that do not have such requirements. In “mixed mode” we manage the entire environment to meet our highest level of compliance, but let customers select services for each workload based on their need for additional preventative services, reporting and audit assistance. Clients do this with a drop-down menu selection when ordering their environment or virtual machine. It is simple for clients to add, and we automate over 200 steps to build that environment in just minutes.

Figure 1: Selecting Compliance Management when configuring your Cloud Data Center.

The benefit of running in a secure cloud platform is a higher degree of isolation between clients and workloads along with greater protection from external and internal threats of a hack or data breach.

What differentiates a compliant cloud platform from other clouds is our ability to ensure that our clients’ environments are isolated, secure, and protected. But it does not stop there; achieving compliance involves a higher degree of planning, management and transparency. Not only do we collect and share data, we analyze the data and proactively involve the client when potential issues are discovered.

The term ‘compliant cloud’ has actually been circulating for some time. Unfortunately, many cloud providers that claim to offer a compliant cloud are just making log data available but requiring that the client do the analysis. Layered Tech actively manages compliance and offers a 100% compliance guarantee to pass every IT audit for PCI DSS compliant hosting or HIPAA/HITECH compliant hosting.

Learn more about compliant clouds by reading our white paper, “Reducing Risk and Increasing Marketability with PCI-Compliant Community Clouds”.

About the Author: As Vice President of Product Management at Layered Tech, Kevin Van Mondfrans (@VANMONDFRANS | +Kevin Van Mondfrans) is responsible for driving the Layered Tech portfolio of infrastructure as a service (IaaS) and managed service offerings. With more than 20 years of experience in product development and marketing, Kevin has delivered innovative computing, storage, cloud and service offerings with companies such as HP, Dell, and Savvis.


ETA Round Table Will Discuss Emergence of Micro Merchants and Aggregators

The payment industry is now seeing many new Payment Service Providers (PSPs), also called Merchant Aggregators, entering the market to serve small “micro” merchants that have payment card transaction processing needs. This year the Electronic Transactions Association’s Technology Committee is conducting a Round Table discussion at the ETA’s annual Strategic Leadership Forum.  The focus of the discussion will be the Emergence of Micro Merchants and Aggregators, and the Effects on Traditional Payments Business Models.

In this session, participants from across the industry will discuss the impact of merchant aggregation on the traditional merchant acquiring business model, new rules for PSPs and iPSPs, and how acquirers and ISOs will compete and/or cooperate with new market entrants.

Some of the questions that will be discussed include:

  • Is there an increased risk of data breaches since just about anyone can now become a merchant?  If so, how does the industry address this?
  • How solid is the strategy of Square and other similar companies who have made a quick entry into the marketplace?
  • How can an ISO offer a competitive solution to a PSP?
  • Is the recent announcement by Starbucks and Square seen as an opportunity or a threat by ISOs?

The Technology Committee is responsible for identifying current and emerging technology-related issues and assisting with communication of these issues to the membership. The committee provides information on technology trends and applications to ensure that the ETA is established as a valued information source for members and for the industry.  At the 2011 SLF, the Technology Committee conducted a Round Table discussion on Connected Commerce, which addressed the merchant’s ability to connect with consumers whenever and wherever using mobile applications, loyalty, and social media to facilitate transactions.  During the 2011 ETA Annual Meeting, the Technology Committee held a Technology Showcase where technology companies exhibited the latest POS innovations in a hospitality setting.  In addition, the Technology Committee put on a Showcase during the 2012 ETA Annual Meeting where providers demonstrated innovative technology that enables merchants to sell more at the POS.

I am pleased to be part of the ETA’s Technology Committee.  I look forward to moderating this session along with other members of the Technology Committee.

About the Author: As Regional Sales Manager for Layered Tech, Steve Chu (@stevendkchu) brings over 9 years of experience to the Payment and PCI Compliant Hosting industry.  His background prior to Layered Tech was with HMS/Micros Systems, which provides a point-of-sale solution for the hospitality industry, and also with global IT consulting firm Sogeti Capgemini.

Verizon Enters HIPAA Compliance Market

Layered Tech was excited to see Verizon’s October 1 announcement highlighting their new cloud portfolio supporting healthcare security requirements, because it provides further validation that the healthcare industry is growing rapidly and truly needs solutions that meet the stringent HIPAA compliance regulations.

We welcome them to the market, and wanted to highlight some critical advantages Layered Tech offers over Verizon and other major service providers that are new entrants. Layered Tech has gained a unique understanding and reputation as the “service provider to the service provider,” becoming a highly valued partner to software developers (ISVs) that are building SaaS or hosted solutions to support healthcare providers. In addition, we continue to provide secure and compliant solutions directly to the broader healthcare ecosystem, such as Accountable Care Organizations and payer networks.  Further, most of these solutions are delivered in secure and compliant cloud environments, for which we are the leader.

Layered Tech has been supporting secure and compliant cloud and hosting solutions for the healthcare (HIPAA compliance), payment card industry (PCI compliance), and federal (FISMA compliance) markets for many years. This means that we not only provide all of the key infrastructure, security and compliance capabilities, but have actually passed hundreds of audits, allowing our customers to be fully compliant.

Despite all of the hype around their announcement, Verizon actually said in the press release that “each client remains responsible for ensuring that it complies with HIPAA and regulations.”  At Layered Tech, we fully manage the compliance requirements of our customers to the extent of actually providing a Compliance Guarantee.  We do not leave it up to our clients to manage their own compliance needs.

Our leadership was recently reinforced with the launch of our next generation Cloud Data Center platform, which has automated all of the security and compliance tools required to meet the industry and federal regulations for HIPAA and PCI.  The new Layered Tech Cloud Data Center platform also comes with the same Compliance Guarantee, so you can trust Layered Tech to manage this for you.

It is great to see bigger players like Verizon entering the HIPAA compliant hosting market, but we encourage healthcare companies to look to the true security and compliance experts at Layered Tech to solve their needs.

About the Author: As President of Layered Tech, Brad Hokamp (@bradhokamp) brings over 26 years’ experience in the IT and networking industry to his role.  His responsibilities include leading our sales and marketing efforts, as well as product management, customer service and business development initiatives.