Archives For PCI

Three Things You Can Do To Earn A Seat At The Table

Continuing from yesterday’s topic, Things Sales People Do That CIOs Hate, last week’s keynote also covered three things CIOs really need…and can’t easily get internally.

  • Security Intelligence. Intelligence is the new security buzzword. Not that it’s new. But for years people have talked about “Defense in Depth”, “Zero Day Response”, “Layered Security,” etc. Recent WSJ reports are telling us that just about every board meeting agenda allots about 30 minutes to security. What do the leaders of that meeting want to know? They want a measure of risk – “What are the odds our company will get hit this year?” Who, besides you, can give them that information?
  • Advice on leveraging new technologies. In the interview I referenced yesterday, the CISO I was meeting with talked about his need for advisors. He can’t know everything, and his team is heads down on support issues, project implementations, and daily operations. They don’t have time to keep up with technology the way you do. So rather than showing up with your corporate presentation, show up with research and examples. Knowing what other “like” companies are doing to compete will go a long way. In the interview he mentioned compliance as an area where they constantly need more advice. Can you advise your clients on HIPAA, GLBA, PCI, etc.?
  • Trust. Most of the sales people out there are just trying to sell. Is that you? Do you care whether your product actually works, or delivers a benefit this client needs? If you do, and I hope you really do, you’re a minority. The great thing about security is that just about everyone needs new security. As threats evolve, and IT moves toward new disruptive technologies, the security strategy is constantly evolving. It’s safe to say that, regardless of who they end up buying from, they do need security. Make sure you are doing the things that earn that trusted advisor status. Security is a great place to start.

Copyright, 2016 David Stelzl

PS. Check out what Compliancy Group has to offer resellers…compliance offerings without going back to school for four years.

In case you missed my recent interview with Marc Haskelson

Here’s a short clip on the difference between security and compliance (specifically HIPAA, but Marc’s answer applies to just about every compliance regulation I can think of – PCI, GLBA, SOX, etc.). The gap is big, and healthcare companies are paying for their lack of knowledge on this subject! When there’s confusion in the marketplace, there’s also opportunity. You can learn more about how to tap this market right here. Just click the Compliancy Box.

© 2015, David Stelzl


I’ve been saying this for years – detection is the most important part, and your managed services program is a critical component of the detection strategy. I just finished up today’s webinar – the second session of Accelerating Managed Services Sales. Both sessions, March and April, were full, with a waiting list. This article on Global Payments underscores a problem common to most security programs – if you read the quotes from the experts cited in this article you will see the recurring theme: firewalls and perimeter security don’t do it.

In today’s session on managed services sales I presented several mistakes being made in the sale of managed services offerings. The biggest one is putting the focus on ROI – return on investment – or TCO – total cost of ownership. Is there a TCO savings? Probably – or maybe even a forceful “YES” – but don’t lead managed services sales with this. Risk is the motivator here, and companies are losing the battle according to last week’s FBI reports. If you’ve read my book, From Vendor to Adviser, you know the value of sound bites; some worth remembering from the above article include:

  1. The Heartland Payment Systems breach exposed 130 million credit card numbers – credit card data is still vulnerable.
  2. The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security.
  3. The perimeter-based approach is not sufficient and fails to protect critical data and internal resources that bypass these point solutions.
  4. Firewalls, antivirus and [intrusion detection and prevention systems] are no longer enough to protect against rapidly evolving zero-day and insider attacks.

Remember, sound bites build credibility; however, as I explain in my book From Vendor to Adviser, they do not sell. They help you relate to executives as long as the source is credible in the eyes of the buyer – so steer away from Infoweek-type sources when gathering these sound bites.

Join me on April 9th – 11th for a deep dive into the world of selling highly profitable security solutions and you’ll also get a one hour one-on-one session with me to review your business and create a more effective strategy for selling more profitable solutions.

Sign up here! Making Money w/ Security (just 5 seats left)

© 2012, David Stelzl

Heartland is working on security – comments from the top may help you as you talk security with the business leaders running the accounts you call on…Some great sound bites sent over by a recent workshop attendee – thanks Tim!

COMMENT: Notice PCI isn’t enough.  It’s interesting that Heartland was considered compliant before the breach, but not after.  No change to the security system, just a failure to protect the data (something not listed in the PCI standards).

“Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough. It’s the “lowest common denominator,” he says, adding that the audit didn’t detect the vulnerability that led to the hack even though it had existed for years.”

COMMENT: Heartland was not required to disclose this breach…read why!

“The laws typically cover so-called personally-identifiable information, which includes some sort of number in combination with a name. The data the hacker stole from Heartland only included credit-card numbers and bank codes. That was enough for the hacker to steal money from card holders’ accounts, but because there was no way for the bad guy to learn the identities of the card holders, Heartland wasn’t required under state laws to disclose the breach.”

COMMENT: Heartland’s voluntary response goes beyond PCI.  Remember Tylenol and the Solid Come Back?  I was there…working with McNeil at the time.  The proper response makes all the difference.

“Heartland is getting ready to roll out a more secure credit-card processing system for its customers. The new system, which will be available on a trial basis starting in the third quarter, will encrypt credit-card data from the time cards are swiped at a store until the data are delivered to the issuing bank.”

(Quotes from:

© David Stelzl 2009

This week the PCI council has posted updates to implementing PCI compliance. As a solution provider you should be aware of the 12 areas for PCI DSS compliance and the council’s recommended approach. As you review this, remember that Heartland was compliant, yet vulnerable. PCI compliance does not mean a company is secure. In fact, you’ll notice that the end-node security requirements don’t necessarily stop computers from being part of P2P networks (note: we’re not saying that would be in compliance, but taking these steps won’t prevent it). As a sales person selling high-tech solutions, you should know the 12 points if you call on anyone taking credit cards. The first PDF link on the PCI council site explains the 12 steps; the Excel sheet then elaborates on the recommended process.