Small company, big ambitions. Sounds like the classic entrepreneurial dream—but what if it means you bear the burden of big-company regulatory or standards compliance?
Linkable Networks is a Boston-based startup that provides technology-based services that allow consumers to link store-level and item-level discount offers directly to their credit or debit card of choice—without requiring point-of-sale integration, mail-in rebates, or paper coupons. The company sees itself as bridging the gap between advertisers, brands, consumers and financial institutions.
Linkable was formed in September 2010 and currently has fewer than 50 employees. But with the goal of building a highly scalable infrastructure for this spectrum of customers, the company decided it would need security controls for Level-1 PCI DSS compliance, the high-end requirements typically applied to businesses processing more than six million transactions per year.
And if that challenge weren't complicated enough: Linkable's entire technical infrastructure, aside from an office switch, a firewall and individual laptops, is cloud-based, with all the audit uncertainty that comes with it.
Investing in security
"The needs are primarily about protecting our customers' privacy and securely providing our business value," says Chip Correra, CTO for Linkable Networks. Correra says all major investment decisions are discussed with the company's investors. The basic justification for the extra security spending "was that nearly everyone that we are doing business with is requiring a high level of security/privacy protection," he says. "It was a strategic investment decision that can easily be cost-justified" given the nature of the business and customer base.
However, while it may be obvious that security and privacy should be high-priority investments, Correra notes, "There is a wide spectrum of investments that you can make in [security] and a non-linear curve associated with cost versus value."
"Once we decided to invest significantly more than the typical startup might, it was an easy decision to pick PCI compliance as the standard because it is pervasive and familiar to other companies that we work with," he says.
The company contracted with a locally-based, international information security consulting and services company, TBG Security, to help build the security and PCI compliance program. Linkable began the project in September 2011 with an initial assessment and gap analysis. "We've spent the past two months improving existing policies, standards, awareness, training and technical enablement of our security program," Correra says.
Two elements of the program worth extra emphasis are flexibility and training.
Kevin Gorsline, vice president of Compliance Services at TBG, notes that PCI DSS is an evolving standard, so the security framework has to allow for changes in future requirements.
And Correra notes that improvements in training have been especially important for Linkable. "Most subject matter experts are quick to point out that people, not technology, are the riskiest part of most security programs," he says. "Lack of training leaves security programs very vulnerable, but elaborate training programs can be very, very expensive. TBG was very helpful in guiding us to implement a training program that is appropriate and cost effective for our business."