In 2006, the five major credit card companies created a set of security standards to help reduce the risk of credit card fraud at businesses. The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules designed by the card schemes to ensure that a baseline of security is in place at businesses that process, store or transmit credit card data.
For merchants, this means that they now have certain obligations to protect their payment systems from the risk of fraud, or be at risk of serious fines and penalties. But becoming PCI DSS-compliant can be a tricky and expensive process without the right partners on your side.
Mako Networks manufactures a system that can address 100 percent of a merchant’s PCI DSS network security requirements quickly, easily and cost-effectively. The Mako system is certified by ICSA Labs, the world’s leading independent certifier of firewall security.
Headquartered in New Zealand, Mako Networks has offices globally in the UK and Ireland, Australia and the Middle East. Bill Farmer, Chief Executive Officer of Mako Networks, spoke to The Grocery Trader.
GT – Bill, first of all, to set the scene, when did you join Mako Networks? What were you doing before that?
I joined Mako Networks as CEO in March 2002. I previously built and sold two successful companies, starting in 1980. Both companies employed over 100 people before being sold.
GT – What does your role as CEO involve?
I operate across all divisions of the Mako business and maintain the vision for the company’s growth. I’m responsible for our group operations across the globe.
GT – How much time do you spend in the UK?
I typically spend two weeks here out of every six. The UK is an extremely important market for the company’s future growth.
GT – Who else is on your UK team?
We have a UK General Manager, Chris Nation, supported by local development and support staff. We’ll open a new London office later this year.
GT – Do you personally get involved in talking to major customers?
Personal contact is extremely important, especially for retailers. I’m old school and believe nothing works better than a face-to-face meeting and a handshake, so yes, I talk to our major UK customers. My role is to give them a broad international understanding of what we do.
GT – I gather Mako Networks is the world’s only certified PCI DSS Level One Service Provider for card-present payment services over an Internet Protocol (IP) connection. Are you certified by the PCI Council, or someone else acting on their behalf?
There are lots of different categories of certification that PCI authorise, for software, service providers and so on. Each year we’re certified by an independent PCI DSS auditor, known as a Qualified Security Assessor (QSA). They’re independent of the PCI Council, but are quite knowledgeable in the PCI criteria and stipulations.
GT – In our era of hacked phone calls and so on, how secure is ‘the cloud’?
The cloud is as secure as people choose to make it. Though the cloud itself is an open network, our part of it has robust security in place. Security is absolutely paramount for us, and we have myriad security systems in place to ensure the integrity of our system.
GT – Who are your auditors for PCI DSS and so on?
Our auditors are Verizon Business International. They provide a complete international service, so our certificate will cover a retailer with offices in the UK or around the world.
GT – There are all kinds of companies in the market saying they offer PCI DSS solutions. How are you different?
Every other PCI DSS solution involves a high degree of consulting, which can be a very lengthy and expensive way to achieve compliance.
If you use a conventional vendor, you need to bring in a consultant to put things in place, even for smaller sites. By contrast we’re totally plug and play: you just connect to our system and it looks after itself, including automatic alerts to ensure compliance. It delineates between your card payment network and public network; there’s online reporting, and you can drill down for reports on individual devices. No payment card transactions go through our system: we transact across the public Internet.
GT – When was Mako Networks founded, and who by? Who owns it now?
Simon Gamble and Chris Massam, both of whom still work for the company, founded Mako in New Zealand in 2000. Mako is still privately owned, with operations in Australasia, the Middle East and the UK, and is about to launch in the US. Simon is heading up our US initiative and Chris Nation runs the UK and Europe.
GT – How big is Mako Networks globally?
We have a total of 40 employees and support thousands of devices in 18 countries around the world.
GT – How fast are you growing?
We’re growing exponentially, and are presently in a period of rapid expansion.
GT – How important is the UK in your business? How does Britain stand out as a marketplace for your services?
The UK is very important to us. The northern hemisphere countries are generally much more concerned about PCI DSS compliance, whereas in the south, adoption isn’t nearly as robust. The US and Europe have much stronger disclosure laws and regulations, so when card data breaches happen, people hear about it. That’s great incentive for companies to become compliant – so they don’t end up in news headlines. Mako has invested heavily in PCI, and we are targeting places where there’s the greatest opportunity.
The UK is particularly cognisant of PCI, but is currently only 70% educated at a retail level compared to the US. The US is a pretty regulated and disciplined environment, the UK is a bit less so, but there’s a significant amount of credit card fraud going on in Europe and we want to address it. The biggest problem is, as larger merchants get more compliant, fraud is going to easier targets like online and small businesses. We can help.
GT – If we can look at the big picture, how important is it for retailers to take a holistic approach to their data protection?
A holistic approach to security is essential – you can have the best firewall around but if your staff is writing down customers’ card numbers, it’s no use! There need to be different layers and methods of protection, one of which is a secure network environment.
GT – How can Mako help with this process?
We come in and help the client analyse all the different issues facing them.
When you start to put in security, first you build a fence around the business: in our field we get the network secure before companies come into it. What we do for each client varies depending on what needs doing, be it a terminal, EPOS systems, multiple sites or bespoke solutions. Mako and our partners work with the merchants at the appropriate level. Typically the channel partners we work with will have their own evaluation procedures as well.
We work with a lot of consultants, and you get to the stage where they’re cost prohibitive. We save our clients the cost of consultants. Our solutions are sold by channel partners – whereas consultants cost a fortune, we do all the networking.
GT – You mention you save your customers the costs of consultants. What are the cost savings with a Mako solution?
The cost savings with the Mako System are significant. For example, PCI compliance for a small store using a consultant can cost several thousand pounds, whereas our solution costs hundreds. I know of one retailer where the scoping alone cost a million pounds. You can’t do it as cost effectively using people as you can using computers; this is what network management is all about.
GT – How prone are the current generation of card payment terminals to being compromised?
There’s been a lot of work done in anti-tampering technology with terminals and sophisticated point-to-point encryption, but network security is about never having just one part of the business being protected. It should work like an onion, with multiple layers of security.
We register all the client’s payment terminals onto our Central Management System so no one can come along with rogue terminals that could be compromised or manipulated to steal card data. We can tell if individual terminals have been disconnected at any time. Every terminal is registered on the system, so someone in the company gets an alert if anything changes that might indicate a potential breach.
GT – Can you talk us through the PCI DSS network security system you provide for merchants, and how it works?
The Mako System is a combination of Customer Premise Equipment (CPE) and our Hosted Central Management System (CMS) that work together to provide a complete network connectivity and management solution. All configuration and appliance interaction takes place via a secure website on the CMS, which is accessed over any Internet connection. No configuration takes place on the CPE.
GT – What kinds of organisations are your systems aimed at?
Our solutions are designed for small businesses and branch offices of large organisations. Our clients include both C-stores and some of the biggest high street retailers around the world. In New Zealand we’re also the single largest provider of single-site security for the Ministry of Health. Security is already built into our systems: payment card security is just one more function.
GT – What specific systems and services do you provide which are designed for retailers?
All our systems are designed for retailers with different capacities available depending on the organisation where they’re deployed. The management system stays the same but CPE varies according to the need in terms of the device doing the work and the applications.
GT – Do you offer any solutions specifically for protecting contactless payment and ‘near field communications’ (mobile) terminals?
Yes, we do, but I would emphasise that from our perspective Near Field Communications (NFC) is just another set of devices: everything in the business should be within a payment card protected network environment. When you bring in NFC, the network remains the same.
GT – Do your systems help ensure security for non-payment transactions as well?
Yes they do. Our equipment connects businesses to the Internet, but also gives complete control over access and use. We can filter and block content, prevent dangerous files from being downloaded, and include detailed reporting about how the Internet is being used. Our original business was based on giving small sites ownership of what was going on within their operations.
GT – What does PCI DSS Level One cover?
Level One covers businesses processing 6 million or more transactions per year. The other PCI DSS levels are: Level 2, businesses processing 1 to 6 million transactions per year; Level 3, businesses processing 20,000 to 1 million transactions per year; and Level 4, businesses processing less than 20,000 transactions per year.
GT – In simple terms, what is involved in a retailer achieving PCI DSS compliance?
That’s really something for retailers to talk to their QSA about, but simply stated, PCI compliance is about ensuring a basic level of security is in place that can help prevent credit card fraud.
GT – If a merchant is signed up to a payment system via their bank, aren’t their payments already secured? Aren’t they already PCI DSS-compliant?
Not necessarily. Their transaction might be secure but their network isn’t compliant. PCI requires merchants and their bank to both be compliant, and for various reasons, people quite regularly won’t do anything about security or compliance until after it goes wrong.
GT – Where do you come in?
We get recommended by different people – banks, IT resellers, channel partners and so on, and come in at the stage where the retailer is looking at their annual PCI DSS self-assessment questionnaire, or the bank has put them in touch with us.
GT – What are the benefits of working with an external service provider?
Quite simply, we shoulder the burden for you. Merchants who accept credit and debit card payments in-store and wish to use broadband to transport data must adhere to the new global security standards set by the PCI Security Standards Council to fight payment card fraud. Of the 12 key requirements of PCI DSS, a significant percentage relate to technical details that a merchant trying to manage the day-to-day running of a business is unlikely to understand or have the time to manage. Mako has invested heavily to achieve its unique accreditation that, for the first time, enforces data security of the highest standard on public broadband connections and saves retailers the worry about exposure to data theft relating to both payment and non-payment activity.
GT – In which countries are you certified to be a service provider for on-line businesses?
We have worldwide certification, covering every country.
GT – What do customers get ‘in the box’ with your systems? What specific end-user appliances do you supply?
For most retailers and grocers, they’ll get a Mako 6500, our flagship device. It’s a well-designed piece of equipment that replaces the router they have installed at their business. While it has the same basic capability as a router, to connect to the Internet, it also has a highly secure firewall built in, and comes with an instruction book and cables.
The second half, our Central Management System, is provided online through our secure website. It really is plug and play – connect the cables, log in, and you’re away.
GT – What’s your latest device, and how does it take the technology forward?
Our latest network appliance is the Mako 6500. It’s specially developed for the retail environment, with tamper-proofing, rugged construction and the ability to withstand a wide range of temperatures. It’s compact and can be mounted vertically or flat, so it can sit in the back office or under the point of sale.
GT – Is it available now?
Yes, we started shipping the Mako 6500 in late 2010.
GT – What security verification does it have?
The Mako 6500 has received certification from ICSA Labs, an independent division of Verizon. The certification in the SMB Network Firewall category recognises the Mako 6500 as meeting a high firewall security standard, joining an elite group of technology industry heavyweights celebrating such an achievement.
GT – Do you have any offices in the US?
We’re negotiating with potential partners in North America that could lead to the establishment of our first US office by the end of this year. A mandate for securing transactions over IP has helped drive us to expand our channel there and in other parts of the world, in anticipation of increased demand for our security service.
GT – Do you supply your devices to distributors and third party integrators?
We primarily work through distributors and systems integrators. Some of the very large integrators we work with are subsidiaries of telecoms companies.
GT – Can you name any of your retail clients around the world?
We’re working with the four major oil companies in a number of international jurisdictions.
GT – Do you publish customer case studies?
We’re in the process now of writing up some recent case studies – including some interesting deployments here in the UK.
GT – Do you keep retailers up to date as payment security regulations change?
It’s quite easy to do it for PCI, which is administered from one body. We have a continual upgrade process and have time to make the change before the new version comes out.
GT – How quickly can you come in and set up your systems for a retailer?
It depends how complex the setup is – the customer needs to have all their information online first, and then it’s a matter of device selection and setting up their network connections. But if you’re a small shop with one or two payment terminals, it could only take an hour or two.
GT – Are you exhibiting at any UK retail IT shows?
We attend PCI conferences and major risk management conferences around the world, including in the UK and Europe.
GT – Finally what are your ambitions for the UK? Where do you see Mako’s technology and solutions going from here?
We plan to become the preeminent supplier of network management systems across Europe. Though that may seem like an ambitious goal, I believe we’ve got an excellent solution to a growing problem. We will go on adding functionality to assist merchants in the different parts of their business: for example in the fuel sector, we will integrate our systems with fuel management systems so head offices can see what’s in the tank at individual forecourts.
The bottom line is that we’ll continue to provide an absolutely essential and excellent service to our customers.
Tel: 01483 270130