14193 S. Minuteman Drive #100, Salt Lake City, UT 84020
888-303-7770 / 801-208-1109

Tim Cranny, CEO of Panoptic Security

Panoptic Security is a technology security company that specializes in PCI compliance programs for small and mid-size merchants. Its ExpertPCI™ online Web application enables merchants to assess their PCI compliance and acquire the PCI compliance documents needed for validation. Its solutions make PCI assessment and compliance more understandable and affordable for any business owner or manager, ensuring they can mitigate data breaches and securely handle credit card transactions. Panoptic Security supports merchant PCI needs directly and through relationships with merchant service providers, ISOs, credit card processors and acquiring banks. PCI compliance is required for all businesses that do credit card transactions with their customers. We talked with Tim Cranny, Panoptic CEO, about his company and the issue of the Payment Card Industry Data Security Standard (PCI DSS) in the security space.

Silicon Slopes: What is Panoptic Security and ExpertPCI?

Tim Cranny: Panoptic Security is an information security company based in Salt Lake City that specializes in PCI compliance programs. We provide an enterprise level online Web application that helps small to midsize businesses that handle credit card transactions assess whether or not they are PCI compliant, and assists them through the process of becoming compliant. By leveraging a strong executive team of industry leading technologists and PCI compliance experts, the company has developed a SaaS solution that makes PCI compliance more understandable and affordable for small merchants.

ExpertPCI, our flagship product, is based on our smart technology which helps merchants through the entire PCI security process. By answering some basic questions, the software identifies which PCI questions to ask, based on the business’s credit card transaction environment. Once the information is obtained, ExpertPCI advises the merchant how to become PCI compliant.

As a part of the PCI compliance process there are a number of reports and documents that a merchant is required to complete. Not all PCI compliance solutions for small business offer a complete package for the merchant. None of them customize those documents specifically to the merchant the way Panoptic Security does.

As a part of the ExpertPCI package, a merchant receives: proper PCI SAQ selection, simplified help-based SAQ completion, a customized Security Policy, a customized Remediation Plan, a customized Incident Response Plan, 12 months' access to ExpertPCI for updated PCI information and to change their documents based on changes in their business, expert support, and the proper reports needed for their merchant service provider to submit to their acquiring bank.

Our merchant service provider partners, such as the ISOs, processors and acquiring banks, receive real-time access to dashboard-style reports that are needed to show PCI compliance for their merchants. These reports can be customized in basically any way a partner would like.

Silicon Slopes: What is PCI Compliance? 

Tim Cranny: PCI DSS (Payment Card Industry Data Security Standard) compliance is actually a fascinating thing. PCI is a broad, comprehensive, detailed and technical set of security requirements created by the major credit card payment brands including Visa, MasterCard, American Express, and Discover. Each year, the various payment brands spend millions of dollars on marketing to consumers and encouraging them to use plastic over cash, but these credit card payment brands also realize that their entire business model and brand is hostage to the performance of every small merchant who takes credit cards. For example, if you go to a florist and use a credit card instead of cash to buy flowers, and then get your identity stolen, you don’t just blame that florist, but also the card company as well. Next time, you might be more inclined to use cash. PCI is a response to that threat, and its goal is to ensure that people who want to use their credit cards can do so securely, with confidence and trust, because the merchant is compliant with all of the Payment Card Industry (PCI) standards.

Silicon Slopes: Who needs to be compliant?

Tim Cranny: Every merchant, of any size or transaction volume, who accepts major credit cards, needs to be PCI compliant. For large organizations this isn’t too much of a challenge: they are more likely to have experts on hand who understand the PCI security issues and can handle it, but for the small merchants, it often feels like they are dealing with something that is more confusing than the tax code.

Silicon Slopes: Is PCI a significant issue in the security space?

Tim Cranny: Yes, and it is growing more significant every day. The most noteworthy thing about PCI is how it has revolutionized the way data security and credit card transaction requirements are now imposed on small businesses. It is also significant because of how it helps them create a healthy and secure environment to transact business safely with their customers.

The key is the impact and relationship on small businesses and the public. Companies the size of Target or WalMart, with thousands of credit card transactions each day on a global level, usually handle their data security and PCI compliance through consultants that develop enterprise-wide security solutions for them.

But, when you assess the data vulnerability to small businesses like local gas stations, specialty stores or restaurants, the impact of ID theft or a data breach creates pressures for virtually every small business owner. Small businesses can’t afford to lose customers because they are not a secure business to transact with. They can’t afford not to accept credit cards as payment. They can’t afford the fines and/or fees that can be applied to them in the event of a data breach. And let’s not forget that more than 90% of all retail businesses globally are considered small to mid-sized businesses. The proportion of businesses combined with the potential for ID theft or data breaches is astronomical.

By applying PCI requirements to small merchants, as a benefit to their business health, it has revolutionized security for them and has made it more than just a new security standard. It makes it possible for small businesses to remain a safe and trusted place for the public to interact with.

Silicon Slopes: Who are your target markets?

Tim Cranny: The direct consumers of our ExpertPCI Web application are small business merchants. They are the folks who have the most trouble with PCI compliance. They are typically not aware of the data threats to their businesses. They assume too much security with their Point of Sale equipment. They are not usually technology-savvy and rarely have dedicated IT support. Merchants can independently come to our site, www.panopticsecurity.com, and engage directly with us, if they want.

Our channel of business development is through merchant service providers, such as ISOs, their agents, payment processors, POS providers and the acquiring banks through which merchants manage their credit card transactions. We develop customized programs for these partners to implement simplified PCI compliance to all of their merchants. We even provide vertical-specific template programs for organizations that have many of their merchants in specific vertical markets, such as movie theaters, gas stations, pharmacies, etc. This ability is a unique differentiator for Panoptic Security in the PCI compliance space.

We also work with direct selling companies, franchise organizations and online retail support centers. These types of companies all have small businesses as their customers or sales agents. Our custom programs for these types of organizations are unique and specialized to their business and industry.

Silicon Slopes: How are you unique in the marketplace?

Tim Cranny: One key difference is our implementation process for merchant service providers, ISOs, processors, acquiring banks, direct selling companies, franchise organizations and online retail support centers. Our methodology minimizes the time to implement for these organizations and ensures their merchants are processed faster and easier.

There are a handful of companies that target the small merchant but they treat them like large enterprises. This usually results in higher costs and lower levels of customization. At Panoptic Security, our business model and solution have been tailored for the small merchant. It allows the merchant and their service providers to have a customized approach to PCI at a much lower cost than other solutions available. 

Another key differentiator is our unique Vertical Templates Program. This program allows merchant service providers, whose clients are vertical industry specific, to access our ExpertPCI application for each vertical industry. This makes for even easier completion of the PCI DSS SAQ. By using this customized technology, our Templates Program can be applied to virtually any vertical market, including gas stations, pharmacies, beauty shops and salons, and movie theaters.

Still another great differentiator is our Remediation Reseller program. Considering most merchants will need to “fix” issues within their business environment to become PCI compliant, we make it easier for them to access the companies that can provide them with the tools they will need, such as firewalls. And we also make the Remediation Reseller program another channel development opportunity for us with our partners. Our goal is to make becoming PCI compliant and remaining that way easy for small businesses. They need immediate access to the right information and resources from us in order to achieve this.

When you combine the mentioned differentiators with our dashboard-style reports for the merchant service providers, which can be customized as needed, we stand heads above the competition. There are other unique and opportunity-based differences that we offer all of our partners. We need to keep a few of those to ourselves right now so we can continue to outdistance the competition.

Silicon Slopes: What are your future plans for continued growth and success (HIPAA & SOX)?

Tim Cranny: PCI is very important and is right here right now, but there are some other issues that are similar and are going to gain equal importance over time. For example, take HIPAA and the regulations that are aimed at various healthcare organizations to protect personal healthcare records. HIPAA poses security requirements on even the smallest pharmacies and doctors' offices to protect personal patient information. This is another example of how a small organization that can be unsophisticated from a security point of view now needs to worry about security requirements in order to stay in business.

At Panoptic we are currently developing solutions specifically for HIPAA and SOX for both the small business and the institutional provider. For small businesses that will need these, we understand they typically can’t afford security consultants. They need technology and security tools that achieve compliance in an efficient way, in spite of being a small business.

We look to keep Utah and the global business community involved and aware of the security-based advancements being developed at Panoptic Security for a variety of application environments.