After spending six of his 10 years in the U.S. Air Force as a cybersecurity professional, Chris Gerritz brought his expertise to the retail payments industry.
His startup, Infocyte, operates on the premise that hacks into payment systems are inevitable. Infocyte incorporated in April and closed on its first round of funding, $500,000 from Live Oak Partners, several weeks ago. The investment has allowed the company to add employees, including Jacob Stauffer, a civilian who's worked for the U.S. Air Force as chief of the intrusion forensics section for eight years.
In the Air Force, "at that level we made some assumptions that they'd be able to get through our defenses undetected," said Gerritz. "We made the assumption that they were there and so we set out to find them."
The same assumptions should apply to retail systems, Gerritz said. The company's tools detect a compromise and provide an audit of sensitive systems. Its product will be ready for a commercial launch in the first quarter of 2015.
"In the commercial world [there's] only a small subset of companies that want to have really good security, like banks for instance...but others just want to be compliant," Gerritz said.
Because most businesses don't want to spend large amounts of money on anti-fraud systems that they might never use, companies can take the Infocyte assessment to their board to show that current investments aren't sufficient, said Gerritz.
Payments companies must have some fraud protection to stay compliant with the Payment Card Industry data security standard. The PCI council, which maintains the PCI standard, frequently insists that its rules are simply a base layer of security that should be built upon.
The card brands have their own set of rules for protection as well.
Merchants that have the money can hire companies such as Trustwave to screen for individual and device identification, comparing these details against risk factors from around the world.
But proactive protection from data breaches could become increasingly popular as more companies demand insight into whether they or their partners have been hacked. For instance, Gerritz said, Infocyte would allow an insurance company to know whether a client's computer systems are clean.
One of the more important advances seen in data breach detection is memory forensics, or the ability to scan the memory of computers to detect the hackers who have learned how to evade antivirus scans by staying off the hard drive of machines, said Gerritz.
Infocyte has done several assessments on federal credit unions and banks in the U.S. Currently the company has two banks in pilot programs.
While Gerritz said Infocyte's price point will be lower than its competition, the company is still experimenting with what to charge. It is looking to target medium-sized banks and retailers, he said.
The startup also wants to provide training for other service providers so that others can perform these types of assessments, plus it could also train in-house teams to do their own sweeps, although they would have to use an Infocyte box.
The payments space, which has been riddled with high profile data breaches since last holiday season, could attract more military-grade data breach and fraud protection services soon. The military encourages entrepreneurship through boot camps that help veterans build companies specifically in the field of cybersecurity, said Gerritz.