Small company, big ambitions. Sounds like the classic entrepreneurial dream—but what if it means you bear the burden of big-company regulatory or standards compliance?

Linkable Networks is a Boston-based startup that provides technology-based services that allow consumers to link store-level and item-level discount offers directly to their credit or debit card of choice—without requiring point-of-sale integration, mail-in rebates, or paper coupons. The company sees itself as bridging the gap between advertisers, brands, consumers and financial institutions.

Linkable was formed in September 2010 and currently has fewer than 50 employees. But with the goal of building a highly scalable infrastructure for this spectrum of customers, the company decided it would need security controls for Level-1 PCI DSS compliance, the high-end requirements typically applied to businesses processing more than six million transactions per year.

And if that challenge weren't complicated enough: Linkable's entire technical infrastructure, aside from an office switch, firewall and individual laptops, is cloud-based, with all the audit uncertainty that comes along.

Investing in security

"The needs are primarily about protecting our customers' privacy and securely providing our business value," says Chip Correra, CTO for Linkable Networks. Correra says all major investment decisions are discussed with the company's investors. The basic justification for the extra security spending "was that nearly everyone that we are doing business with is requiring a high level of security/privacy protection," he says. "It was a strategic investment decision that can easily be cost-justified" given the nature of the business and customer base.

However, while it may be obvious that security and privacy should be high-priority investments, Correra notes, "There is a wide spectrum of investments that you can make in [security] and a non-linear curve associated with cost versus value."

"Once we decided to invest significantly more than the typical startup might, it was an easy decision to pick PCI compliance as the standard because it is pervasive and familiar to other companies that we work with," he says.

The company contracted with a locally-based, international information security consulting and services company, TBG Security, to help build the security and PCI compliance program. Linkable began the project in September 2011 with an initial assessment and gap analysis. "We've spent the past two months improving existing policies, standards, awareness, training and technical enablement of our security program," Correra says.

Two elements of the program worth extra emphasis are flexibility and training.

Kevin Gorsline, vice president of Compliance Services at TBG, notes that PCI DSS is an evolving standard, so the security framework has to allow for changes in future requirements.

And Correra notes that improvements in training have been especially important for Linkable. "Most subject matter experts are quick to point out that people, not technology, are the riskiest part of most security programs," he says. "Lack of training leaves security programs very vulnerable, but elaborate training programs can be very, very expensive. TBG was very helpful in guiding us to implement a training program that is appropriate and cost effective for our business."

Linkable has also looked to TBG to provide required compliance services such as vulnerability scanning and penetration testing, Correra says. "One of the key recommendations was about investing in some technology that enables us to efficiently incorporate static byte code scans of our platform," he says. "While our initial scans didn't reveal that we had a long list of issues to resolve, we did discover some areas that we thought were important to improve upon."

Cloud compliance

One of the challenges of the initiative is the company's nearly exclusive use of cloud computing resources, with the entire computing infrastructure on Amazon's public cloud.

"We found that there was plenty of information, best practices, technologies and implementation examples that pre-date [the] cloud environment but far less that accounted for cloud deployments such as ours, and nearly nothing that actually took advantage of some of the natural benefits of clouds," Correra says.

"When the PCI standards were developed, they didn't take into account the challenges of shared environments that cloud computing presents today," says Gorsline. "That being the case, we've had to do more extensive penetration testing to not only ensure that Linkable Networks' data is protected, but that we could not gain access to any other data that might be shared in the cloud environment."

The verification process becomes a bit more cumbersome in this type of environment, Gorsline says, "since we're relying on a third party, in this case Amazon, to report and ensure compliance with the regulations. And then we need to verify that compliance with a limited toolset provided by Amazon."

Over the next year Linkable Networks will let everything it has deployed and learned "soak in" while it practices the new security procedures and makes small improvements as needed, Correra says. "Beyond these short-term goals, we'll keep an eye on some of the emerging security tools and technologies that are specifically geared to cloud environments and look for opportunities to improve the efficiency of our security program," he says.