On 10 September 2009, Payment Card Industry (PCI) compliance vendor Trustwave announced the acquisition of data loss prevention (DLP) provider Vericept. The acquisition closed on 26 August 2009. Trustwave did not disclose the terms of the deal, but said it plans to retain the Vericept management team and integrate content-aware DLP functions into its PCI compliance and managed services. Trustwave also said it intends to maintain a presence in the enterprise DLP market.

This acquisition is a sound move for Trustwave. Content-aware DLP functions complement many of Trustwave's current service offerings and are useful to organizations facing PCI compliance requirements, as DLP functions help provide stronger segregation of card data handling systems. This deal also continues Trustwave's strategy of acquiring complementary technologies to enhance its PCI-oriented managed services: Earlier this year, in February, Trustwave acquired network access control (NAC) vendor Mirage Networks.

The content-aware DLP market will be mostly unaffected by this acquisition. Since 2008, Vericept has faced significant funding and resource challenges and has struggled to maintain its competitiveness. The company has been primarily hampered by the vendor risk it represented to prospective buyers, but Gartner has always believed Vericept technology to be sound. Although this acquisition should bring stability to Vericept and increase its sales through Trustwave's direct sales force and strong channels, Gartner believes the deal lacks the market-changing force of previous acquisitions in the consolidating enterprise DLP market, such as Symantec acquiring Vontu and RSA acquiring Tablus. We believe that the disconnect between Trustwave's core business in PCI assessments and managed services and the goal of aggressively pursuing the enterprise DLP market will negatively impact its ability to maintain the competitiveness of the Vericept product.

• Trustwave customers and prospects: Add Trustwave/Vericept DLP capabilities to your shortlist for managed services to meet PCI requirements, but verify integration plans and road map before committing. For enterprise DLP requirements, explore the new functions, but do not automatically give any preference to Trustwave in selection criteria.
• Vericept customers: Maintain your current investment if you are content with your current implementation or interested in pursuing a PCI-compliance-centric or managed services implementation of DLP. If you're a larger enterprise seeking to deploy enterprisewide DLP functions in network, discovery and endpoint, start exploring options with other enterprise DLP providers.

• "Limiting the Scope of Payment Card Industry Audits and Liability” — Proper network segmentation and outsourcing of as much card data processing and storage as possible can help enterprises limit PCI compliance efforts. By John Pescatore and Avivah Litan
• "Critical Capabilities for Content-Aware Data Loss Prevention” — Three use cases will help organizations develop a clear DLP strategy with specific business requirements before they attempt to select a product. By Paul Proctor and Eric Ouellet

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)