PCI standard has internal blindspot

Simon Quicke

The credit card security regulations that make up PCI, whose arrival is looming, have been criticized for being too weak.

The channel has been bracing itself for the past 18 months for the much-delayed arrival of the PCI standard, which finally kicks in next week.

Emma Dunstone, marketing director at Secerno, said that too much of the emphasis of the PCI requirements, particularly 6.6, was on enforcing the need for a firewall, and that there was not enough recognition of internal threats.

"It doesn't do enough to protect against the internal threat, where 80 per cent of attacks come from," she said.

She added that if resellers understood that the minimum requirements were not enough to protect the customer, then they could make additional sales.

"There is a difference between what's compulsory and what's necessary," she said.

Ivan Ristic, vice president of security research at Breach Security, said that, as with other areas of protection, customers had to take a layered approach.

"Web application firewalls are not a silver bullet. Organisations should strive to build applications securely, and to continuously improve the legacy ones. It is a long term process," he said.

Dave Ellis, director of e-security and professional services at ComputerLinks, said that some of the problems could be the result of human error inside an organisation and could be non-malicious, but that the company's crown jewels were stored on internal databases.

"It is important that companies are looking at these things holistically. This whole database area is a key one," he said.
