Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Data Security Posts

As merchants and the entire payments community in the U.S. prepare to implement EMV, there are questions and concerns about the technology changes and investment required. Perhaps the biggest change isn’t so much a technology investment, although that will certainly play a role, but an investment in changing the behavior patterns of both associates and customers.

There is a debate going on currently about how EMV will be implemented in the United States. Throughout the rest of the world, we tend to think of EMV as “chip-and-PIN”. PIN is just one of the EMV acceptable methods of authentication. Visa is promoting “chip-and-Sig” (signature) as an alternative for the United States. Traditionally, an EMV cardholder does not relinquish their card, which implies the implementation of pay at the table for hospitality. Not only is this a significant investment in new technology, but it will also require changing our habits. Does the waiter stay near the table when leaving a payment terminal, or leave and return as they do today? What if consumers have trouble with the device? How are split checks handled? These are all questions beyond pure technology which will also require significant investment.

To make matters more interesting, all of this is happening at a time when alternative payment methods such as PayPal, TabbedOut and Square are springing up with new ways to fundamentally change the payment experience, especially in hospitality.

There are no easy answers to these questions, and no doubt the U.S. will go through some turmoil as merchants sort out the best solutions for their particular business. Currently the talk is about the benefits of EMV, and the need for the United States to “join the rest of the world.” While the benefits are there, the challenges are as well. Here at Merchant Link, we are striving to develop EMV solutions which address the technology aspects of the equation. At the same time, the best technological solution will only succeed if it meets the business and cultural requirements as well.

What do you think? We welcome your input on how these cultural changes to the payment experience will impact your business, what you think it will mean for a consumer to maintain possession of their payment card throughout the process, and what you think are the key challenges of EMV beyond the technology. Share your thoughts below.

When it comes to evaluating payment data security technologies, are you following the 5 “S’s”: scope, study, support, seek, secure?

If you’re not, how can you really know your data is protected and secure? Too often merchants go with the solution that is directly in front of them. They are focusing on their business, selling their products and services to their customers, and security and PCI simply get in the way. But one breach and suddenly, all of their hard work is gone.

A breach of merchant data not only hurts the consumer, but it harms the merchant as well. PCI will fine merchants in the case of a negligent breach, and once the word gets out, consumers become wary of doing business with you – so the merchant’s brand reputation is impacted.

The process of evaluating all the different payment security technologies out there doesn’t have to be complicated or time-consuming. Follow these 5 simple steps…

  1. SCOPE – Examine your data flow and look at where data is stored
  2. STUDY – Educate yourself on security methods, technologies, and PCI compliance
  3. SUPPORT – Inventory current systems – your hardware, software, and processors – and understand how they will integrate with the new technology
  4. SEEK – Evaluate vendors and seek answers to key questions
  5. SECURE – Implement the right mix of methods and technologies to secure cardholder data

If you don’t know whether or not your data is protected and secure, give us a call.

Watching the Olympics, it’s always fascinating (and heartbreaking) to see how split seconds and minor missteps are what ultimately separate the winners from the losers. In fact, that’s why the technology that’s used at the games is incredibly important…with high-speed cameras, lasers and sensors that measure in the hundredths to thousandths of seconds.

Yesterday in the men’s 200m butterfly, Michael Phelps led almost the entire race and was on his way to winning his 18th medal when, in the very last stretch, South Africa’s Chad le Clos reached farther and touched the wall just .05 of a second before Phelps. It was so close that Michael’s mother and even his coach thought he’d won.

The Olympics aren’t the only place where the smallest mistake or split-second lull in your resolve can bring heavy consequences. Protecting your customers’ payment data requires the same level of precision and persistence.

Examine how payment data is flowing through your network. When a credit card is swiped or entered into the system, how and when is that data being secured? Encryption should occur at, or as close as possible to, the point of interaction (POI). If it’s left “in the clear” even for a millisecond, that provides a window of opportunity for a hacker to place a piece of malware there and steal the data. Point-to-point encryption (P2PE) is one way merchants are preventing theft of data in-transit. To protect stored data, tokenization is an effective method. Both technologies can be employed in tandem to protect payment data end to end.

And don’t discount the human, or psychological, factor. By the time athletes arrive at the Olympics, they’ve put in countless hours of training and are ready physically, but if they’re off mentally at the moment it counts, it can hurt their performance. Similarly, merchants can implement the most advanced security technology available, but if they don’t prepare their staff to guard against threats such as social engineering, their own people could be manipulated into divulging confidential information. Security is like a chain: it’s only as strong as its weakest link.

CIOs and IT staff have continually full plates these days.  They are required to juggle complex and often competing projects just to “keep the lights on” and at the same time work toward the overall vision their CEO lays out for the business.  Operating during a down economy the past few years has caused businesses to look for efficiencies, and many have reduced staff.  At the same time there has been an explosion of user-generated project requests for new applications, web functionality and mobile technology.  It can be a tall order to implement new or strategic projects such as company-wide security plans and PCI compliance when you are fighting every day just to do the basics.

For hospitality IT departments, putting off security projects can be very risky.  As Merchant Link reported in March of this year, according to the Verizon 2012 Data Breach Investigation Report, Restaurants/Accommodations continues to be the most targeted industry for data breach attacks.  So how can you, the CIO or IT Director, ensure that data security doesn’t fall to the bottom of your “to-do” list?  By partnering with a payment security expert, you can benefit from the collective experience and support garnered by assisting numerous customers in implementing a secure and comprehensive solution.

Look for a flexible payment data security solution that takes a layered approach to implementation so you can plan each stage.  This eases constraints on resources while still allowing you to gain benefits as you implement each layer.  For example, by implementing a cloud-based payment gateway, merchants can take advantage of a hosted architecture while removing the credit card interface system from PCI scope.  Additional scope reductions can be achieved by removing stored PAN data using a tokenization solution.  To protect card data from initial point of interaction and as it travels through the network, point-to-point encryption can also be added.  A key benefit of a layered solution is the ability to implement in stages while receiving cost savings and scope reduction at each stage.

It’s true an IT department has to juggle many priorities and projects but data security is just too important to let fall off your plate.  An experienced partner, a comprehensive solution and flexible implementation options will allow you to achieve your data security goals and ensure the day to day operations keep running without busting your budget or your team.  We invite you to share your experiences, questions and comments below.

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to the New Online Spending Index conducted by Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retail Federation (NRF) conducts an annual Valentine’s Day Consumer Intentions and Actions survey, and this year found that the average person will spend more than they have over the past 10 years, reaching a spending total of $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets.  Retailers must protect the trust of their customers, and can do so by following a few simple tips that we often talk about on this blog:

  • It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • Focus on the relationship. It’s not just technology, it’s people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
  • Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go.  The same holds true for information stored on the network. Merchants tend to hold on to data when in reality, this information can be easily removed from the system which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart to maintain strong relationships and the loyalty of their customers.

Immediately following the New Year, you probably noticed a few changes.  The gym parking lot was jam-packed.  Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy and the commercials for diet plans and fitness products have reverted back to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.
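As an added illustration (not Merchant Link’s product or code), the following Python model shows the pattern the two preceding paragraphs describe, and the earlier point about securing card data at the point of interaction: the PAN goes to a vault, the merchant’s own systems keep only a random token, and a copy of the merchant database yields no card numbers. The vault service, key, PANs and records are all constructed sample data; the HMAC counter keystream is a dependency-free stand-in for the HSM-backed cipher a real vault would use.

```python
"""Tokenization vault model: an added example, not Merchant Link code.

The point of interaction hands the PAN to a vault, receives a random
token, and the merchant's own systems keep only the token. The PAN sits
in the vault under a key the merchant network never sees, so a dump of
the merchant database yields no card numbers. Everything below (key,
PANs, records) is constructed sample data; the HMAC counter keystream is
a dependency-free stand-in for the HSM-backed cipher a real vault uses.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before they reach the vault (Luhn mod-10)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The off-network vault. Tokens are random digits (last four kept for
    receipts) and carry no mathematical relation to the PAN."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._store = {}   # token -> (nonce, sealed PAN)
        self._seen = {}    # HMAC(PAN) -> token, so a repeat card reuses its token

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode; stand-in for the real vault's cipher
        out = b""
        for ctr in range(0, n, 32):
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def _seal(self, pan: str) -> tuple:
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(pan))
        return nonce, bytes(a ^ b for a, b in zip(pan.encode(), ks))

    def _unseal(self, nonce: bytes, ct: bytes) -> str:
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._seen:
            return self._seen[fp]
        while True:   # random body + real last four; retry on the (tiny) chance of a clash
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._store:
                break
        self._store[token] = self._seal(pan)
        self._seen[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the processor) can do this."""
        nonce, ct = self._store[token]
        return self._unseal(nonce, ct)


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own systems keep: token, last four, amount. No PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def dump_leaks_pan(records: list, pan: str) -> bool:
    """Simulate a thief reading the merchant database: does any field hold the PAN?"""
    return any(pan in str(v) for rec in records for v in rec.values())


def demo() -> list:
    vault = TokenVault(secrets.token_bytes(32))   # constructed vault key
    # constructed test PANs (industry test numbers, not real cards)
    sample_pans = ["4111111111111111", "5555555555554444", "4111111111111111"]
    return [merchant_checkout(vault, p, 1999 + i) for i, p in enumerate(sample_pans)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Running the module prints three merchant records holding only tokens; the first and third share a token because the same card was used twice, which is what lets a merchant do repeat-customer lookups without ever storing the PAN. Detokenization lives in the vault only, which is the scope-reduction argument: the merchant network never has the key or the card number.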

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches is perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

By Beth McGarrity

Recently, Javelin Strategy & Research released a study that analyzes how well consumers’ card details are secured.  The Seventh Annual Card Issuer’s Safety Scorecard dives into existing trends related to card fraud, mitigation against these threats, and evaluation of card issuers that have consumer-facing prevention, detection and resolution capabilities.

The study focused on the top 20 card issuers such as American Express, MasterCard, Visa, Bank of America, JP Morgan Chase, Capital One and more. The results found that card issuers do a good job resolving fraud problems once they occur, but ultimately fall short on prevention and detection.

In light of the number of recent breaches that have impacted big brands, as well as financial institutions like Citigroup, consumers need to be aware of how their payment information is protected and take proactive steps to ensure their own credit protection.

By Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end-state and how best to overcome the numerous obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end-state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data as well as what happens to any recorded Voice over IP calls. As part of that process develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem, it’s a business issue, and to be effective, it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as it’s required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can help provide protection of sensitive data throughout the entire operational life cycle. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PCI compliant PMS systems (PA-DSS) and use TRSMs when possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but have excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique to increase your security posture. Another freebie is to update systems regularly; implement a patch management program to make sure all OS and application patches are installed in a timely fashion and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee is going to be much less expensive than a breach. Then, just as you have an evacuation plan for a physical security emergency, consider developing a breach response plan so you know who to contact if a breach occurs – key contacts include the merchant bank as well as federal and state law enforcement agencies.

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues, there are thousands of IT security professionals facing the same complexities and issues similar to yours. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf