Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Encryption Posts

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”) and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
 
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
 
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure on- and offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, with their favorite method being to target data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than any other method, according to the Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements as well as a fact sheet outlining how merchants can securely accept payments using mobile devices with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™ – the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never vulnerable while it’s being processed.
 
Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet.  Yes, the technology has been around for awhile.  But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to New Online Spending Index conducted by Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retailer Federation’s (NRF) conducts an annual Valentine’s Day Consumer Intentions and Actions survey and this year found that the average person will spend more than they have over the past 10 years, reaching a spending total of $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets.  Retailers must protect that trust of their customers and can do so by following a few simple tips that we often talk about on this blog:

  • It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • Focus on the relationship. It’s not just technology, its people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
  • Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go.  The same holds true for information stored on the network. Merchants tend to hold on to data when in reality, this information can be easily removed from the system which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart to maintain strong relationships the loyalty of their customers.

Author:  Laura Kirby-Meck

There are many signs out there that the global economy is beginning to improve. In addition to the recent jobs report and the Dow hitting its highest mark since 2008, there also seems to be a renewed energy and hope that this long-running economic malaise will finally come to an end.

One sector that seems to be bouncing back is the hospitality industry.  According to a recent report from Global Industry Analysts (GIA), the global hotel industry is poised to reach $479 billion by 2015.  Some key factors pushing this along are luxury hotels recovering quicker than other segments of the industry, as well as the demand for hotel rooms and services increasing — creating new construction opportunities as properties expand.

The report rightly points out that hotels are increasingly becoming targets for criminal attacks and cyber breaches.  Conversely, hoteliers have been trimming their IT dollars post-recession, even in the face of hackers trying to steal vital data.

While cost savings are important, cutting back in the area of payment security could have an even deeper business and reputational impact if a data breach were to occur and we would encourage hoteliers to take a look at the efficiencies that new encryption and tokenization solutions offer for both reducing PCI scope and enhancing security.

It is exciting to see that certain segments of the economy are poised for a major comeback.  Though as business opportunities expand for the hotel industry, payment security should remain paramount.  Even during the good times a breach can cause irreparable business damage.

You can access the full report here.

www.strategyr.com/Hotel_Industry_Market_Report.asp

Immediately following the New Year, you probably noticed a few changes.  The gym parking lot was jammed packed.  Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy and the commercials for diet plans and fitness products have reverted back to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches are perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

In conjunction with the National Retail Federation’s Big Show, we are excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.

Columbia Sportswear, which is best known for its outdoor apparel and accessories, was motivated by the desire to reduce its PCI scope across its retail locations.  Columbia was facing an issue that many retailers face and needed to minimize storage of payment data on its network environment.  By implementing proven solutions that were integrated specifically to meet the needs of this major retailer, Columbia will not only reduce PCI scope but will have a scalable solution as their payment needs evolve when contactless, electronic wallets and EMV become more mainstream.

This is certainly big news for us at the NRF show, as it reinforces how cutting-edge security payments solutions are moving to the cloud.  In support of this announcement, we have also developed a unique microsite called “Protect All Points,” which highlights all the information you need about this new implementation.  And, be sure to stay tuned for video from the NRF show.

In addition, we are sponsoring the 2012 Tech Global Partners’ Annual Cocktail Reception at the Marriott Marquee Sunday night.  We look forward to seeing all of our customers, partners and friends in the media next week at the NRF show.  New York City, here we come!

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst, Avivah Litan, calls credit card skimming schemes, something we’ve discussed previously on the blog.  Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly-targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with pin numbers taped right on.

More individuals are recruited to then hit up ATM machines and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

Its here!  Finally…well…sort of.  The technology for mobile wallets has been around for awhile, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

The cost of a data breach for retailers and merchants is rising every day, both in terms of dollars and brand reputation, taking into account costs for internal investigation, notification/crisis management and response. And soon, there may be another cost being levied on merchants from a different source: the government.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned since the rules are expected to also apply to European subsidiaries of foreign companies.  It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.