Merchant Link SecurityCents

Merchant Link recently has named Laura Kirby-Meck as executive vice president of sales and marketing. Laura is a hospitality industry veteran with more than twenty years of experience leading successful sales teams and implementing marketing strategies to position leading hospitality companies in the market.

Following is an exclusive podcast with Laura who discusses payment security trends for the hospitality sector and beyond.

These days, merchants are being told they can save money by using a client-to-processor connection or “direct driver” vs. a hosted payment gateway in the cloud. Are these claims really true? What do merchants stand to lose by sending transaction data directly from their point-of-sale system to a processor?

A hosted payment gateway facilitates the secure transfer of information between a point of payment (your POS) and the payment processor or bank. The gateway acts as a translator, traffic cop and bodyguard – interpreting and directing data streams through a secure route to the appropriate destination, quickly and accurately.

Merchants considering both options should keep in mind:

1. Choice: A gateway connects merchants to a variety of processors and often offers the flexibility to switch payment providers quickly and efficiently, enabling a merchant to best manage its payment acceptance fees. Merchants with franchisees can offer them the choice of processors and maintain a secure and consistent payments acceptance process across their brand.  Merchants can also use the gateway to route different card types to specified hosts, saving them money by reducing processor’s switching fees.  A quality gateway assures that a merchant is not locked in to a particular processor’s technology that is hard to “unravel” if they decide to change.
2. Support: A quality gateway provider has the unique ability to track down and efficiently resolve problems no matter where an issue occurs within the life cycle of a transaction; saving merchant’s time and money by eliminating “finger pointing” between POS providers and payment processors.  The more complex the merchant environment, the more a gateway is needed.  A gateway can help a merchant quickly resolve payments hassles and get back to managing their business.
3. Cost: While most gateway providers charge a subscription or per-transaction fee, merchants should take into account the ongoing investment they will have to make in new software and/or a POS upgrades when considering a client-to-processor connection. The merchant is then locked in to technology that will soon be dated.  In contrast, a cloud-based payment gateway is easily implemented and maintained.  Configuration changes are usually performed at the gateway without interrupting business at the site when software and payment scheme updates are required.

Savvy business owners know that the only way to separate claims from reality and determine what’s best for their business is to educate themselves, talk to other merchants who are utilizing similar solutions, and ask a whole lot of questions. Check out this informative presentation and let us know what you think by leaving a comment below.

By Michael Ryan

While many of us were sitting on the couch, fighting our food-induced comas during the Thanksgiving holiday, merchants were scrambling to prepare for an onslaught of customers that were eager to take advantage of Black Friday deals.

Black Friday, which seems to start earlier and earlier each year, not only marks the busiest time of the year for merchants, but also predicts shopping trends, consumer confidence and the state of the economy for the coming year.

And this year’s Black Friday was in no way a disappointment. Shoppers showed up in droves and spent a record amount of money over the weekend. Black Friday spending this year was up 16% from the $45 billion consumers spent last year, according to a recently released survey by the National Retail Federation.

And that sales momentum continued into Cyber Monday, as many shoppers took to retailer’s sites looking for the best deals. Eight in ten retailers were prepared, offering special promotions to please these online shoppers.

Even more interesting is the number of shoppers that relied on their smartphones and other mobile devices to shop online. Compared to last year, the number of mobile users shopping online doubled.

And we don’t doubt that all these numbers are real. We saw it in our own operations. For example, our retail transaction volume for one of our large retail chain clients was a whopping 44% higher on Black Friday this year as compared to last year, and 38% higher on Cyber Monday.

In light of the retailers’ success, both in stores and online, it is importance to stress that consumer confidence drives continued sales and brand trust. During the busiest shopping season of the year, retailers cannot afford to suffer from a data breach and leaked consumer credit card information.

Now, more than ever, retailers must be diligent, which is why we’ve developed these three simple tips for merchant to keep in mind:

• Know the network. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
• If it is not needed, remove it. Many retailers keep cardholder data on the system even when it is not necessary.  Nothing is more exciting to potential attackers than hitting the jackpot of payment information.
• It’s not just technology, its people and processes. Merchants must educate and train staff to understand network security issues.  Yes, the IT department must be aware, but it is just as important for cashiers to understand the risks and be trained to spot suspicious activity.

Retailers have a lot on their plate as they strive to hit their numbers during this holiday shopping season, but security shouldn’t be a leftover thought. The cost of a breach can not only cost retailers millions of dollars, but will hurt consumers’ confidence and trust in the retailer’s brand. With such a significant impact, can the retail industry  afford not to unwrap some extra security this holiday season?

We are coming to the end of the year, when everyone takes a look back and reflects on the past 12 months and tries to determine the trends that will impact the coming year. Many industries are facing a sobering outlook for 2012 and looking to do more with less.

The hospitality sector in particular has struggled with the economic downturn the past few years. Steve Short, president of NetLink Resource Group, says that it is still possible for hospitality executives to achieve their goals by investing in smart IT projects to drive business growth.

By smart, I assume he means that these IT projects should help the company meet business objectives while simultaneously saving the company money. My guess is that many will look to implement cloud solutions that require less management and maintenance.

But specifically, the hospitality sector should focus on investment in projects that secure their sensitive customer data and by extension, their brand reputation. The potential return on investment includes simplified PCI compliance. Technology solutions such as point-to-point encryption and tokenization have been reviewed by the PCI Council, resulting in documents that guide executives on how to properly implement these solutions.

As budgets decrease and focus on ROI increases. making sense of the dollars and cents is more challenging ever. But given the cost of compliance, and the cost of a potential data breach, the hospitality sector should seriously consider and measure the ROI of protecting their data.

To read more from Steve Short and his predictions, check out his blog on HTFP Connect.

We have always highlighted how damage experienced after a data breach can have  lasting negative effects on brand equity and reputation.  A recent survey of nearly 850 executives, conducted by the Ponemon Institute, reinforced this by reporting that the average time it takes to restore an organization’s reputation after a breach is one year.

Following is a podcast with Dr. Larry Ponemon who discusses this study and what companies can do to best protect their reputations after a breach from the ITAC blog.

The top executives of retail companies have a list of business functions, products and services that they’ve been told they, “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations, and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

Avivah Litan is a vice president and distinguished analyst in Gartner Research and is a renowned expert in the area of payments security.   She regularly publishes key industry research reports with regards to PCI compliance, has a well-read blog and is often quoted in the media discussing PCI compliance and payment security – among other things. Following is an exclusive podcast with Avivah Litan who discusses key payment security trends and highlights the value of end-to-end encryption and tokenization.

By Beth McGarrity

Now in its eight year, October is known for its annual National Cyber Security Awareness Month, which is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Each year, there is a theme which strives to educate and drive awareness for cyber security issues.  What I like about this year’s theme is that it demonstrates the responsibility that each individual has when it comes to cyber security.

With the theme of, “Our Shared Responsibility,” it doesn’t matter if you are the merchant, the employee, the vendor or the home user –we all play a serious role in securing online environments.

In an effort to share in this responsibility, our blog will focus this month on education across the ecosystem.  It goes beyond understanding specific technology solutions to understanding the psychology behind user actions and unveiling common myths of security standards and solutions so that users can stay safe online and shore up cyber security efforts.

If there is a topic that you’d like to see from us on the blog, please drop us a comment below.  Or if you’d like to guest blog for us this month, let us know and we’ll provide you with our editorial guidelines.

By Beth McGarrity

There is a new bill in the U.S. Senate that is aimed at protecting a citizen’s privacy and information when a security breach occurs.  In the last few weeks, the Personal Data Protection and Breach Accountability Act of 2011 was introduced, with sponsors of the bill, saying that many of the recent security breaches have been preventable.

But the National Retail Federation has another view.  David French of NRF said that the bill is far too broad and instead of achieving protection of consumer information, the bill would have a negative impact, resulting in “notice fatigue.”

Now, this is interesting, because NRF is an avid supporter of protecting notification when identity theft occurs, yet feels that standards must be met before a notification is sent out.  If consumers are receiving notices for every incident, regardless of severity, they will eventually begin to ignore the notification and potentially not take the appropriate steps when the risk level is high.

We are all for notification to consumers when there is a risk involved and agree that notification fatigue could be an issue.  But the real issue that we believe needs to be addressed is how the sensitive information is being stored on a merchant’s system.

Ultimately, this becomes a security issue and storing personal identifiable information about consumers on a network that doesn’t have the proper security controls, is a major risk.  If you are going to take the risk, you must take an aggressive approach to security and you must test and monitor your approach regularly.

An incident may still occur, but you are less likely to have to notify your customers of a security incident if you are thinking about security as an integrated process within your business.

By Michael Ryan

This week, our team is down in Arizona for the North American PCI Community Meeting.  Each year we look forward to this event as it offers us a chance to network with Qualified Security Assessors (QSAs) and fellow Special Interest Group (SIG) members as well as others in the community and discuss the issues that are facing merchants both big and small.

In fact, the discussions are quite helpful as this is really the time for the PCI Council to outline programs, resources and goals for the coming year.  One of the most interesting aspects is to learn what the Council will provide guidance on next.

Merchant Link has been a part of the SIGs for both tokenization and point-to-point encryption (P2PE) and continues to offer our expertise in an effort to provide guidance to merchants.

We were excited to see that right before the meeting this year, the Council announced guidelines for P2PE focused on hardware-based implementations.  The 96-page document provides guidance on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies.  Interestingly enough, the Council has said that even with these guidelines, merchants should only use applications that have been validated to be PCI compliant.  This list is targeted to post on their website in spring 2012.

Perhaps, this delay, along with the delays for the tokenization guidelines and virtualization guidelines is why the Council is taking a new approach to SIGs.  For 2012, the SIGs will be manned by a Council member to ensure that the group stays on task and will only have a term of 12 months.

Over the last couple months, many proposals were made for what guidance should come next.  The proposals were short-listed and voting will take place on the PCI portal.  I’m looking forward to seeing what’s on the agenda for next year.