Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Featured Posts

From the old knuckle busters, to electronic transactions, to mobile wallets. The world of payments today is evolving at breakneck speed, with more change expected over the next few years than in the last few decades combined. At last week’s Electronic Transactions Association Annual Meeting & Expo, the message was loud and clear: keep up, remain versatile, and continue to innovate, or risk getting left behind.

Having attended the ETA show for many years, it’s interesting to experience the shift in focus. We’re not just talking about basic credit card processing anymore. For example, an exciting new wave of data mining is turning transaction data into marketing gold, providing valuable business intelligence for merchants, and a more personalized experience for consumers. It’ll be interesting to see the reaction as more of these programs are rolled out. I suspect merchants will be thrilled, but consumers may be wary given the high volume of marketing messages we are exposed to daily. But as long as these programs remain “opt-in” and provide real and relevant value, the outlook looks good.

As mobile wallets continue to evolve, which some predict will be the payment method of choice by 2020, I imagine we’ll see a shake-out with a select few companies rising to the top. As card types evolved years ago, most merchants came to accept MasterCard, VISA, American Express, Discover and Diner’s Club.  As mobile wallet options evolve, it will be interesting to see which options become standard.

When it comes to transaction security, the focus has shifted from a technical problem to an essential and expected part of doing business. Various methods are still being discussed and debated, and this year many were wondering what EMV would mean for security.

Check out ETA’s conference highlights, photos and video here and we’ll hope to see you at the show in New Orleans next year!

Webcast #4 in our payments education series is up!

In this video, we take a look at merchant services, pricing, and what you can do to better manage your processing costs.

Check it out and let us know what you think.

The Verizon RISK team has published the highly anticipated 2012 Data Breach Investigations Report. After seeing steady declines for the past two years, the report finds that breaches skyrocketed in 2011, producing the second-highest data loss total since the Verizon team started keeping track in 2004. While mainline cybercriminals continue to target monetarily valuable data, 2011 saw a re-invigoration of online activism. “Hacktivism” is targeted at larger organizations worldwide with the intent to damage the brand and embarrass the organization. In addition to the significant increase in the number of attacks, the report shows that organizations required to be PCI DSS compliant continue to struggle: according to the report, 96% of breach victims were not compliant as of their last assessment (up 7% from last year).

Most Afflicted Industry
The report found that once again the most afflicted industry was Accommodation/Food Service (Restaurants 95%, Hotels 5%). Nearly three-quarters of automated, opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries. Even though the amount of data per business is small, these “industrialized” attacks are carried out against large numbers of businesses in a surprisingly short timeframe and encounter almost no resistance. Many of these are small to midsize Level 4 merchants who are failing to assess and achieve PCI DSS compliance.

Most Used Techniques
External agents continued to be responsible for the largest proportion of breaches in 2011 (98%). The report shows that the most common external breach techniques use some combination of hacking and malware (61%), and that circumventing authentication with stolen or guessed credentials is linked to almost all compromised records (84% of records).

While internal employee breaches fell again this year to only 4% of total incidents, there is an interesting correlation to the food service industry. Most affected by internal employee breaches were smaller businesses and independent local franchisees of larger brands. The highest percentage of internal incidents belonged to money handlers such as the Cashier/Teller/Waiter category (65%) and the Manager/Supervisor category (15%).

Most Compromised Devices
With the Accommodation/Food Service industry continuing to be the most targeted, it is not surprising that the most compromised user devices were POS terminals (35%), desktops (18%) and ATMs (8%). The report recommends training staff to detect signs of device tampering and looking for anti-tampering technology in POS and PIN devices.

Conclusions
Mitigating data breach threats can range from simple solutions to costly and complex systems. The report shows overwhelmingly that implementing a few basic safeguards has a big impact for small and mid-size companies that make up a large portion of the Accommodation/Food Service sector. These companies should look to:

  • Implement a firewall on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • Make sure your POS is a PCI DSS compliant application
  • Eliminate unnecessary data on site

To assist in eliminating data on site, consider combining tokenization and point-to-point encryption to protect both stored data and data in-flight. Tokenization eliminates storage of actual cardholder data, while point-to-point encryption protects data in-flight from the point of interaction and as it travels through the merchant’s IT environment. If you get rid of the data, you get rid of the risk.
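As an added illustration of the tokenization half of that advice (example code written for this page, not Merchant Link’s own product or API), the Python below models a gateway-side token vault and the record a merchant keeps after a sale: the merchant’s copy holds a random token and the last four digits, and only the vault can map the token back. `TokenVault`, `luhn_ok` and `merchant_record` are hypothetical names, and the card number in the comments is a constructed test value.

```python
import hashlib
import hmac
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical gateway-side vault: the only place a token maps back to a PAN."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # constructed key; a real vault would hold it in an HSM
        self._token_by_index = {}        # HMAC(PAN) -> token, so the vault never indexes by raw PAN
        self._pan_by_token = {}          # token -> PAN, used only for authorized detokenization

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same card -> same token, so repeat customers stay linkable
            return self._token_by_index[idx]
        while True:
            # Random body not derived from the PAN; last four digits kept for receipts and support.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that could pass for a real card number or collide with an issued token.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def merchant_record(order_id: str, pan: str, vault: TokenVault) -> dict:
    """What the merchant stores after the swipe: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "token": token, "last4": pan[-4:]}
```

Because the token fails the Luhn check and is not derived from the card number, a stolen merchant database yields nothing that can be replayed as a card, while the gateway can still detokenize for refunds or chargebacks.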

The 2012 MURTEC conference is a wrap, and conference organizers are reporting 40% attendee growth over last year. From our perspective, and that of many others I spoke with, this year was one of the best MURTECs yet. When you bring together the right people, and are able to have the right conversations, it’s amazing the business that gets done.

(And for all the booth veterans out there… ever notice how the quality of your conversations is directly proportionate to the number of tchotchkes acquired? The higher the quality, the less you give away… funny but true.)

The show included an opening keynote address by Mike Inman of TableForce on the art of negotiation that was insightful for buyers and vendors alike. Inman talked about isolating items of high value to you and low value to the other party (and vice-versa) in order to arrive at an agreement.

Jack Clare, VP – Information Technology & CIO for Yum Restaurants International, shared the innovative approach they’re taking to kitchen automation and making their back office more efficient by connecting technology and operations. Clare is featured on Hospitality Technology’s MURTEC video playlist, as is Baron Concors, CIO of Pizza Hut who talks about applying business intelligence and big data to all business functions – not just marketing.

XPIENT Solutions was exhibiting and we announced a partnership yesterday that will allow their customers to increase the security of their payment transactions and cardholder data as well as benefit from the flexibility and support of our payment gateway service.

During the roundtable session, I sat at a table where the topic was PCI – a subject that continues to hit a nerve with operators, many of whom see it as a source of aggravation. One participant admitted it even caused him to consider quitting his job at one point. Still, the good news is that operators, auditors and vendors seem to be more educated these days when it comes to PCI and less confused about the standards and what is considered out of scope versus in scope. As we reported last week, businesses are taking greater ownership when it comes to compliance. And, operators are more interested than ever in solutions such as point-to-point encryption that can help them get rid of the sensitive cardholder data on their networks, effectively removing their systems from PCI scope.

Check out our video highlights, including observations from Alan Hayman of the Hayman Consulting Group and Joe Finizio, President & CEO of the Retail Solutions Providers Association.

Webcast #3 in our payments education series is up!

In this video, we take a closer look at interchange and at the various ways you can keep costs as low as possible.

Check it out and let us know what you think.

Last week, we introduced a unique educational series focused on the fundamentals of credit card processing.

Today, we bring you webcast #2! “Understanding Transaction Fees” provides insight on the different types of transaction fees and how they are calculated and collected.

Check it out and let us know what you think by leaving a comment below.

Here on the SecurityCents blog, we talk a lot about strategies to secure cardholder data, and what’s happening in the world of payments in general. As part of our ongoing commitment to empower merchants with tools and information to better manage their payments, we’re kicking off a webinar program today, starting with a series on the fundamentals of credit card processing.

This unique series will begin with four recorded webcasts, and will answer questions such as:

  • How do credit card transactions flow through the network and who are the players involved?
  • What are the different types of transaction fees and how are they calculated?
  • What can merchants do to reduce their processing costs?

Then, we’ll host a couple of live webinars April 4-5 where we’ll outline valuable best practices to help you run a more efficient and profitable business. Attendees will also have the opportunity to submit questions to be answered live by our panel of experts.

View our first webcast and sign up for the live webinar by clicking here or on the EDUCATION tab above. And let us know what you think by leaving a comment below.

If you’re like me, you spend time during your daily commute at the local Starbucks, standing in line, waiting for your caffeine fix. As you eagerly await your turn in line, reciting your order repeatedly in your mind to ensure you don’t mess it up, you see individuals approach the register and pay for their cappuccinos, coffees, espressos and other concoctions with…their cellphones?

The scenario of a barista scanning their mobile device and account information being transferred through a point-of-sale system raises some red flags in the minds of consumers. Yet studies by credit card giants, such as MasterCard, show that customers aren’t so averse to the increased adoption of mobile payments.

In fact, results of a recent study they conducted showed that 62 percent of Americans with cell phones would welcome paying for purchases with a mobile device.  It really becomes a psychology issue rather than a pure technology issue. Does the convenience of the purchase outweigh the security concerns in their minds?

With that in mind, younger generations are more likely to embrace mobile payments and feel more comfortable without a wallet than without a mobile device.  That could mean that mobile payments and a society without cash are clearly around the corner. Right?

Well, not completely. The customer is only one half of the equation for mobile payment adoption. The other half is the merchant, and right now, merchants are simply not seeing the potential return on their mobile payment investment. That’s because the switch to mobile payments involves much more than just training your staff to add “cell phone” to the list of ways customers can cover their tab.

To embrace mobile payments, a merchant’s point of sale, payment processing, and device management systems need to be overhauled. Most importantly, additional security concerns need to be addressed.

With advanced tokenization and encryption solutions being embraced by merchants, the customer’s invaluable credit card information can be protected from the time of the card swipe through the rest of the transaction lifecycle.

Most of us in the industry understand that the movement to secure mobile payments is only in the beginning stages and that solutions are in development to secure these types of transactions in the future. However, until merchants see enough benefit in embracing mobile devices as forms of payment to cover their investment in upgrades to their point of sale, payment processing and security systems, a cashless society could remain simply a pipedream.

Hotel Technology Next Generation (HTNG) is an association that we’ve been working closely with. We have been impressed with their efforts in helping hoteliers take an active stance against cyber criminals. The organization plays a major role in advocating best payment security practices for hotels, and our own Sue Zloth is actively involved in HTNG working groups.

Now the group has launched a comprehensive web site called “HTNG is Improving Hotel Credit Card Security” that serves as a key resource for hoteliers to learn more about protecting their customer data. Douglas Rice, Executive Vice President and CEO, joins us to discuss this new initiative and other key payment security trends for hoteliers in our latest podcast on the Merchant Link SecurityCents HITEC page.

What trends do you think will be featured at HITEC?  Join the conversation on our HITEC page and leave a comment.  Interested in being a guest blogger and providing our readers with your perspectives?  Send me an email.


The week between Christmas and New Year’s Eve is always a time of reflection and anticipation. We often like to look back at major events that shaped our worlds, while at the same time, keeping our eyes on the year ahead.

The editorial staff at SecurityCents has opted to look back and highlight our most popular posts this year. In 2010 hackers made tremendous strides in obtaining customer credit card data, so there was no shortage of news and developments impacting our sector.

Fortunately, SecurityCents launched in 2010 with the mission of being the online destination for merchants to gain insights for winning the war against hackers. The following is a summary of our top posts that resonated with our readers. Enjoy!

Hotels Remain #1 Target for Hackers
2010 was the year that hackers made hotels their #1 target for stealing customer credit card data. In one of the most significant hotel breaches this year, Destination Hotels and Resort suffered a credit card fraud scheme that impacted 21 of its hotels across the United States. It was reported that data from more than 700 guests was involved. Check out our full post from Sue Zloth on this topic here.

A Look Back at 2010: What Has Impacted Retail?
Our very own Mike Ryan penned a post about all the major happenings in the retail sector in 2011.   From the sentencing of Albert Gonzalez to the evolution of PCI standards and The PCI Council providing guidance on emerging technologies that mitigate breaches, we have it all in this comprehensive post.

Before You Head Out On Vacation, Know the Difference between Tokenization and Encryption
Merchant Link’s Tim Kinsella wrote about the differences between tokenization and encryption right at the peak of summer vacation season.  Why the summer vacation angle?  As most CSOs of major retail and hospitality chains were heading to the beach for some much-needed rest, payment security was surely still top of mind.  Check out the full post here.

PCI Council Releases Guidance on Encryption for PCI DSS and Scope Reduction
In October, The PCI Council released the first in a series of documents that delved into the issue of encryption as it impacts PCI DSS and scope reduction. Merchant Link’s Sue Zloth provided key insights into this guidance and how it provided merchants with an understanding of what they should be evaluating to determine if a point-to-point encryption solution will simplify PCI DSS compliance for their environment.  Read the full post here.

Using Panasonic SMP? You Are No Longer PCI Compliant
When Panasonic decided to concentrate on their workstation business last year, they discontinued support for their software products, including the System Manager Pro (SMP) point-of-sale software — leaving nearly 3,500 merchants and quick service restaurants (QSR) at a loss. Merchant Link partner Don Bunt provided an insightful post about how Bunt Software and Merchant Link created a PCI compliant solution for Panasonic SMP users called SMPLink™.  Check out the full post here.

Most Notorious Hacker Sentenced; DOJ’s Perspective
In early 2010, Albert Gonzalez, one of the most notorious hackers to date, was sentenced to 20 years in prison for leading the attack on TJX and other retailers. More than 90 million credit and debit card numbers were stolen, at a cost of hundreds of millions to the affected retailers. Here’s a podcast that we ran (courtesy of the ITAC blog) with Kim Peretti, Former Senior Counselor, DOJ, who discusses her role in bringing down Albert Gonzalez.

“Security is a Moving Target:” Staples Security Analyst at RSA 2010
The editorial team of SecurityCents was armed with a video camera at RSA 2010 and was able to secure an on-the-spot interview with Carlton Jones, Security Analyst at Staples Inc., who discussed what guides Staples’ security philosophy from best-of-class investments to using business cases to making on-going process improvements.  Check out the full video here.

We could have made this post longer – there were simply too many good posts to choose from! As we continue to make SecurityCents the ideal destination for all news and commentary related to secure payments in 2011, we welcome all comments and feedback on how to make this blog even more effective in the coming year.