Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

PCI Compliance Posts

This week, our team is at the PCI North American Community Meeting, where several new programs have been announced including the PCI Professional Program, the Council’s first individual accreditation program designed to build a greater level of PCI expertise across the industry for improved payment security globally. Check out this wrap up report to learn about the other major announcements, news and highlights.

Last week while watching Michael Phelps win his 20th Olympic medal, I was also reading a very interesting post on PCI Guru’s blog that discusses a topic covered in the latest Assessors newsletter. What do these two diverse topics have in common? Read on and see.

The blog post I mentioned refers to pre-authorization data and scope; a topic which has oft been the subject of discussion. Is pre-authorization data in scope with regard to PCI or not? While my personal belief is that it should always be considered in scope, the source of this debate comes from the fact that the standard does not really call it out. Indeed, many of the requirements are specific to post-authorization (such as restrictions on any storage of sensitive authentication data). In the newsletter, the PCI Council definitively states “PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization.”

 OK, so card data is in scope regardless of its authorization state wherever it is stored, processed or transmitted. But what does that mean to the merchant, other than putting a final period on the debate? The Council’s statement here is really one of common sense. Card data is not any less valuable before authorization than after it.

Generally, the length of time that data remains pre-authorization is short. That can vary however, especially when one considers new fees such as the Visa Zero Floor Limit Fee which adds a fee to any transaction that is settled without authorization. Merchants are incented to store the data to ensure they can receive an authorization prior to submitting for settlement. 

The PCI Council leaves the requirements regarding storage of pre-authorization sensitive authorization data up to the individual payment brands. They did state however, that any storage of SAD prior to authorization would be held to a higher standard of security and controls. Regardless of what PCI states, from a risk perspective it’s just good practice for merchants to secure all credit card data, and to remove as much of it from the merchant environment as possible. Point-to-point encryption and tokenization can play a role in effectively removing and securing card data.

For merchants, it’s tempting to let the realities of day-to-day operations take priority over complex topics like PCI, kicking the can down the road so to speak. This brings us back to the Olympics. Michael Phelps mentioned in an interview all the various obstructions that his coach created during his training. One that stood out was his coach stepping on his goggles to crack them, so they would fill with water during Michael’s next swim. This was to prepare Phelps for any situation that could occur in competition. Sure enough, during one of his races, his goggles did fill with water and he had to rely on counting strokes to know where he was. Without that preparation, he might not have been prepared for that hurdle.

Similarly, merchants need to prepare themselves for the day when they may be the target of an attack. Whenever I hear the argument that pre-authorization data can be considered out of scope because the PCI DSS doesn’t specifically say, I know I’m talking to someone who is not taking a long term ongoing approach to PCI. Just like Michael Phelps trains for all eventualities, merchants today must prepare to face the threats of tomorrow. Look closely at your environment. Have you effectively secured data pre-authorization? Do you know every place that card data exists within your environment? In a recent blog post, one of my colleagues wrote about the security training that every Merchant Link associate participates in. Security is more than a moment in time, or a specific job role. It’s something that everyone needs to be aware of.

Oh, and just to remind you, the Council has spoken. It IS in scope.

The 2012 Multi-Unit Restaurant Technology Conference (MURTEC) show starts today, otherwise known as the “The Gold Standard Restaurant Technology Event,” bringing together more than 225 restaurant technology, finance and operations professionals for three days of peer-to-peer exchange of ideas and best practices. Merchant Link will be there and reporting back on all the tech talk and trends.

One of the many things people will be buzzing about is Hospitality Technology’s 2012 Restaurant Technology Study. Among this year’s results, in the area of PCI compliance/security, restaurant operators are moving away from the belief that:

  • PCI compliance is the responsibility of the vendor (48% agreed in 2011, 38% agreed in 2012).
  • PCI compliance guarantees there will be no breach (22.8% agreed in 2011, 13.8% agreed in 2012).

These trends indicate that the message about PCI as best practice, not a guarantee – is finally getting through, and that businesses are taking greater ownership when it comes to compliance.

In our own business, we see evidence of these trends, as more and more merchants are asking us to help them get rid of sensitive cardholder data on their networks altogether. Restaurant chains like Silver Diner, are taking a layered approach to prevent a data breach. Using tokenization and point-to-point encryption, Silver Diner not only enhanced their security, they were able to achieve significant reductions in PCI scope and costs. Check out the case study we just posted to learn more.

And let us know your thoughts on compliance by leaving a comment below.

Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected.   PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle.  And, for those organizations who are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

Its here!  Finally…well…sort of.  The technology for mobile wallets has been around for awhile, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

When the PCI Security Standards Council (PCI SSC) holds its election for Special Interest Groups (SIGS), it often provides a true window into the future of payment security.  One could actually consider the outcome of the SIG elections a true crystal ball if you will.

Last year, for example, our experts participated in the PCI SIGs for point-to-point encryption and tokenization.  We saw these technologies as reaching a tipping point in the hospitality, retail and lodging industries.

This year, the organization received 500 votes from more merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012, which included cloud computing, e-commerce security and risk assessment.  All of which, are top of mind for merchants as online and mobile transactions become more prevalent.

In addition, PCI SSC received votes from many organizations outside of North America, showcasing how finding global payment security solutions will be a priority.  Here’s what Jeremy King, European Director, PCI Security Standards Council, had to say in the PCI Council’s official press release:

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor.  I’m looking forward to close collaboration between the Council and SIG membership.”

The SIGs have often resulted in guidance for interpreting and implementing the PCI Standards – in such areas as wireless security, EMV chip, point-to-point encryption and virtualized environments. So we will be offering our own opinions and watching with anticipation to see what they will recommend in these new areas.

And while there is no such thing as a real crystal ball, the SIG elections clearly provide a glimpse into the future of payments and PCI compliance.

We are coming to the end of the year, when everyone takes a look back and reflects on the past 12 months and tries to determine the trends that will impact the coming year. Many industries are facing a sobering outlook for 2012 and looking to do more with less.

The hospitality sector in particular has struggled with the economic downturn the past few years. Steve Short, president of NetLink Resource Group, says that it is still possible for hospitality executives to achieve their goals by investing in smart IT projects to drive business growth.

By smart, I assume he means that these IT projects should help the company meet business objectives while simultaneously saving the company money. My guess is that many will look to implement cloud solutions that require less management and maintenance.

But specifically, the hospitality sector should focus on investment in projects that secure their sensitive customer data and by extension, their brand reputation. The potential return on investment includes simplified PCI compliance. Technology solutions such as point-to-point encryption and tokenization have been reviewed by the PCI Council, resulting in documents that guide executives on how to properly implement these solutions.

As budgets decrease and focus on ROI increases. making sense of the dollars and cents is more challenging ever. But given the cost of compliance, and the cost of a potential data breach, the hospitality sector should seriously consider and measure the ROI of protecting their data.

To read more from Steve Short and his predictions, check out his blog on HTFP Connect.

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions.  By asking these questions first, it will be easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fall back scenario?
  8. Where is the HSM located in the solution? Where is the data decrypted exactly?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the solution tamper resistant? What happens if an attempted breach occurs?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

By Troy Mechura

Most merchants often assume that PCI compliance is a laborious effort and all the new technologies that the PCI Council is offering guidance on offers a new layer to the complexity.

Most merchants that believe that compliance is a monstrous effort are overwhelmed with the process.  It doesn’t have to be so daunting if you think of compliance with a long-term view.

Just think of what happens when you haven’t cleaned your house in months.  When you begin the process, it seems like you will never finish.  But if you clean your house, room by room every week, it would be a much more simple process.  The same principle applies for compliance.

Merchants need to embrace the fact that compliance is now a part of a routine to safeguard the network and critical assets.  Evaluate the network, identify the data that is stored and clean house, making sure that any data that is old and no longer needed is removed.  Implementing best practices including vulnerability scanning, assessments and regular PCI checks and balances will help simplify compliance.

The fact is that the PCI Council is working with the vendor community to identify technologies that can simplify and properly secure the PCI compliance experience, making it easier for merchants to protect data in the card holder environment.  They have also built in longer timelines for notification and implementation of new rules.

Recently, the Council released tokenization guidelines and additional guidance on virtualization and point-to-point encryption.  These technologies allow for merchants to get a handle on securing sensitive data and in some cases, even reduce the scope of PCI Compliance.  Tokenization, for example, can reduce PCI scope as it removes data off the network completely.  It helps merchants’ clean house on a regular basis.

As one of the members that contributed to the Tokenization guidance, we understand the need for merchants to minimize risk.  In fact, at Merchant Link we remove data completely and use multiple layers of authentication to ensure that transaction requests can only be accessed by someone who is authorized.  But more than that, we urge that merchants use a multiple layered approach.

By combining best practices, new technology solutions and creating a routine for PCI compliance, the monstrous load of work, is no longer as complex and there is less work and less work for the merchant.

For more helpful tips on reducing the burden of PCI, visit the PCI Council’s website for training and education.

By Beth McGarrity

Verizon Business just issued the results of its 2011 Payment Card Industry Compliance Report and the findings are a bit sobering.  More than three-quarters of enterprises audited in the past two years for compliance with the Payment Card Industry Data Security Standard failed to pass their initial evaluation.

Of the 100 firms evaluated by accredited Verizon assessment teams, only 21percent were found fully compliant at the completion of their Initial Report on Compliance (IROC) – meaning that 79 percent of the organizations evaluated essentially failed the first test.

In addition, according to Verizon, these findings indicate a pattern of backsliding after organizations achieve compliance.  The reasons for this are likely fatigue and complacency.  Businesses may think that compliance is not something that needs to be constantly monitored and updated.

The report revealed that the requirements organizations are struggling with the most are:

  • 3 – Protect stored cardholder data
  • 10 – Track and monitor access
  • 11 – Regularly test systems and processes
  • 12 – Maintain security policies

When it comes to protecting stored cardholder data and reducing PCI scope, one of the most effective ways to do that is by implementing a tokenization solution. The PCI Council recently stated that “storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.”

As Jen Mack, director of PCI Consulting Services for Verizon, highlighted in an interview with, failure to meet PCI compliance standards can leave organizations vulnerable to breaches. “Are more breaches possible? Honestly, I think it’s a real possibility, unless these organizations get serious,” says Mack.