PCI Compliance Posts

Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected. PCI compliance is certainly an important part of this, but it's only one piece of the puzzle. And for those organizations that are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the "User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends" report from Gartner here.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011, I thought I'd take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data. The first documents were released in late 2010 and focused on point-to-point encryption, followed by tokenization and virtualization. In the New Year, the Council will focus on three new areas: cloud computing, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It's here! Finally... well... sort of. The technology for mobile wallets has been around for a while, but the concept hasn't caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communication (NFC) to exchange data with point-of-sale (POS) terminals. On the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards with their phones. It's been an interesting progression to watch and something we will certainly keep an eye on, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

When the PCI Security Standards Council (PCI SSC) holds its election for Special Interest Groups (SIGs), it provides a true window into the future of payment security. One could consider the outcome of the SIG elections a crystal ball, if you will.

Last year, for example, our experts participated in the PCI SIGs for point-to-point encryption and tokenization.  We saw these technologies as reaching a tipping point in the hospitality, retail and lodging industries.

This year, the Council received 500 votes from merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012, which included cloud computing, e-commerce security and risk assessment. All of these are top of mind for merchants as online and mobile transactions become more prevalent.

In addition, PCI SSC received votes from many organizations outside of North America, showcasing how finding global payment security solutions will be a priority.  Here’s what Jeremy King, European Director, PCI Security Standards Council, had to say in the PCI Council’s official press release:

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor.  I’m looking forward to close collaboration between the Council and SIG membership.”

The SIGs have often resulted in guidance for interpreting and implementing the PCI Standards – in such areas as wireless security, EMV chip, point-to-point encryption and virtualized environments. So we will be offering our own opinions and watching with anticipation to see what they will recommend in these new areas.

And while there is no such thing as a real crystal ball, the SIG elections clearly provide a glimpse into the future of payments and PCI compliance.

We are coming to the end of the year, when everyone takes a look back and reflects on the past 12 months and tries to determine the trends that will impact the coming year. Many industries are facing a sobering outlook for 2012 and looking to do more with less.

The hospitality sector in particular has struggled with the economic downturn the past few years. Steve Short, president of NetLink Resource Group, says that it is still possible for hospitality executives to achieve their goals by investing in smart IT projects to drive business growth.

By smart, I assume he means that these IT projects should help the company meet business objectives while simultaneously saving the company money. My guess is that many will look to implement cloud solutions that require less management and maintenance.

But specifically, the hospitality sector should focus on investment in projects that secure their sensitive customer data and by extension, their brand reputation. The potential return on investment includes simplified PCI compliance. Technology solutions such as point-to-point encryption and tokenization have been reviewed by the PCI Council, resulting in documents that guide executives on how to properly implement these solutions.

As budgets decrease and the focus on ROI increases, making sense of the dollars and cents is more challenging than ever. But given the cost of compliance, and the cost of a potential data breach, the hospitality sector should seriously consider and measure the ROI of protecting their data.

To read more from Steve Short and his predictions, check out his blog on HTFP Connect.

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions.  By asking these questions first, it will be easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fall back scenario?
  8. Where is the hardware security module (HSM) located in the solution? Where exactly is the data decrypted?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the solution tamper resistant? What happens if an attempted breach occurs?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

By Troy Mechura

Many merchants assume that PCI compliance is a laborious effort, and that the new technologies on which the PCI Council is offering guidance add yet another layer of complexity.

Merchants who believe compliance is a monstrous effort are usually overwhelmed by the process. It doesn't have to be so daunting if you take a long-term view of compliance.

Just think of what happens when you haven't cleaned your house in months. When you begin the process, it seems like you will never finish. But if you clean your house room by room every week, it is a much simpler process. The same principle applies to compliance.

Merchants need to embrace the fact that compliance is now a part of a routine to safeguard the network and critical assets.  Evaluate the network, identify the data that is stored and clean house, making sure that any data that is old and no longer needed is removed.  Implementing best practices including vulnerability scanning, assessments and regular PCI checks and balances will help simplify compliance.

The fact is that the PCI Council is working with the vendor community to identify technologies that simplify compliance and properly secure cardholder data, making it easier for merchants to protect data in the cardholder data environment. The Council has also built in longer timelines for notification and implementation of new rules.

Recently, the Council released tokenization guidelines and additional guidance on virtualization and point-to-point encryption. These technologies let merchants get a handle on securing sensitive data and, in some cases, reduce the scope of PCI compliance. Tokenization, for example, can reduce PCI scope because the merchant's systems store and pass around a token rather than the primary account number (PAN). The point where the PAN is captured and the tokenization system itself remain in scope, so the gain comes from keeping the token vault out of the merchant's own environment. Used this way, tokenization helps merchants clean house on a regular basis.

As one of the members that contributed to the tokenization guidance, we understand the need for merchants to minimize risk. In fact, at Merchant Link we remove the data completely and use multiple layers of authentication to ensure that transaction requests can only be accessed by someone who is authorized. But more than that, we urge merchants to use a multi-layered approach.

By combining best practices, new technology solutions and a routine for PCI compliance, the monstrous load of work is no longer as complex, and there is simply less of it for the merchant.

For more helpful tips on reducing the burden of PCI, visit the PCI Council’s website for training and education.

By Beth McGarrity

Verizon Business just issued the results of its 2011 Payment Card Industry Compliance Report and the findings are a bit sobering.  More than three-quarters of enterprises audited in the past two years for compliance with the Payment Card Industry Data Security Standard failed to pass their initial evaluation.

Of the 100 firms evaluated by accredited Verizon assessment teams, only 21 percent were found fully compliant at the completion of their Initial Report on Compliance (IROC), meaning that 79 percent of the organizations evaluated essentially failed the first test.

In addition, according to Verizon, these findings indicate a pattern of backsliding after organizations achieve compliance.  The reasons for this are likely fatigue and complacency.  Businesses may think that compliance is not something that needs to be constantly monitored and updated.

The report revealed that the requirements organizations are struggling with the most are:

  • 3 – Protect stored cardholder data
  • 10 – Track and monitor access
  • 11 – Regularly test systems and processes
  • 12 – Maintain security policies

When it comes to protecting stored cardholder data and reducing PCI scope, one of the most effective ways to do that is by implementing a tokenization solution. The PCI Council recently stated that “storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.”
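To make concrete what "storing tokens instead of PANs" changes, here is an added example of a minimal token vault in Python. It illustrates the pattern discussed in this post and in the earlier "clean house" post; it is not Merchant Link's TransactionVault code or any PCI Council reference implementation. Assumptions are labelled in the code: two in-memory dictionaries stand in for the vault's encrypted database, an HMAC key held in a variable stands in for a key that would live in an HSM, and the card numbers are the usual constructed test numbers, not real accounts.

```python
"""Illustrative token vault (added example, not a vendor's product).

Merchant side keeps only tokens and masked PANs (out of scope);
vault side keeps the token -> PAN mapping (in scope).
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check. Real PANs pass; tokens below are built to fail it."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS requirement 3.3: show at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Service-provider side. The PAN never leaves this object."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # assumption: would be an HSM-held key
        self._by_token = {}              # token -> PAN, the in-scope store
        self._by_fingerprint = {}        # HMAC(PAN) -> token, so repeat cards reuse a token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the index does not hold PANs and cannot be reversed
        # without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:
            # Same length and last four as the PAN (so receipts and lookups
            # still work), random otherwise, and deliberately NOT Luhn-valid
            # so a token can never be mistaken for, or replayed as, a card.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the settlement path may recover a PAN; POS, reporting and
        # loyalty systems work with the token alone.
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def merchant_record(pan: str, vault: TokenVault) -> dict:
    """What the merchant's own database is allowed to keep."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan), "last4": pan[-4:]}


def demo() -> dict:
    """Run the flow end to end and return what each side ends up holding."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed test-card numbers (Visa and MasterCard test values), not real accounts.
    sample_pans = ["4111111111111111", "5555555555554444"]
    merchant_db = [merchant_record(p, vault) for p in sample_pans]
    repeat_token = vault.tokenize(sample_pans[0])
    try:
        vault.detokenize(merchant_db[0]["token"], caller_role="pos")
        pos_denied = False
    except PermissionError:
        pos_denied = True
    return {
        "merchant_db": merchant_db,
        "repeat_token_stable": repeat_token == merchant_db[0]["token"],
        "pos_denied": pos_denied,
        "settlement_pan": vault.detokenize(merchant_db[0]["token"], "settlement"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choices map onto the vendor questions earlier on this page: the token keeps the card's format and last four digits so existing reports keep working, but fails the Luhn check so it cannot be replayed as a PAN; repeat use of the same card yields the same token without the index holding PANs; and detokenization is gated by role, which is the "multiple layers of authentication" point. Everything that touches the PAN before `tokenize()` is still in scope.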

As Jen Mack, director of PCI Consulting Services for Verizon, highlighted in an interview with GovInfoSecurity.com, failure to meet PCI compliance standards can leave organizations vulnerable to breaches. “Are more breaches possible? Honestly, I think it’s a real possibility, unless these organizations get serious,” says Mack.

By Beth McGarrity

Now in its eighth year, October is known for National Cyber Security Awareness Month, which is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Each year, there is a theme which strives to educate and drive awareness for cyber security issues.  What I like about this year’s theme is that it demonstrates the responsibility that each individual has when it comes to cyber security.

With the theme of "Our Shared Responsibility," it doesn't matter if you are the merchant, the employee, the vendor or the home user: we all play a serious role in securing online environments.

In an effort to share in this responsibility, our blog will focus this month on education across the ecosystem.  It goes beyond understanding specific technology solutions to understanding the psychology behind user actions and unveiling common myths of security standards and solutions so that users can stay safe online and shore up cyber security efforts.

If there is a topic that you’d like to see from us on the blog, please drop us a comment below.  Or if you’d like to guest blog for us this month, let us know and we’ll provide you with our editorial guidelines.

This week, Merchant Link announced that its TransactionVault tokenization solution now fully integrates with industry leading spa and activity management software SpaSoft, offered by PAR Springer-Miller.  This integration provides an extra layer of payment security — while helping meet PCI compliance requirements — for spas and resorts.

Following is an exclusive podcast with Michael Deres, Director, SpaSoft Sales and Marketing at PAR Springer-Miller Systems, who discusses this new integration and much more.


By Michael Ryan

This week, our team is down in Arizona for the North American PCI Community Meeting.  Each year we look forward to this event as it offers us a chance to network with Qualified Security Assessors (QSAs) and fellow Special Interest Group (SIG) members as well as others in the community and discuss the issues that are facing merchants both big and small.

In fact, the discussions are quite helpful as this is really the time for the PCI Council to outline programs, resources and goals for the coming year.  One of the most interesting aspects is to learn what the Council will provide guidance on next.

Merchant Link has been a part of the SIGs for both tokenization and point-to-point encryption (P2PE) and continues to offer our expertise in an effort to provide guidance to merchants.

We were excited to see that, right before the meeting this year, the Council published its P2PE solution requirements for hardware-based implementations. The 96-page document covers securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management. Interestingly, the Council has said that even with these requirements in hand, merchants should use only P2PE solutions and applications that have been validated against them; the list of validated solutions is targeted to post on the Council's website in spring 2012.

Perhaps this delay, along with the delays in the tokenization and virtualization guidelines, is why the Council is taking a new approach to SIGs. For 2012, each SIG will be led by a Council member to keep the group on task, and each will run for a term of only 12 months.

Over the last couple months, many proposals were made for what guidance should come next.  The proposals were short-listed and voting will take place on the PCI portal.  I’m looking forward to seeing what’s on the agenda for next year.