Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Tokenization Posts

There has been much discussion on credit card security and the use of card-based vs. transaction-based tokens.  What is the difference exactly?   Transaction-based tokens relate to individual transactions. With transaction-based tokenization, a new token is created each time a transaction occurs.  Card-based tokens are generated for each card number.  In this approach, the same token is reused every time that card number is used.  Hoteliers will find a great deal of value in card-based tokens.  Card-based tokens maintain the history critical to guest satisfaction, loyalty programs and marketing analytics.


Guest Preference and History
For the hotelier, a card-based approach means that you can track all guest transactions within the establishment to one folio/card number.  All guest purchases, from their room charge, dining, spa services or gift shop purchases can be tracked and identified by the card-based token.  Guest preferences associated with the profile will flow to the reservation and tie to the same token.  In addition, even if the guest has multiple stays the token remains the same.  This methodology is extremely useful for multi-property and chain environments where a central reservation system is in use.  All guest stay history can be tracked across the entire chain.   

Technology Footprint
IT departments responsible for maintaining and supporting the property management system environment will appreciate card-based token technology as well.  Card-based tokens do not require as much database storage as transaction-based systems.  The one-to-many relationship used for card-based tokenization uses less database real estate.   

Operations Impact
Accounting and audit functions are also streamlined with card-based tokens.  Credit card batch settlement reports are simplified since all incremental transactions roll up to one card number.  It is faster for accounting personnel to look up charges on guest folios.  Bank statement reconciliation and research is also easier with card-based tokenization by associating one card number with multiple transactions on a folio.
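The difference between the two token types described above is easiest to see in code. The following is an added example written for this page, not Merchant Link's TransactionVault or any other production vault: a toy vault that can run in either mode, a merchant-side folio that stores only tokens, and a settlement-style roll-up by token. The PAN (a standard test number), the stay charges and the format-preserving token layout are all constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample input: a standard Visa test PAN, not a real card.
TEST_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical tokenization service that holds the PAN<->token mapping.

    In a real deployment this lives off the merchant network; the property
    management system only ever stores the token. Two modes are modelled:
      - "card": one token per PAN, reused on every transaction
      - "transaction": a fresh token every time tokenize() is called
    """

    def __init__(self, mode: str):
        if mode not in ("card", "transaction"):
            raise ValueError("mode must be 'card' or 'transaction'")
        self.mode = mode
        self._pan_to_token = {}   # only consulted in card mode
        self._token_to_pan = {}   # one row per token ever issued

    def _mint(self, pan: str) -> str:
        # Format-preserving token: random digits, same length, last four kept
        # so staff can still match a folio to "card ending 1111".
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Never hand back the PAN itself or a token already in use.
            if token != pan and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        if self.mode == "card" and pan in self._pan_to_token:
            return self._pan_to_token[pan]          # same card, same token
        token = self._mint(pan)
        self._token_to_pan[token] = pan
        if self.mode == "card":
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault (or the processor behind it) can turn a token back
        # into a PAN; the merchant side never calls this.
        return self._token_to_pan[token]

    def rows(self) -> int:
        """Storage footprint: number of token rows the vault holds."""
        return len(self._token_to_pan)


def post_charges(vault: TokenVault, pan: str, charges):
    """Merchant-side folio: records (token, department, amount), never the PAN."""
    return [(vault.tokenize(pan), dept, amount) for dept, amount in charges]


def folio_rollup(folio):
    """Group charges by token, as a batch settlement report would roll them up."""
    totals = defaultdict(int)
    for token, _dept, amount in folio:
        totals[token] += amount
    return dict(totals)


def compare_modes(pan: str = TEST_PAN):
    """Run the same guest stay through both modes and report the difference."""
    # Constructed stay: room, dining, spa, gift shop (amounts in cents).
    stay = [("room", 18900), ("dining", 6450), ("spa", 12000), ("gift shop", 2375)]
    result = {}
    for mode in ("card", "transaction"):
        vault = TokenVault(mode)
        folio = post_charges(vault, pan, stay)
        rollup = folio_rollup(folio)
        result[mode] = {
            "distinct_tokens": len(rollup),          # 1 for card, 4 for transaction
            "vault_rows": vault.rows(),              # one-to-many vs one-per-charge
            "pan_in_folio": any(row[0] == pan for row in folio),
            "rollup_total": sum(rollup.values()),
        }
    return result


if __name__ == "__main__":
    for mode, stats in compare_modes().items():
        print(mode, stats)
```

In card mode the four departmental charges collapse onto a single token and the vault holds one row; in transaction mode the same stay produces four tokens and four rows, and an accountant reconciling the folio has nothing to group on. In neither mode does the PAN ever reach the merchant-side records.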

As we all know, credit card security is becoming more complex to manage all the time.  With card-based tokenization hoteliers can achieve the high level of security required while gaining operational advantages as well.    Merchant Link invites your feedback and opinions on this topic.  Please share your experiences or questions in the comment section below.

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security.  As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices.  The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


Immediately following the New Year, you probably noticed a few changes.  The gym parking lot was jam-packed.  Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy, and the commercials for diet plans and fitness products have reverted to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches is perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst Avivah Litan calls credit card skimming schemes, something we’ve discussed previously on the blog.  Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly-targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with PINs taped right on.

More individuals are recruited to then hit up ATMs and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here!  Finally…well…sort of.  The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

The top executives of retail companies have a list of business functions, products and services that they’ve been told they “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

Chartered as a working group of Hotel Technology Next Generation (HTNG), at least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data – this includes dramatically improving the security of credit card processing by and for hotels while significantly reducing overall costs.

Following is an exclusive podcast with Douglas C. Rice, Executive Vice President and CEO, Hotel Technology Next Generation (HTNG), who discusses this new working group.

Avivah Litan is a vice president and distinguished analyst in Gartner Research and is a renowned expert in the area of payments security.   She regularly publishes key industry research reports with regards to PCI compliance, has a well-read blog and is often quoted in the media discussing PCI compliance and payment security – among other things. Following is an exclusive podcast with Avivah Litan who discusses key payment security trends and highlights the value of end-to-end encryption and tokenization.

By Beth McGarrity

Verizon Business just issued the results of its 2011 Payment Card Industry Compliance Report and the findings are a bit sobering.  More than three-quarters of enterprises audited in the past two years for compliance with the Payment Card Industry Data Security Standard failed to pass their initial evaluation.

Of the 100 firms evaluated by accredited Verizon assessment teams, only 21 percent were found fully compliant at the completion of their Initial Report on Compliance (IROC) – meaning that 79 percent of the organizations evaluated essentially failed the first test.

In addition, according to Verizon, these findings indicate a pattern of backsliding after organizations achieve compliance.  The reasons for this are likely fatigue and complacency.  Businesses may think that compliance is not something that needs to be constantly monitored and updated.

The report revealed that the requirements organizations are struggling with the most are:

  • 3 – Protect stored cardholder data
  • 10 – Track and monitor access
  • 11 – Regularly test systems and processes
  • 12 – Maintain security policies

When it comes to protecting stored cardholder data and reducing PCI scope, one of the most effective ways to do that is by implementing a tokenization solution. The PCI Council recently stated that “storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.”

As Jen Mack, director of PCI Consulting Services for Verizon, highlighted in an interview with GovInfoSecurity.com, failure to meet PCI compliance standards can leave organizations vulnerable to breaches. “Are more breaches possible? Honestly, I think it’s a real possibility, unless these organizations get serious,” says Mack.

By Beth McGarrity

Now in its eighth year, October is known for its annual National Cyber Security Awareness Month, which is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Each year, there is a theme which strives to educate and drive awareness for cyber security issues.  What I like about this year’s theme is that it demonstrates the responsibility that each individual has when it comes to cyber security.

With the theme of “Our Shared Responsibility,” it doesn’t matter if you are the merchant, the employee, the vendor or the home user – we all play a serious role in securing online environments.

In an effort to share in this responsibility, our blog will focus this month on education across the ecosystem.  It goes beyond understanding specific technology solutions to understanding the psychology behind user actions and unveiling common myths of security standards and solutions so that users can stay safe online and shore up cyber security efforts.

If there is a topic that you’d like to see from us on the blog, please drop us a comment below.  Or if you’d like to guest blog for us this month, let us know and we’ll provide you with our editorial guidelines.