Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Tokenization Posts

By Beth McGarrity

There is a new bill in the U.S. Senate that is aimed at protecting a citizen’s privacy and information when a security breach occurs.  In the last few weeks, the Personal Data Protection and Breach Accountability Act of 2011 was introduced, with the bill’s sponsors saying that many of the recent security breaches have been preventable.

But the National Retail Federation has another view.  David French of NRF said that the bill is far too broad and instead of achieving protection of consumer information, the bill would have a negative impact, resulting in “notice fatigue.”

Now, this is interesting, because NRF is an avid supporter of notifying consumers when identity theft occurs, yet feels that standards must be met before a notification is sent out.  If consumers receive notices for every incident, regardless of severity, they will eventually begin to ignore the notifications and potentially not take the appropriate steps when the risk level is high.

We are all for notification to consumers when there is a risk involved and agree that notification fatigue could be an issue.  But the real issue that we believe needs to be addressed is how the sensitive information is being stored on a merchant’s system.

Ultimately, this becomes a security issue: storing personally identifiable information about consumers on a network that doesn’t have the proper security controls is a major risk.  If you are going to take the risk, you must take an aggressive approach to security and you must test and monitor your approach regularly.

An incident may still occur, but you are less likely to have to notify your customers of a security incident if you are thinking about security as an integrated process within your business.

By Michael Ryan

This week, our team is down in Arizona for the North American PCI Community Meeting.  Each year we look forward to this event as it offers us a chance to network with Qualified Security Assessors (QSAs) and fellow Special Interest Group (SIG) members as well as others in the community and discuss the issues that are facing merchants both big and small.

In fact, the discussions are quite helpful as this is really the time for the PCI Council to outline programs, resources and goals for the coming year.  One of the most interesting aspects is to learn what the Council will provide guidance on next.

Merchant Link has been a part of the SIGs for both tokenization and point-to-point encryption (P2PE) and continues to offer our expertise in an effort to provide guidance to merchants.

We were excited to see that right before the meeting this year, the Council announced guidelines for P2PE focused on hardware-based implementations.  The 96-page document provides guidance on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies.  Interestingly enough, the Council has said that even with these guidelines, merchants should only use applications that have been validated to be PCI compliant.  This list is targeted to post on their website in spring 2012.

Perhaps this delay, along with the delays for the tokenization guidelines and virtualization guidelines, is why the Council is taking a new approach to SIGs.  For 2012, each SIG will be led by a Council member to ensure that the group stays on task, and will only have a term of 12 months.

Over the last couple of months, many proposals were made for what guidance should come next.  The proposals were short-listed and voting will take place on the PCI portal.  I’m looking forward to seeing what’s on the agenda for next year.

By Beth McGarrity

It’s that time of year…tailgating, parties and football on the television.  And who can watch the games without the perfect snack?  As I was making my favorite recipe for a 7-layered bean dip for last Sunday’s Redskins game against the Giants, I got to thinking about the perfect recipe needed to protect the multiple layers that exist in the payment process.  There is no one magic ingredient that is going to secure your entire system.

So I sat down to write and share this recipe with our readers:

Ingredients

  • 1 cup authentication
  • 1 2/3 cups encryption
  • 2 cups tokenization
  • A pinch of education and training for both customers and internal resources
  • A dash of trust

Directions

EVALUATE your network and determine access points and storage of sensitive information.

LAYER the security over your network using proven technologies to authenticate users and identify malicious traffic on your network.  In addition to security appliances including firewalls, intrusion prevention and detection systems, merchants should secure payment data in-flight and at rest by layering point-to-point encryption and tokenization solutions.

MONITOR your network for suspicious activity.

EDUCATE both your customers and employees on security best practices to reduce human error and minimize impact to your security posture.

UPDATE, as necessary. A perfect recipe for security has to be analyzed on a regular basis and evolve based on new and emerging threats.

End Result

If you follow these directions closely – much like you would in creating the ultimate 7-layered dip – you will bring your transaction security to a completely new level.  Each layer is critical to the overall success of your security strategy.  One weak layer can cause the whole “security dish” to be foul tasting, and even worse, cause your customers’ vital credit and debit card information to be compromised.

By Michael Ryan

Over the past month, there has been a great deal of discussion about tokenization.  The PCI Council released the much-awaited guidelines in early August, and while many questions were answered, both vendors and merchants asked for more clarity.

If you haven’t done so yet, take a look at the tokenization buyers guide that was developed by Walter Conway.  The guide provides an unbiased and technology-neutral look at tokenization.  It addresses how tokenization may reduce a merchant’s PCI scope and offers methods on how to evaluate alternative vendor products. Merchants can view this buyer’s guide along with the guidance from the PCI Council to determine what solution is best for their environment.

Now, there are certain areas within the guide that I didn’t necessarily agree with.  In particular, the guide raises the possibility of token collision or exhaustion with some format-preserving tokenization solutions, as well as processing delays that may arise from card-based tokenization methodologies.

Each of Merchant Link’s clients has tens of billions of tokens available to them, which makes the issue of collision or exhaustion nearly impossible. We also process billions of card-based tokenization transactions each year with no noticeable delay in processing speed. As Conway suggests, merchants should be aware of these issues and discuss them with their prospective vendor.

Conway also offers an excellent checklist within the document that we believe every merchant should use when considering which solution to employ.  If you haven’t checked it out yet and you are considering a tokenization solution, I highly recommend it.

By Beth McGarrity

For those of us who work in the transaction security business, we know all too well that the hospitality sector is a key target for thieves looking to steal vital customer data.  We write about it on a regular basis on this blog and certainly make note when the hospitality trade press covers payment security, PCI compliance and the like.

Every so often, though, the topic of data security and the hospitality sector bubbles up into the mainstream media, which is good because it raises the issue to a higher level and shines a brighter light on the challenges that face hoteliers.

The Los Angeles Times recently ran an article about the data security challenges that plague the hospitality sector. In it, they cited a recent study from British insurance firm Willis Group Holdings, which found that data theft insurance claims jumped 58 percent last year.  And the largest share of attacks – 38 percent – was aimed at hotels, motels, resorts and tour companies.

Laurie Fraser, global markets leisure practice leader for Willis, pointed out in the article that large hotel chains are most vulnerable because hotel management companies fall short in monitoring how data is collected and stored at dozens or even hundreds of properties throughout the world.  She also stated that independent contractors who work for individual hotels could also be the weak link when it comes to exposing hotels to hackers and viruses.

The report from Willis clearly underscores the value of implementing transaction security solutions like encryption and tokenization that fully remove all customer credit card data from a hotel’s IT systems.

Though we may sound like a broken record on this one, these solutions allow hospitality providers to get out of the credit card processing and protection businesses and focus on their core businesses.   In addition, if this Washington Post article is correct about the future economic outlook for the hospitality sector, then hoteliers really need to be focusing on maintaining guest bookings and room rates, as opposed to transaction security.

By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February.  Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that to qualify for PCI exemptions, 75 percent of the traffic needs to be EMV transactions.  It only says that the terminal must be EMV and NFC capable.  U.S. payment processors don’t support the standard today, so clearly no merchant would qualify. Obviously this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may have also noted that there are no liability shifts or protections from data breach penalties as there were in the global version of the program.  It seems that Visa knows that this program will not enhance security or prevent fraud, so while merchants may get a temporary reprieve from regulation, they will still be subject to fines and penalties if they are breached.

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll out because I want to use my phone to make purchases at the point-of-sale (POS).  However, I can’t do this with a clear conscience because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away.  While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks.  The EMV message still sends card numbers in the clear — without point-to-point encryption (P2PE) and/or tokenization — so it essentially does nothing to protect data.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud.  According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant.  So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data and someone will ultimately pay the price when a breach occurs.

By Sue Zloth

Today, the PCI Council officially released the Tokenization Guidelines document.  As a member of the task force, I can tell you that we’ve been working on this guidance for the better part of two years, so we are happy to see that it has finally been released publicly.  The guidance provides much-needed direction on how to implement a tokenization solution and how it may reduce the scope of the cardholder data environment (CDE).

Already, there have been a lot of questions and conversation around this.  In fact, a lot of buzz has been circulating early this morning.  The first question is “Does Merchant Link meet these guidelines?”  We do.  The second question is, “Are tokens in- or out-of-scope?”

Specifically, the guidelines state that to be considered out-of-scope for PCI DSS, the tokens would need to have no value to an attacker attempting to retrieve primary account numbers (PANs).  In addition, the guidelines state that tokens that can be used to initiate a transaction can be in scope for PCI DSS, even if the tokens can’t directly be used to retrieve the PAN or other cardholder data.  For solutions which support these types of tokens, the guidelines state that there must be additional controls in place to detect and prevent fraudulent transactions.  This is where I feel the Council’s document fell short…it introduces the concept that tokens may potentially be back in scope without providing guidance as to how to keep them out of scope.

Here at Merchant Link, we developed our TransactionVault™ tokenization solution to minimize the risk of cardholder data theft for our merchants.  We use multiple layers of authentication to confirm that the originator of a tokenization, de-tokenization or payment request is an authorized user.  For example, we won’t simply accept a transaction request from anyone. They need to authenticate themselves to us before we will perform their transaction request.

Additionally, our tokens can only be used to perform a transaction at the merchant that was the original recipient of the token.  If we receive a request to perform a transaction using that token from any other merchant, it won’t work.

But ultimately, what we urge for all of our merchants is a layered approach utilizing point-to-point encryption and tokenization together, providing the needed level of security to protect cardholder data and reduce the risk. The Council agrees and is pushing merchants to combine both technologies.
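The two design points raised above, the token collision and exhaustion concern from the buyer’s guide post and the authentication plus merchant binding described in this one, can be made concrete with a small token vault. The following Python sketch is an added illustration written for this page; it is not Merchant Link’s TransactionVault code and makes its own assumptions: PANs are 13 to 19 digit strings, tokens are format-preserving (same length, last four digits kept, chosen so they fail the Luhn check and cannot be mistaken for a real card number), merchants authenticate with a shared API key, every token is bound to the merchant that received it, and the store is an in-memory dictionary.

```python
import hmac
import math
import secrets


class VaultError(Exception):
    """Raised for authentication failures, bad input and exhausted token space."""


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; real PANs pass it, our tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault (assumption: in-memory store, one API key per merchant)."""

    MAX_ATTEMPTS = 32  # bound on retries so exhaustion is reported, not looped on

    def __init__(self):
        self._keys = {}      # merchant_id -> API key
        self._tokens = {}    # (merchant_id, token) -> PAN
        self._reverse = {}   # (merchant_id, PAN) -> token, so a card maps to one token

    def register_merchant(self, merchant_id: str) -> str:
        key = secrets.token_hex(16)
        self._keys[merchant_id] = key
        return key

    def _authenticate(self, merchant_id: str, api_key: str) -> None:
        # Every request is authenticated before any vault operation runs.
        expected = self._keys.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            raise VaultError("authentication failed")

    def _random_token(self, pan: str) -> str:
        # Format-preserving: same length, last four digits kept for receipts,
        # random body, and never a Luhn-valid number.
        for _ in range(self.MAX_ATTEMPTS):
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = body + pan[-4:]
            if candidate != pan and not luhn_valid(candidate):
                return candidate
        raise VaultError("token space exhausted")

    def tokenize(self, merchant_id: str, api_key: str, pan: str) -> str:
        self._authenticate(merchant_id, api_key)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise VaultError("not a PAN")
        existing = self._reverse.get((merchant_id, pan))
        if existing is not None:
            return existing
        for _ in range(self.MAX_ATTEMPTS):
            token = self._random_token(pan)
            if (merchant_id, token) not in self._tokens:   # collision check
                self._tokens[(merchant_id, token)] = pan
                self._reverse[(merchant_id, pan)] = token
                return token
        raise VaultError("token space exhausted")

    def detokenize(self, merchant_id: str, api_key: str, token: str) -> str:
        self._authenticate(merchant_id, api_key)
        # Lookup is keyed on the merchant, so another merchant's request fails
        # even with a valid token string.
        pan = self._tokens.get((merchant_id, token))
        if pan is None:
            raise VaultError("unknown token for this merchant")
        return pan


def can_detokenize(vault: TokenVault, merchant_id: str, api_key: str, token: str) -> bool:
    """True only if this merchant, with this key, can recover the PAN."""
    try:
        vault.detokenize(merchant_id, api_key, token)
        return True
    except VaultError:
        return False


def collision_probability(issued: int, space: int) -> float:
    """Birthday-bound estimate of at least one collision after `issued` random
    draws from a token space of size `space`: 1 - exp(-n^2 / 2N)."""
    return 1.0 - math.exp(-(issued ** 2) / (2.0 * space))


if __name__ == "__main__":
    vault = TokenVault()
    key_a = vault.register_merchant("hotel-a")      # constructed sample merchants
    key_b = vault.register_merchant("hotel-b")
    test_pan = "4111111111111111"                   # constructed, Luhn-valid sample PAN
    token = vault.tokenize("hotel-a", key_a, test_pan)
    print("token:", token, "luhn:", luhn_valid(token))
    print("same merchant:", can_detokenize(vault, "hotel-a", key_a, token))
    print("other merchant:", can_detokenize(vault, "hotel-b", key_b, token))
    print("1e6 tokens in 1e12 space:", round(collision_probability(10**6, 10**12), 3))
```

The `collision_probability` helper is the arithmetic behind the exhaustion question: with a 12-digit random body (a space of 10^12) and a million issued tokens, the chance of any collision is about 39 percent, which is why the vault checks the store before committing a token rather than trusting randomness alone. The per-merchant key on every lookup is what turns a stolen token into a useless string for anyone other than the original recipient.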

By Beth McGarrity

Privacy Officers tend to be senior level executives within a business or organization who are responsible for managing the risks and business impacts of privacy laws and policies.  Without a doubt this is a job that comes with a tremendous amount of responsibility, and with more and more organizations being vulnerable to data breaches, these executives have good reason to have many sleepless nights.

Gartner Group recently identified the top five issues that privacy officers should pay particular attention to in 2011 and 2012.  And, as one would expect, data breaches rose to the top of that list.  According to Gartner, data breaches are of major concern because of their visibility, while preparing for and managing a breach is a bit more tactically straightforward.

Gartner also recommends that organizations encrypt data when transmitting it across public networks, when it is used on mobile devices, and when it is simply sitting in storage. Other solutions that Gartner recommends are data loss prevention tools, tokenization, data masking and privacy management tools.

So, the big takeaway is the reputational damage that data breaches can cause, and that encryption and tokenization can significantly reduce the risk of experiencing a breach.

From a merchant’s perspective, we believe that having the right tools to prevent data breaches is of utmost importance. This allows merchants to focus on their core businesses – as opposed to being in the credit card processing business.   And, shouldn’t the focus of any business be on servicing customers and meeting bottom-line goals?

By Beth McGarrity

In the brick-and-mortar world, merchants run the risk of long-term reputational damage when they experience a credit card breach.  For online merchants, data breaches can cause even more damage — as credit and debit cards are typically the only means for doing transactions.  Clearly, protecting one’s online brand is of utmost importance.

According to a recent report by Visa’s CyberSource unit and Trustwave, nearly 70 percent of online merchants said they have tightened credit card data security in order to protect their brands.  This was a larger motivator than the desire to avoid fines for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

In addition, the report highlights how online merchants are also concerned about insider threats.  Not a huge surprise.  In fact, our readers may recall our post about nefarious employees stealing customer data via USB drives.  Although this post was more for brick-and-mortar merchants, the reality is that bad employees lurk in both the offline and online worlds.

So what are online merchants doing to actually tighten their credit card security?

They are moving credit card data from their networks to third-party vendors as a way of reducing security risks, data storage and compliance costs, according to the study.

So it seems that online merchants are taking a page from what is happening in the brick-and-mortar world:  they are completely removing the data from their systems.  And as in traditional environments, tokenization and encryption are two viable solutions to remove the data.

No matter where products are sold – at a retail outlet or on a website – protecting one’s brand is paramount.

By Beth McGarrity

Here on SecurityCents, we are often blogging about attacks on restaurants, retail or lodging where the attacker has one main purpose:  stealing payment information for monetary gain.  But as we’ve seen during recent months, the attackers’ motive is shifting and evolving.

Just ask Sony

Or the CIA and FBI

Or Mastercard and Visa

Each of these organizations has faced a different sort of attack during the year, where groups like Anonymous and Lulz Security have attacked servers to bring down the site and embarrass the organization for its lack of security controls.

It may be different than the stories we’ve told in the past, but the moral of the story is the same.  And these new threats shouldn’t detract from what we already know.

The focus on stealing payment data has not been lost.  A few months back, Citigroup disclosed that over 210,000 accounts in North America alone were breached and information was stolen.  It was one of the most significant attacks on a financial institution.

So while the rise of hacktivism is currently in the spotlight, don’t forget that cyber criminals who are seeking monetary gain continue to lurk in the shadows, slowly and consistently tapping into networks and determining the vulnerabilities that exist and can be exploited.  It is critical that merchants continue to stand guard and ensure that they have the security controls in place to protect customer payment data.