Uncategorized Posts

As most of our readers know, October is National Cyber Security Awareness Month, where the focus is education on cyber security issues.  To help drive awareness for these efforts, we are sharing a podcast with the Executive Director of the National Cyber Security Alliance (NCSA).  Michael Kaiser’s podcast was featured on the ITAC blog and shares insight on improving online safety and creating an environment where everyone has a shared responsibility for securing cyberspace.


By Troy Mechura

It is always nice when you get to spend time with your customers, but it is more rewarding when you are able to partner together to support a very important cause.

Earlier in the week, as millions of people along the eastern seaboard were combing through the disaster that Hurricane Irene left behind, it was awesome to have clear skies and Texas’ legendary “warm” weather for the Have a Heart annual Golf Classic.

In partnership with Carlson Restaurants, we sponsored the event which reaches out to a network of employees in need.  Whether it’s because of a natural disaster or other causes, T.G.I. Friday’s team members are able to support other members within the employee network to offer assistance.

In my opinion, there is nothing like an employee driven charity.  It shows the compassion that this extraordinary group of folks has for one another.  And really, what else can you ask for in an employer, partner or customer?

Currently, there are about 13,000 T.G.I. Friday’s employees who are a part of the fund, contributing through payroll deductions.  Last year alone, $550,000 was given to employees in need.  In light of the latest natural disaster, it really drives home how important it is to reach out and lend a helping hand.

We are proud to be a part of the annual Golf Classic and Have a Heart Charity.

By Jorge Bertran, Director of Business Development, Merchant Link

This week at RetailNOW has been great.  One of the most memorable events was the night of the RetailNOW 2011 conference awards dinner, especially when we heard our name called as one of the winners of the Retail Solutions Provider Association (RSPA) Awards of Excellence.

Merchant Link was recognized as the Bronze winner in the Payment Processing category.  It was an honor to receive this award, more so because these awards are unique in the retail technology industry: dealers get to vote for the winners.

It also gives us further validation that our approach, which is to ease the burden for our customers, is the right one. Every day, our staff looks for ways to remove the hassle and risk from the payment process and ensure smooth, secure transactions from start to finish.  This award highlights that we are succeeding in our mission.

For a full list of the award recipients, click here. For photos of our team at RetailNOW 2011, visit our Flickr page.

By Beth McGarrity

Recently, Javelin Strategy & Research released a study that analyzes how well consumers’ card details are secured.  The Seventh Annual Card Issuer’s Safety Scorecard dives into existing trends related to card fraud, mitigation against these threats, and an evaluation of card issuers that have consumer-facing prevention, detection and resolution capabilities.

The study focused on the top 20 card issuers such as American Express, MasterCard, Visa, Bank of America, JP Morgan Chase, Capital One and more. The results found that card issuers do a good job resolving fraud problems once they occur, but ultimately fall short on prevention and detection.

In light of the number of recent breaches that have impacted big brands, as well as financial institutions like Citigroup, consumers need to be aware of how their payment information is protected and take proactive steps to ensure their own credit protection.

By Michael Ryan

Earlier this year, I wrote about how legislation could affect debit transactions and specifically, the impact of the Durbin Amendment, which is aimed at debit card interchange fees and increasing competition in payment processing. Nearly six months later and we now have the official rules.

The big banks can breathe a sigh of relief. Fee caps are now 21 cents plus five basis points. This is still a hit of roughly 50 percent on a $40 transaction but it certainly looked much bleaker (max of 12 cents per transaction) just a couple months ago.

The network routing rules are also a bit simpler. Cards must carry the marks (“bugs”) of two unaffiliated networks, but the two networks do not need to offer the same authentication method. In most cases that likely means one network for signature-based and one for PIN-based transactions. With the elimination of rate differences between the two options we may actually see real competition in the form of new offerings from the networks.

So who won?

The issuers traded draconian cuts for merely drastic cuts, but it would be hard to categorize that as a victory. Certainly large merchants who are able to negotiate interchange-plus type rates will see the biggest short-term gain. Ostensibly that will lead to reduced prices for consumers, who were supposed to benefit most from this legislation. We may see some trickle-down, but I wouldn’t expect any sweeping price reductions.

So of the groups most often cited in Durbin discussions – issuers, merchants and consumers – each may have come away with something.

But I believe the real beneficiaries are a third group not often mentioned in this discussion: acquirers/ISOs. The regulation caps the interchange that issuers can collect, but it says nothing about acquirers’ margins on top of interchange.

So while large, savvy merchants who have negotiated interchange-plus rates will see decreases, there is no reason to believe that acquirers will cut debit fees in the short term for small merchants who pay more traditional rates. This could be a huge windfall for the acquirer community.

As we have seen with other examples of regulatory price fixing, the unintended consequences may ultimately be more pronounced than what is actually intended.

By Beth McGarrity

Earlier this month, I was at a conference listening to a panel of speakers that included Troy Leach, CTO of the PCI Security Standards Council. One of the things that struck me during the panel discussion is the effort that the Council is making to ensure that small merchants without a lot of resources truly understand what is being asked of them.

To this end, Troy discussed the launch of a microsite that will help small merchants implement the changes included in Payment Card Industry Data Security Standard (PCI-DSS) version 2.0. The information on the site is specifically targeted at small and mid-sized merchants, who are often under attack because they are easy targets.

This is just one of the efforts that the Council is undertaking. The others include ongoing guidance on emerging technologies and extending the life-cycle of the Council’s standards from two years to three years, giving merchants more time to comply.

At Merchant Link we applaud the Council’s efforts. SMB merchants are under a tremendous amount of pressure. They seem to be at the front of the line when it comes to attacks, and they are the least prepared, because they don’t have the resources in place to keep up with sophisticated attackers.

Want to hear more from Troy Leach? Check out the video below.

by Beth McGarrity

There’s been a lot of talk recently about mobile payment systems; without a doubt they’re the next big thing.  Imagine being able to bump iPhones with the farmer selling apple cider at her roadside stand, or not having to carry a stack of bills to pay for that playset you found on Craigslist because you can swipe your credit card on the seller’s Android and the transaction is complete.

While these scenarios sound vaguely like the stuff of science fiction, companies like PayPal and Square have fired the first salvo in the mobile payments revolution.  PayPal is focusing on Bump’s aptly named bumping technology, whereas Square, founded by Twitter’s Jack Dorsey, uses a simple attachment so that users can swipe their credit cards at any point of sale, from an art gallery to a weekend garage sale, effectively turning anyone and everyone into a merchant.

Even though these technologies are relatively new, they are being adopted at lightning speed, and it’s not just micro merchants or weekend vendors who are making use of them.  Starbucks has launched a gift card upload capability so that coffee drinkers can pay for their purchases with their phones.  And Bank of America and US Bancorp, in conjunction with Visa, are piloting mobile payments programs in the New York area.

It’s interesting to see how these technologies are being perceived and adopted.  On the one hand, mobility is a highly valued attribute and likely to attract consumers to brands; on the other, as consumers have become savvier about protecting their information assets, they are more hesitant to embrace these technologies.  Their fears are well founded: a credit card physically handed over can be skimmed in a magnetic stripe scam, stored data can be mined during transmission or storage, or, worse still, the mobile device that hosts the payment chip can be lost.

While it is true that there are myriad security concerns, it’s great to see that all the articles linked to in this post acknowledge security as a major factor in the success of mobile payment technologies, and that the companies pioneering the technology are building in security from the ground up.  Whether they are retail giants or micro sellers, retailers owe it to their customers to work with providers and processors who exhibit security best practices.

by Beth McGarrity


When we talk about our mission here at Merchant Link, we not only talk about making credit card transactions secure, but also about making them easy for the merchants we serve.  That’s where our support team comes in.

Every year at this time, as part of Customer Service Week, we celebrate and recognize the important service our team provides in delivering “one-call-solves-all” support to our customers.

Kay Fakunle, Manager of Technical Support, acknowledged the team’s hard work this year.  “We’ve been doing a lot of trainings, all building up to this week.  Our Superior Service scores are up as well as our Customer Survey scores, so this week is largely focused on rewarding those accomplishments and having fun.”

Another theme this week was teamwork.  Jomaine Sanders, Manager of Implementations, explained, “All year long we take care of our customers, but then there are our own, internal customers.  We’ve talked a lot about the importance of working well together.”

To help build camaraderie, the games this week included a scavenger hunt with clues that tested the team’s knowledge of each other.  Virtual Bingo provided an amusing distraction, with numbers posted on our Intranet throughout the week.  And high-spirited games of Family Feud, Minute-to-Win-It, and a Friday afternoon ice cream social rounded out the week.

Special recognition went to Deborah Olufolaju for outstanding service. And the team had fun with several peer-nominated awards too, including:

  • Most Likely to Always Have a Can-Do Attitude – Emily
  • Most Likely to Appear on American Idol – Oneka
  • Most Likely to Have the Most Shoes – Winsome
  • Most Likely to Enjoy a Bad Movie – Detrick
  • Most Likely to Arrive On-Time – LaNique and Paul
  • Most Likely to Find a Quarter on the Ground – Donna

Congratulations all, and keep up the hard work!

by Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end-state and how best to overcome the numerous obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end-state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data, as well as what happens to any recorded Voice over IP calls. As part of that process, develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem; it’s a business issue, and to be effective it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as it’s required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can help protect sensitive data throughout the entire operational life cycle. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PA-DSS validated property management systems (PMS) and tamper-resistant security modules (TRSMs) when possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but with excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique for increasing your security posture. Another freebie is to update systems regularly: implement a patch management program to make sure all OS and application patches are installed in a timely fashion, and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums, so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee is going to be much less expensive than a breach. Then, just as you have an evacuation plan for a physical security emergency, consider developing a breach response plan so you know whom to contact if a breach occurs; key contacts include the merchant bank as well as federal and state law enforcement agencies.

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues, there are thousands of IT security professionals facing the same complexities and similar issues as you. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf