Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers– and this is where you should always strive to be.

For more information about Voltage Security visit www.voltage.com or follow them on Twitter at www.twitter.com/voltagesecurity.

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy and the commercials for diet plans and fitness products have reverted back to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches are perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

• Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

• Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

• Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

• Customer Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

• Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

• Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer.   Fortunately, customer credit card numbers were not compromised because they were stored on a separate server.   And, as our SecurityCents readers know we always urge merchants to securely store all necessary payment data in a server outside of their network.

• Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

• Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry.  See you all back at the Javitz Center next year!

This week kicks off NRF 2012, one of the largest shows for retailers, where new technologies, solutions and offerings are announced all week long.  In fact, we just announced a new integrated solution for Columbia Sportswear to secure payment transactions across 54 retail locations.  So, when I was scanning headlines today, I was surprised to see that Zappos.com was in the headlines, but not in a positive way.  The major online retailer had fallen prey to data thieves.

Yet, as I continued reading, a statement caught my eye –

Zappos said that hackers gained access to customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Bravo! Well done. In most of the big retail breaches that we’ve blogged about here, our main message has been to remove sensitive card data from the network.  Most retailers continue to leave information on their servers that contain payment card details, and often this information is forgotten.  So when a hacker gets into the network, they hit a gold mine.

While Zappos is still a victim of a hack, they stored all payment details on a separate server and therefore were able to contain the impact to their customers.  Whenever we have discussions with merchants, we often make the recommendation that they securely store all necessary payment data in a server outside of their network, so that it can not be accessed by a thief that may break in.  It also reduces a retailer’s cardholder data environment, which eases the burden of PCI compliance.

Columbia Sportswear, which is best known for its outdoor apparel and accessories, was motivated by the desire to reduce its PCI scope across its retail locations.  Columbia was facing an issue that many retailers face and needed to minimize storage of payment data on its network environment.  By implementing proven solutions that were integrated specifically to meet the needs of this major retailer, Columbia will not only reduce PCI scope but will have a scalable solution as their payment needs evolve when contactless, electronic wallets and EMV become more mainstream.

This is certainly big news for us at the NRF show, as it reinforces how cutting-edge security payments solutions are moving to the cloud.  In support of this announcement, we have also developed a unique microsite called “Protect All Points,” which highlights all the information you need about this new implementation.  And, be sure to stay tuned for video from the NRF show.

In addition, we are sponsoring the 2012 Tech Global Partners’ Annual Cocktail Reception at the Marriott Marquee Sunday night.  We look forward to seeing all of our customers, partners and friends in the media next week at the NRF show.  New York City, here we come!

Merchant Link scored particularly high in the areas of service and support, product reliability, and channel friendliness. The company was also recognized for product innovation, reflecting the company’s recent focus on providing cutting-edge tokenization and encryption solutions to protect sensitive customer data and enable merchants to meet and exceed PCI compliance standards.

“Merchant Link is pleased and honored to be named to the list of Best Channel Providers,” said Dan Lane, president and CEO of Merchant Link. “The company strives to deliver peace of mind for our channel partners and their customers by providing the highest level of service, security and reliability for their payment processing solutions.”

The list of best channel vendors was based on responses to a survey conducted by Business Solutions magazine and Penn State University. The survey was given to over 4,000 Value Added Reseller (VAR) subscribers and received over 10,000 votes. The Best Channel Vendor list includes only the service providers who received scores in the top 5 percent of their category and is published in the January 2012 issue of Business Solutions magazine.

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotels, restaurants and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault^TM, our tokenization solution, and TransactionShield^TM, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com. For our expert opinion on encryption, tokenization and PCI compliance, visit our blog at www.merchantlinksecuritycents.com.

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected.   PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle.  And, for those organizations who are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst, Avivah Litan, calls credit card skimming schemes, something we’ve discussed previously on the blog.  Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly-targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with pin numbers taped right on.

More individuals are recruited to then hit up ATM machines and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

Its here!  Finally…well…sort of.  The technology for mobile wallets has been around for awhile, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned since the rules are expected to also apply to European subsidiaries of foreign companies.  It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.