Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘cloud security’

These days, merchants are being told they can save money by using a client-to-processor connection or “direct driver” vs. a hosted payment gateway in the cloud. Are these claims really true? What do merchants stand to lose by sending transaction data directly from their point-of-sale system to a processor?

A hosted payment gateway facilitates the secure transfer of information between a point of payment (your POS) and the payment processor or bank. The gateway acts as a translator, traffic cop and bodyguard – interpreting and directing data streams through a secure route to the appropriate destination, quickly and accurately.

Merchants considering both options should keep in mind:

  1. Choice: A gateway connects merchants to a variety of processors and often offers the flexibility to switch payment providers quickly and efficiently, enabling a merchant to best manage its payment acceptance fees. Merchants with franchisees can offer them the choice of processors and maintain a secure and consistent payments acceptance process across their brand. Merchants can also use the gateway to route different card types to specified hosts, saving them money by reducing processors’ switching fees. A quality gateway assures that a merchant is not locked in to a particular processor’s technology that is hard to “unravel” if they decide to change.
  2. Support: A quality gateway provider has the unique ability to track down and efficiently resolve problems no matter where an issue occurs within the life cycle of a transaction, saving merchants time and money by eliminating “finger pointing” between POS providers and payment processors. The more complex the merchant environment, the more a gateway is needed. A gateway can help a merchant quickly resolve payments hassles and get back to managing their business.
  3. Cost: While most gateway providers charge a subscription or per-transaction fee, merchants should take into account the ongoing investment they will have to make in new software and/or POS upgrades when considering a client-to-processor connection. The merchant is then locked in to technology that will soon be dated. In contrast, a cloud-based payment gateway is easily implemented and maintained. Configuration changes are usually performed at the gateway without interrupting business at the site when software and payment scheme updates are required.

Savvy business owners know that the only way to separate claims from reality and determine what’s best for their business is to educate themselves, talk to other merchants who are utilizing similar solutions, and ask a whole lot of questions. Check out this informative presentation and let us know what you think by leaving a comment below.

The Value of a Payment Gateway

Merchant Link’s Sue Zloth to Participate in PCI Boot Camp at 2011 HITEC Conference

What:

Hospitality technology professionals realize that the safety of guest credit card data and other sensitive information is an important part of ensuring a peaceful and relaxing experience. However, when it comes to payment security, hospitality professionals often have limited knowledge and understanding of the unique requirements, risks, tactics and tools they need to ensure their systems are secure and PCI-compliant. At this year’s Hospitality Industry Technology Exposition & Conference (HITEC), Merchant Link’s Sue Zloth will join other experts in the payment processing and security industry in hosting “PCI Compliance Boot Camp.” The boot camp will serve to educate hoteliers on PCI compliance, how to pick a qualified security assessor (QSA), cloud computing, incident response plans and more.

It will also focus on the ways hoteliers can minimize risk by removing card data from their environments using emerging technologies and best practices such as tokenization and point-to-point encryption.


Sue Zloth, Product Group Manager at Merchant Link, knows the hospitality industry and the challenges hotels are facing in today’s difficult security environment. She has over 25 years of hospitality and payment industry experience helping to educate decision makers on how to integrate security into payment processing systems.

Sue is a member of the new Hospitality Financial & Technology Professionals (HFTP) PCI Taskforce as well as a member of the PCI Council’s Tokenization Taskforce, co-chair of the Hotel Technology Next Generation (HTNG) Software Forum, and member of the HTNG Payments Workgroup.


HITEC 2011

June 20, 2011

8:30 AM – 11:15 AM (CT)


Austin Convention Center

Ballroom G

500 E Cesar Chavez St

Austin, TX 78701

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotels, restaurants and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at our expert opinion on encryption, tokenization and PCI compliance, visit the Merchant Link blog at

By Sue Zloth

Call it what you will – Tokenization in the Cloud or Tokenization as a Service.  No matter what you call it, the bottom line is removing sensitive cardholder data completely from the merchant’s IT environment and reducing the scope of PCI DSS.

It is an approach that we have been behind for nearly a decade, through the many variations of terminology.  Ultimately, we believe strongly that keeping card numbers within an enterprise is a security liability.

But don’t just take it from us. Others in the industry are beginning to understand the need to take tokenization into the cloud and are beginning to offer solutions in this area, and the analyst community is also nodding their heads in agreement. It is expected that tokenization in the cloud will become a common strategy for enterprises.

We live and breathe tokenization and encryption so it is always a bright spot when we see the industry embracing this technology and the cloud approach to tokenization.

As part of the Special Interest Group (SIG) for the PCI Council, we expect to provide merchants with formal guidance on the technology shortly. We hope that the documents will offer a better understanding of the types of tokenization and ways to implement the technology. In the meantime, if you have questions about different approaches, feel free to drop me a comment below.

By Beth McGarrity

When it comes to security, there are countless moving parts, scenarios and solutions. And so the agenda at RSA is jam-packed with sessions on a wide range of topics.  While cloud security seems to be rising to the top as the most “buzzed about” topic this year, PCI compliance is also a key subject in San Francisco this week.

Here is a quick primer on the PCI-related sessions at RSA:

  • Thursday @ 11:30 am: Martin McKeay, Senior Security Analyst, Verizon Business, and Michael Dahn, Director PCI Compliance, Verizon Business, are hosting a panel called “PCI Compliance in the Cloud: Why or Why Not?” The session will showcase how being PCI compliant in the cloud requires significant thought and planning by merchants.
  • Friday @ 10:10 am: Marc Appelbaum, Senior Technical Manager, Information Security, Vonage, will discuss “Navigating the Uncharted Waters of PCI Compliance in the 21st Century.” This session will provide insight into how Vonage successfully navigated the complex PCI compliance process, reducing the scope of their entire network from 5000 servers to fewer than 300 servers in just six months.
  • Friday @ 11:20 am: Bob Russo, General Manager, PCI Security Standards Council, will discuss updates to PCI standards in his session “Payment Data in 2011 and Beyond: Investigating Updates to the PCI Standards.” Russo will provide practical insights into how security executives can use PCI standards and payment card industry tools to protect their customers’ data and develop a comprehensive security strategy.
  • Friday @ 3:20 pm: James DeLuccia IV, Senior Manager, Ernst & Young LLP, will discuss the latest version of the security standard, bringing together client experiences and attendee perspectives to address these changes and challenges in his session “PCI DSS Is Updated…Now What?”

By: Nathan Eddy

This story was originally published on eWeek

The hosted platform offers businesses cloud-based services to protect cardholder data.

Voltage Security, a provider of enterprise and payment card data protection inside and outside the cloud, and Merchant Link, a provider of payment gateway and data security solutions, announced a partnership to provide point-to-point encryption, cloud-based decryption and tokenization to businesses looking for a security solution to protect cardholder data and reduce PCI scope. The hosted solution enables merchants to have their Voltage SecureData Payments solution with the decryption and tokenization services hosted within the Merchant Link Payment Gateway.

The service provides a solution to secure data in-flight and data at rest: Voltage Security’s point-to-point encryption technology, where cardholder data is encrypted immediately at point of capture and remains protected throughout the merchant’s environment. The service also provides Merchant Link’s TransactionVault tokenization technology, decryption and payment gateway connecting the POS to the merchant’s processor of choice.

“With this new offering, we are moving the decryption point to the cloud, so the merchant no longer has to have decrypted data in their environment,” said Dan Lane, chief technology officer for Merchant Link. “Data is protected within our secure, PCI-validated redundant data centers. And because the decryption and tokenization is cloud-based, it is both affordable and easy to implement.”

Other features include simplified key management, with no need to inject keys into devices or manually rotate encryption keys; encryption support for a range of form factors in the industry, from payment peripherals to counter-top terminals to multilane terminals; and removal of cardholder data from merchant environments along with outsourced key management, allowing for a reduction of PCI scope.

“Voltage is taking a leadership role in providing data protection both inside and outside the cloud. Now, for the protection of sensitive cardholder data used in payment transactions, merchants can turn to Merchant Link and Voltage for a safe and powerful solution to protect both data in-flight and data at rest,” said Mark Bower, vice president of product management for Voltage Security.

The release comes on the heels of a WatchGuard security forecast for 2011, which predicts VOIP (voice over IP) attacks, manufacturer-delivered malware and social media security breaches will be among the top security concerns for businesses this year.

“2011 stands to be a dynamic year for network security as criminals and hackers take threats to new levels,” said Eric Aarrestad, vice president at WatchGuard Technologies. “Given how new threats are constantly evolving, WatchGuard remains ever vigilant in staying one step ahead of these threats, which gives our customers unparalleled protection for their networks, applications and data.”