Posts Tagged ‘Credit Card Security’

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet.  Yes, the technology has been around for a while.  But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to the New Online Spending Index conducted by Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retail Federation (NRF) conducts an annual Valentine’s Day Consumer Intentions and Actions survey, and this year it found that the average person will spend more than they have over the past 10 years, reaching a spending total of $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets.  Retailers must protect the trust of their customers and can do so by following a few simple tips that we often talk about on this blog:

  • It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • Focus on the relationship. It’s not just technology, it’s people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
  • Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go.  The same holds true for information stored on the network. Merchants tend to hold on to data when, in reality, this information can be easily removed from the system, which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart to maintain strong relationships and the loyalty of their customers.

These days, merchants are being told they can save money by using a client-to-processor connection or “direct driver” vs. a hosted payment gateway in the cloud. Are these claims really true? What do merchants stand to lose by sending transaction data directly from their point-of-sale system to a processor?

A hosted payment gateway facilitates the secure transfer of information between a point of payment (your POS) and the payment processor or bank. The gateway acts as a translator, traffic cop and bodyguard – interpreting and directing data streams through a secure route to the appropriate destination, quickly and accurately.

Merchants considering both options should keep in mind:

  1. Choice: A gateway connects merchants to a variety of processors and often offers the flexibility to switch payment providers quickly and efficiently, enabling a merchant to best manage its payment acceptance fees. Merchants with franchisees can offer them the choice of processors and maintain a secure and consistent payments acceptance process across their brand.  Merchants can also use the gateway to route different card types to specified hosts, saving them money by reducing processors’ switching fees.  A quality gateway assures that a merchant is not locked in to a particular processor’s technology that is hard to “unravel” if they decide to change.
  2. Support: A quality gateway provider has the unique ability to track down and efficiently resolve problems no matter where an issue occurs within the life cycle of a transaction, saving merchants time and money by eliminating “finger pointing” between POS providers and payment processors.  The more complex the merchant environment, the more a gateway is needed.  A gateway can help a merchant quickly resolve payments hassles and get back to managing their business.
  3. Cost: While most gateway providers charge a subscription or per-transaction fee, merchants should take into account the ongoing investment they will have to make in new software and/or POS upgrades when considering a client-to-processor connection. The merchant is then locked in to technology that will soon be dated.  In contrast, a cloud-based payment gateway is easily implemented and maintained.  Configuration changes are usually performed at the gateway without interrupting business at the site when software and payment scheme updates are required.

Savvy business owners know that the only way to separate claims from reality and determine what’s best for their business is to educate themselves, talk to other merchants who are utilizing similar solutions, and ask a whole lot of questions. Check out this informative presentation and let us know what you think by leaving a comment below.

The Value of a Payment Gateway

Joie de Vivre, which manages the largest collection of boutique hotels in California and an assortment of restaurants and spas, will raise the standards of customer service by implementing Merchant Link’s tokenization solution to protect the credit card data of its guests across 27 of its locations.  Merchant Link is a leading provider of cloud-based payment gateway and data security solutions.

Joie de Vivre offers one of the most unique collections of lifestyle hotels and continues to expand on its fresh and inventive properties.  Merchant Link will deploy its hosted, card-based tokenization solution across the Joie de Vivre enterprise, including the hotel property management systems and the spa point-of-sale systems, ensuring that every transaction is tokenized and there is an extra layer of protection that will protect Joie de Vivre’s brand.

“We pride ourselves on being innovative and offering exceptional hospitality services and products to our customers,” said Michael Stano, Joie de Vivre’s vice president of technology. “Our commitment to excellence extends even further by offering safe and secure financial transactions for our customers so they can enjoy their experience without worrying about the safety of their payment information.  And we have the peace of mind knowing that sensitive data doesn’t live on our network.”

Joie de Vivre, a longtime customer of Merchant Link, will utilize TransactionVault™, a tokenization technology that removes customer card data from merchants’ systems where it is most at risk of being compromised by hackers. By tokenizing every transaction throughout the entire hotel experience, from check-in to purchases at the gift shop and more, Joie de Vivre can remove payment data from all points in the payment process.  This valuable data will instead be stored in Merchant Link’s secure, hosted “vault,” thereby effectively lowering the cost and effort of attaining and maintaining PCI compliance.

“The lodging industry is quickly realizing the importance of tokenization to secure sensitive data,” said Dan Lane, President and CEO of Merchant Link.  “We have served Joie de Vivre’s payment transaction needs since 2007, and we continue to work with them as they address the complexities of payment transactions.”

About Joie de Vivre Hotels

Joie de Vivre Hotels ( www.jdvhotels.com ) embarked on its mission to “create joy” for guests and employees in 1987, when Chip Conley founded the innovative hospitality company in San Francisco. Each one of Joie de Vivre’s more than 30 hotels is an original concept designed to reflect the local community and engage the five senses so that guests enjoy authentic, memorable experiences. Today Joie de Vivre manages the largest collection of boutique hotels and resorts in California and is expanding outside the state with openings in Scottsdale, Arizona this fall and Chicago in early 2012.

With more than 25,000 guests visiting each month, Fantasy Springs Resort Casino, owned by the Cabazon Band of Mission Indians, is known for providing luxurious accommodations, the finest cuisine, exciting entertainment, and a world-class casino.

Fantasy Springs is also on the cutting-edge when it comes to payments and transaction security.  Following is an exclusive podcast with Don Lindsey, Fantasy Springs Resort Casino’s Director of Information Technology, who discusses transaction security trends and their use of tokenization.

by Tim Kinsella

My kids are like most kids.  They are into most sports, particularly baseball and basketball, and hanging out with friends.  More recently, video games have taken their place in our household.  So when I saw that there was a major security breach on the PlayStation Network, I realized that my world and my kids’ world had collided.

My immediate response was to make sure that my credit card information was safe.

Thankfully, all the credit card information on the system was encrypted, preventing the hackers from obtaining this valuable data. Unfortunately, not all the data was encrypted, leaving the 77 million users still vulnerable to some kind of identity theft.

It got me thinking about security standards.  Most credit card merchants today realize the impact of a breach. We’ve been educating merchants for years on using tokenization and encryption solutions to protect sensitive payment data.  So why don’t all companies utilize encryption or tokenization solutions to protect their customers’ data? And if they do, why aren’t they using encryption for all important data?

The Payment Card Industry Security Standard sets requirements for companies that process credit card information in order to prevent theft or fraud. One requirement is to encrypt any data that is transferred on public networks.  The fact is that all data that can be used for fraud needs to be evaluated and protected.  Being compliant is not enough…rather it is just the beginning.  Too many merchants believe that compliance equals data security.  In reality, compliance is a step toward true data security.  In the end, it is safer for companies to completely remove this data from their system.

When personal and financial information can be threatened, merchants need to take greater measures to protect this vital data and to ensure the confidence of their customers.

Meanwhile, I have since turned off the gaming consoles and encouraged my kids to pick up a book instead.

Hotel Technology Next Generation (HTNG) is an association that we’ve been working closely with.  We have been impressed with their efforts in helping hoteliers take an active stance against cyber criminals. The organization plays a major role in advocating for best payment security practices for hotels, and our own Sue Zloth is actively involved in HTNG working groups.

Now the group has launched a comprehensive web site called “HTNG is Improving Hotel Credit Card Security” that serves as a key resource for hoteliers to learn more about protecting their customer data.  Douglas Rice, Executive Vice President and CEO, discusses this new initiative and other key payment security trends for hoteliers in our latest podcast on the Merchant Link SecurityCents HITEC page.

What trends do you think will be featured at HITEC?  Join the conversation on our HITEC page and leave a comment.  Interested in being a guest blogger and providing our readers with your perspectives?  Send me an email.

By Troy Mechura

It is all too common—hackers accessing personal financial information on merchant payment systems.

Just this week, another quick service restaurant was hit with a data security breach leaving more than a dozen customers victim to credit theft. In Clive, Iowa, patrons of a local Qdoba Mexican Grill reported unauthorized banking transactions that range from several hundred to a thousand dollars.

Authorities suspect that the culprit somehow hacked into the financial clearing house used by Qdoba to process credit and debit cards. Fortunately, banks are recovering these victims’ losses. Instead of customers worrying about the taste of their food, they have to worry about the safety of their personal information.

So here is yet another example of a restaurant falling prey to a security breach. When valuable information is stored on POS systems, they become prime targets for hackers like the one in Iowa because they are less difficult than large-scale attacks.

If merchants want to maintain the trust of their customers, they must take preventative measures to ensure the safety of personal financial data. Many cite that they meet the minimum standards set by the PCI Council, but that isn’t always enough. Merchants should utilize encryption or tokenization solutions that practically eliminate the opportunity for security breaches by taking valuable information off the payment system’s network. These tools remove sensitive data that restaurateurs simply don’t need in the first place. If you get rid of the data, you get rid of the risk.

By Sue Zloth

If you’ve been following along in this series of posts on tokenization, you should now understand what tokenization is and the difference between card-based and transaction-based tokenization.  Now you’re ready to evaluate tokenization solutions.

Each merchant environment is different and complex in its own way. Retail merchants, for example, are particularly interested in analytics and being able to track the behaviors of their customers. Lodging merchants, on the other hand, have multiple touch points with a customer, from making a reservation, to check-in, to room service transactions, to check-out.

Despite the complexities of a merchant’s needs and environment, there are a few basic things to consider when choosing a tokenization vendor:

• Token solutions need to allow merchants to identify what a customer bought, when they bought it and why they bought it.
• Token vendors need to be able to convert current stored credit cards into tokens easily and securely.
• Token vendors need to be able to handle a large volume of transactions traveling through the system in real time.
• Token vendors need to be able to provide multi-channel tokenization for brick and mortar, eCommerce sites, help desk, catalog etc. and continue to return the same token for the same credit card.
• Token vendors need to be able to handle a complex environment where several transactions occur during one customer experience.

These aren’t the only things to consider when shopping for a tokenization solution, but they’re definitely a start.  If you have any additional questions, feel free to drop a comment below and I’ll provide you with my thoughts.

The Copper Cellar Corporation, which owns and operates 19 Copper Cellar, Calhoun’s, Smoky Mountain Brewery, Cherokee Grill and Chesapeake’s restaurants, will be serving more than quality dining and memorable experiences to its guests moving forward: it will also provide peace of mind with a robust payment protection solution.

The Copper Cellar Corporation recently installed TransactionVault, Merchant Link’s tokenization solution, and the Merchant Link Payment Gateway across all of their locations in Knoxville, Nashville, Gatlinburg, Pigeon Forge, Maryville and Lenoir City.

“It’s comforting to not have to worry about the security of our guests’ credit card information,” said Mike Gaston, vice president of information services for Copper Cellar Corporation. “The fact that it is not stored anywhere on our network is a huge relief.”

The company chose to utilize these solutions to safeguard customers’ sensitive payment data and remove it from the premises to ensure that it is transmitted safely and effectively while reducing their PCI DSS compliance footprint.

The Merchant Link Payment Gateway sends payments quickly, while detecting and correcting errors along the way. It ensures funds are delivered accurately and consistently, prevents expensive chargeback fees and reduces clerk or system errors and prevents them from showing up on customer credit statements.

TransactionVault removes customer credit card data at the point of sale where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted “vault,” effectively securing “data at rest” and reducing the cost and effort of attaining and maintaining PCI compliance. Through TransactionVault, Merchant Link processed 1 billion transactions at more than 15,000 merchant locations in 2010.

The Copper Cellar Corporation utilizes a Squirrel point-of-sale (POS) system for customer payments. Their previous payment processor and data security solution created problems for them by posting batches twice. Merchant Link’s full suite of reporting and error detection tools helps to eliminate failed batch attempts, duplicate batches or no settlement attempts.

“Our old processor had double posted batches before,” said Gaston. “Despite not being directly responsible for the error, it made us look bad in the eyes of our guests. Merchant Link monitors for potential batch issues and ensures that problems such as these are a thing of the past for Copper Cellar, its restaurants and its customers.”

The wide-scale implementation was completed shortly after a pilot site went live successfully with Merchant Link’s solutions.