Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Credit Card Security’

By Sue Zloth

If you’ve been following along in this series of posts on tokenization, you should now understand what tokenization is and the difference between card-based and transaction-based tokenization.  Now you’re ready to evaluate tokenization solutions.

Each merchant environment is different and complex in its own way. Retail merchants, for example, are particularly interested in analytics and being able to track the behaviors of their customers. Lodging merchants, on the other hand, have multiple touch points with a customer, from making a reservation, to check-in, to room service transactions, to check-out.

Despite the complexities of a merchant’s needs and environment, there are a few basic things to consider when choosing a tokenization vendor:

• Token solutions need to allow merchants to identify what a customer bought, when they bought it and why they bought it.
• Token vendors need to be able to convert current stored credit cards into tokens easily and securely.
• Token vendors need to be able to handle a large volume of transactions traveling through the system in real time.
• Token vendors need to be able to provide multi-channel tokenization for brick-and-mortar stores, eCommerce sites, help desks, catalogs, etc., and continue to return the same token for the same credit card.
• Token vendors need to be able to handle a complex environment where several transactions occur during one customer experience.

These aren’t the only things to consider when shopping for a tokenization solution, but they’re definitely a start.  If you have any additional questions, feel free to drop a comment below and I’ll provide you with my thoughts.

The Copper Cellar Corporation, which owns and operates 19 Copper Cellar, Calhoun’s, Smoky Mountain Brewery, Cherokee Grill and Chesapeake’s restaurants, will be serving more than quality dining and memorable experiences to its guests moving forward: it will also provide peace of mind with a robust payment protection solution.

The Copper Cellar Corporation recently installed TransactionVault, Merchant Link’s tokenization solution, and the Merchant Link Payment Gateway across all of their locations in Knoxville, Nashville, Gatlinburg, Pigeon Forge, Maryville and Lenoir City.

“It’s comforting to not have to worry about the security of our guests’ credit card information,” said Mike Gaston, vice president of information services for Copper Cellar Corporation. “The fact that it is not stored anywhere on our network is a huge relief.”

The company chose to utilize these solutions to safeguard customers’ sensitive payment data and remove it from the premises, ensuring that it is transmitted safely and effectively while reducing their PCI DSS compliance footprint.

The Merchant Link Payment Gateway sends payments quickly, while detecting and correcting errors along the way. It ensures funds are delivered accurately and consistently, prevents expensive chargeback fees, and reduces clerk or system errors so that they do not show up on customer credit statements.

TransactionVault removes customer credit card data at the point of sale where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted “vault,” effectively securing “data at rest” and reducing the cost and effort of attaining and maintaining PCI compliance. Through TransactionVault, Merchant Link processed 1 billion transactions at more than 15,000 merchant locations in 2010.

The Copper Cellar Corporation utilizes a Squirrel point-of-sale (POS) system for customer payments. Their previous payment processor and data security solution created problems for them by posting batches twice. Merchant Link’s full suite of reporting and error detection tools helps to eliminate failed batch attempts, duplicate batches and missed settlement attempts.

“Our old processor had double posted batches before,” said Gaston. “Despite not being directly responsible for the error, it made us look bad in the eyes of our guests. Merchant Link monitors for potential batch issues and ensures that problems such as these are a thing of the past for Copper Cellar, its restaurants and its customers.”

The wide-scale implementation was completed shortly after a pilot site went live successfully with Merchant Link’s solutions.

By Sue Zloth

As you may have read in my previous post, I’ve been working with the PCI Council Special Interest Group to provide recommendations on tokenization. While the PCI Council guidance on tokenization hasn’t been released yet, I decided to pursue the topic here on our blog to help educate merchants about it.  Last week, I discussed what tokenization is. This week, I’d like to talk about the different types of tokenization.

There are two main types of tokenization: transaction-based tokens and card-based tokens.

  • Transaction-based tokens relate to individual transactions. With transaction-based tokenization, a new token is created each time a transaction occurs.
  • Card-based tokens are generated for each card number. In this approach, the same token is reused every time that card number is used.

Is one approach better than the other? There really isn’t a simple answer to that question. In the end, it’s up to the merchant to evaluate how they would use token information and make the decision that is right for them.

Many merchants need to track customer purchases. They may use the credit card number as the “key” for that analysis. Once a merchant moves to tokenization, they will use the token instead.  Unfortunately, a merchant using a transaction-based tokenization system would lose the ability to track customer purchasing behavior because the token will be different for each transaction. Since the token is tied only to a single transaction, the merchant won’t know if a customer buys, for example, three items from a store over the course of a month using the same credit card.

With a card-based tokenization solution, merchants are given more insights into the purchasing decisions and activities of their customers. Card-based tokenization allows the merchant to see a customer’s activities across online and brick-and-mortar environments since the same token is always used for the same credit card.

Ultimately, both types of tokenization vastly reduce the risk of sensitive customer data being stolen should a data breach occur. Since these tokens have no value to the thief if ever stolen, the customer’s real data is kept secure.

Next up in the series: What to consider when implementing a tokenization solution

By Sue Zloth

We already know that most merchants are struggling with PCI compliance, and while they know it is necessary, some don’t even know where to begin.

According to a new survey, conducted by Cisco, there are many challenges that are often faced when attempting to meet PCI DSS requirements:

  • Education tops the list: 43% of respondents suggested that educating employees on the proper handling of cardholder data was the single most highly recognized problem within the organization.
  • Out with the old and in with the new: 32% of respondents stated that updating antiquated systems was a top challenge.
  • Keeping track of the data: 37% of respondents feel that of the 12 PCI requirements, tracking and monitoring all access to network resources and cardholder data cause the most issues for achieving or maintaining compliance.
  • Security: 32% stated that developing and maintaining secure systems and applications cause the biggest hurdles and 30% stated that protecting stored cardholder data is the most challenging.

Personally, we have seen the PCI Council take some very positive steps in educating merchants of all sizes on issues related to compliance. In addition to their new website, they have issued guidance on emerging technologies such as point-to-point encryption and will soon announce guidance on tokenization.

We believe the implementation of these technologies will lessen the burden on merchants. In fact, according to the survey, 60% of respondents are using point-to-point encryption to simplify their compliance efforts. While most of these respondents (70%) came out of the financial industry, we hope to see other sectors follow suit.

Merchants can get out of the credit card business and address the handling of cardholder data by taking it off the network. A layered approach to security, implementing both tokenization and encryption, will reduce the number of hurdles that merchants face and allow them to ease into compliance.

By Beth McGarrity

When we check into hotels, we often rely on a false sense of security in believing that our valuable credit card information will be safe and secure. Yes, historically, it was safe to assume that hotels were as secure as Fort Knox. But the times have changed. As the Wall Street Journal reported in March, hotels have become a prime target for hackers seeking to steal valuable customer credit card information.

It is not very often that we hear from actual victims, who typically shy away from sharing their stories. Nick Percoco, a traveler who checked into a hotel in Toronto, shared his story with the local Chicago Fox News affiliate.

Here’s an excerpt from that Fox News story:

“Basically, I checked into the hotel,” said Percoco, “Handed my credit card to the front desk, for the incidentals, the room charges. They swiped the card on the machine, gave me my room key.”

But before Percoco had even unpacked his suitcase, he received a text message from his credit card company. His card number had just been used for five online purchases – two in Canada, three in the United States. In all, $700 had been charged at online shoe stores, clothing stores and an electronics store.

It may seem hard to believe that criminals had used his card before he even unpacked his bags. As the WSJ pointed out, the most common weakness at hotels is the security surrounding point-of-sale software, the software hotels use to process credit-card transactions, which seems to be where the breakdown in security happened for Nick Percoco.

2011 is the year that the hospitality industry will fight back and install cutting-edge encryption and tokenization solutions to ensure that people like Nick Percoco will no longer be victimized.

The ball is clearly in the court of hotels to protect their customers’ credit card data. Otherwise, customers will lose trust and move onto a competing hotel – a prospect no hotel wants to face.

By Michael Ryan

Most of you in the retail industry are probably still frightened by the idea that your company’s name may be the next to be splashed up in the headlines. Being the next TJX or Hannaford is motivation enough to double check the security of your networks and vow never to be complacent in your security efforts.

In the past, security breaches have been straightforward: hackers have identified vulnerabilities and then exploited them to gain access to the network and databases to obtain customers’ confidential information like credit card numbers, social security numbers and other personal data. Today, the attacks on the retail sector are increasingly sophisticated. Just take a look at last month’s announcement concerning a breach at Aldi, a discount grocer which operates 1,100 stores in 31 states.

As reported by Computerworld, hackers tampered with payment terminals at stores in 11 states in the summer months, gaining access to credit and debit card data such as names, account data and personal identification numbers (PINs). According to reports, the theft of the PIN data suggests that hackers captured PINs as they were entered.

This was an incredibly sophisticated and coordinated attack designed to steal data in flight, as opposed to the traditional target of data at rest. Moreover, it showed a brashness seldom seen. The crooks didn’t hide behind their computers many miles away. At some point they physically tampered with the terminals inside the stores in order to execute the attack.

The bottom line is that between damage to brand and monetary fines, the stakes of fraudulent activity are getting higher and higher for retailers. At the same time, criminals are becoming more creative and brazen in their efforts to steal data, requiring retailers to continue to advance their payment security infrastructure. Unfortunately, there is not just one security solution that is going to protect your systems against credit card data breaches. Implementing a layered approach that addresses anti-virus, monitoring, tokenization and point-to-point encryption is critical if you want to keep up with the sophistication of today’s criminal organizations.

By Sue Zloth

Drum roll please…in case you missed it, the new PCI Data Security Standard 2.0 (PCI DSS) and the Payment Application Data Security Standard 2.0 (PA-DSS) were released by the PCI Security Standards Council late last week.

The Council released the latest version to provide “greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants” according to the announcement.  Version 2.0 will become effective for merchants on January 1, 2011.

So, with the new standards in place, now what?

  • Should merchants continue their current efforts in becoming PCI DSS compliant under v1.2?
  • Do merchants need to stop their efforts to focus on becoming compliant under PCI DSS v2.0 in preparation for the New Year?
  • Will the “validation” documents on encryption and tokenization require additional changes?

Luckily for merchants, version 2.0 doesn’t introduce any major new requirements, and most of the changes are geared towards clarification of the existing requirements. Moreover, merchants who are well down the path of complying with v1.2 are not required to restart their efforts and comply immediately with the new standard, since the old 1.2 standard is valid until December 31, 2011. However, if a merchant hasn’t started yet, they should look to achieve compliance against the 2.0 spec (it is valid now for merchants).

Regarding point-to-point encryption and tokenization, the Council is simply offering guidance. Last month they released guidance on P2PE, and before the end of the year, guidance on tokenization will be released by the Special Interest Group (SIG) that I sit on. We don’t expect that merchants will have to comply with any additional requirements, although once all of the documents are released, merchants will need to make sure that their providers comply with the P2PE and tokenization requirements.

The Council understands that merchants need more clarity regarding the standards and small merchants, in particular, are struggling to ensure compliance with limited resources and knowledge. In fact, just this past week Troy Leach, the Council’s CTO, was sitting on a panel next to our CTO, Dan Lane, at an industry conference.  He highlighted the changes and discussed how the Council will be taking proactive steps to ensure merchants have the tools needed to understand exactly what is going to be required of them.

By Michael Ryan

With just days left before the ghosts and goblins come out to play, we are taking the time to dispel some of the most frightful myths that merchants face today.  Earlier this week, we shed some light on the common myth that EMV will cure all credit card security woes.  We also provided some clarity on a common myth that tokenization and encryption are the same.

Today’s myth is a bit ghostly in that it often flickers and is slowly fading away.

Spooky Myth of the Day: Full card numbers are required for chargeback resolution.

Visa recently published a great document – Visa Best Practices for Primary Account Number Storage and Truncation – which busts this long-held card processing myth. Like the best lore, this one is firmly grounded in truth. As the document states in the opening paragraph, “Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes.”

As we’ve said many times, it is critical for merchants to evaluate the information that is stored on their systems and eradicate data that is sensitive and not needed.  Merchants should only store information that is absolutely necessary or else they are making themselves prime targets for hackers seeking to steal data.

It may take some time to completely eradicate this myth but with Visa’s help we are confident the end is near.

Do you have a spooky myth to share? Include it in a comment below.

By Michael Ryan

It’s a frightening time of year with Halloween right around the corner.  To get our readers in the spirit of the holiday, we are dispelling the scariest of myths that impact merchants today and offering a bit of a treat.

Earlier this week, we discussed the battiness of considering EMV as the solution to all credit card security woes. It is hardly the case, and nothing can really substitute for a layered approach to security. Today, we’ll look at the two technologies that are often layered together but leave most merchants uncertain about the differences between them.

Spooky Myth of the Day: Tokenization and Encryption are interchangeable terms.

With the recent buzz over encryption and tokenization being used to secure cardholder data, the lines sometimes get blurred between the two terms. Thankfully, the PCI Council will publish a guidance document early next year that will provide clarification. Until then the debate will continue, because the definitions can overlap, but for card processing purposes the line can be drawn based on how each may be used.

Here is a simple way to differentiate the two.

Tokenization is the replacement of a data element (such as a credit card number) with another data element, the token. The token is typically assigned randomly, and a mapping of the relationship between the two data elements is stored in a secure environment.

Encryption, on the other hand, is the process of transforming a data element using an algorithm to make it unreadable to anyone except those who possess the decryption key.

With today’s technology, both tokenization and encryption can be incredibly secure on their own. It really comes down to how each may be used for securing cardholder data. Specifically, it is possible to map tokens to a particular card number such that subsequent uses of that card always return the same token. This card-to-token relationship allows merchants to use their cardholder data for analytical purposes, such as understanding a particular consumer’s behavior over time or across channels, as well as for velocity tracking to root out and prevent fraudulent transactions.

The encryption solutions used to protect cardholder data today provide a unique value each time a card is used to prevent reverse engineering of encryption keys and algorithms. It is also impractical for security and storage reasons to house card-to-token mapping at the point of sale.

So the line is best drawn by how tokenization and encryption may be used… and like my fellow blogger recently said, we think they are used best when paired together… like chocolate and peanut butter! Encryption is ideally suited to be used at the point of entry to secure data in flight, while tokens may be used for storage and leveraged for analytics and fraud protection.
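Both the card-based versus transaction-based distinction from the tokenization post earlier on this page and the tokenization-versus-encryption line drawn above, as an added Python illustration that is not Merchant Link’s code: a hypothetical vault run in each mode, a toy nonce-based cipher standing in for in-flight encryption, and a count of how many of one guest’s purchases each value links together. The vault class, the cipher, the test card number and the three sample swipes are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class TokenVault:
    """Hypothetical token vault (not Merchant Link's TransactionVault).
    mode="card": one token per PAN, reused on every use of that card.
    mode="transaction": a fresh token is minted for every transaction."""

    def __init__(self, mode):
        if mode not in ("card", "transaction"):
            raise ValueError("mode must be 'card' or 'transaction'")
        self.mode = mode
        self._token_by_pan = {}   # PAN -> token, only consulted in card mode
        self._pan_by_token = {}   # token -> PAN; this mapping never leaves the vault

    def tokenize(self, pan):
        if self.mode == "card" and pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token carrying only the last four digits, so staff can recognise
        # the card on a receipt but the PAN cannot be recovered from the token.
        token = f"TKN-{secrets.token_hex(6)}-{pan[-4:]}"
        self._pan_by_token[token] = pan
        if self.mode == "card":
            self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault (the processor side) can turn a token back into a PAN."""
        return self._pan_by_token[token]


def encrypt_in_flight(key, pan):
    """Toy nonce-based cipher for illustration only (HMAC-derived keystream, not
    a production algorithm): the fresh nonce makes every ciphertext differ."""
    nonce = secrets.token_bytes(12)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(pan.encode(), stream))


def decrypt_in_flight(key, blob):
    nonce, ct = blob[:12], blob[12:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


# Constructed sample: one guest pays with the same card three times in a month,
# in the store and on the web. 4111... is a test number, not a real account.
PAN = "4111111111111111"
SWIPES = [("store", PAN), ("web", PAN), ("store", PAN)]


def purchases_per_token(mode):
    """Tokenize every swipe and count how many purchases each token links together."""
    vault = TokenVault(mode)
    return Counter(vault.tokenize(pan) for _, pan in SWIPES)


def distinct_customers_seen(mode):
    """1 means the merchant can see a repeat customer; 3 means each visit looks new."""
    return len(purchases_per_token(mode))


def ciphertexts_all_differ(key=b"constructed-demo-key-32-bytes!!!"):
    """Same PAN, same key, three swipes: three different blobs, all still decryptable."""
    blobs = [encrypt_in_flight(key, PAN) for _ in SWIPES]
    return len(set(blobs)) == len(blobs) and all(decrypt_in_flight(key, b) == PAN for b in blobs)
```

Card mode links all three purchases to one token, transaction mode yields three unrelated tokens, and the encrypted values differ on every swipe, which is why a ciphertext cannot serve as the analytics key that a card-based token can.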

Visit us later this week for the next spooky myth. If you have other myths that you’d like to add, include them in a comment below.

By Beth McGarrity


When we talk about our mission here at Merchant Link, we not only talk about making credit card transactions secure, but also about making them easy for the merchants we serve.  That’s where our support team comes in.

Every year at this time, as part of Customer Service Week, we celebrate and recognize the important service our team provides in delivering “one-call-solves-all” support to our customers.

Kay Fakunle, Manager of Technical Support, acknowledged the team’s hard work this year. “We’ve been doing a lot of trainings, all building up to this week. Our Superior Service scores are up as well as our Customer Survey scores, so this week is largely focused on rewarding those accomplishments and having fun.”

Another theme this week was teamwork.  Jomaine Sanders, Manager of Implementations, explained, “All year long we take care of our customers, but then there are our own, internal customers.  We’ve talked a lot about the importance of working well together.”

To help build camaraderie, the games this week included a scavenger hunt with clues that tested the team’s knowledge of each other.  Virtual Bingo provided an amusing distraction, with numbers posted on our Intranet throughout the week.  And high-spirited games of Family Feud, Minute-to-Win-It, and a Friday afternoon ice cream social rounded out the week.

Special recognition went to Deborah Olufolaju for outstanding service. And the team had fun with several peer-nominated awards too, including:

  • Most Likely to Always Have a Can-Do Attitude – Emily
  • Most Likely to Appear on American Idol – Oneka
  • Most Likely to Have the Most Shoes – Winsome
  • Most Likely to Enjoy a Bad Movie – Detrick
  • Most Likely to Arrive On-Time – LaNique and Paul
  • Most Likely to Find a Quarter on the Ground – Donna

Congratulations all, and keep up the hard work!