Merchant Link SecurityCents

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet.  Yes, the technology has been around for awhile.  But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to New Online Spending Index conducted by Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retailer Federation’s (NRF) conducts an annual Valentine’s Day Consumer Intentions and Actions survey and this year found that the average person will spend more than they have over the past 10 years, reaching a spending total of $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets.  Retailers must protect that trust of their customers and can do so by following a few simple tips that we often talk about on this blog:

• It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
• Focus on the relationship. It’s not just technology, its people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
• Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go.  The same holds true for information stored on the network. Merchants tend to hold on to data when in reality, this information can be easily removed from the system which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart to maintain strong relationships the loyalty of their customers.

Immediately following the New Year, you probably noticed a few changes.  The gym parking lot was jammed packed.  Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again.  People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy and the commercials for diet plans and fitness products have reverted back to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches are perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

• Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

• Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

• Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

• Customer Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

• Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

• Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer.   Fortunately, customer credit card numbers were not compromised because they were stored on a separate server.   And, as our SecurityCents readers know we always urge merchants to securely store all necessary payment data in a server outside of their network.

• Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

• Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry.  See you all back at the Javitz Center next year!

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst, Avivah Litan, calls credit card skimming schemes, something we’ve discussed previously on the blog.  Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly-targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with pin numbers taped right on.

More individuals are recruited to then hit up ATM machines and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

The cost of a data breach for retailers and merchants is rising every day, both in terms of dollars and brand reputation, taking into account costs for internal investigation, notification/crisis management and response. And soon, there may be another cost being levied on merchants from a different source: the government.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned since the rules are expected to also apply to European subsidiaries of foreign companies.  It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.

By Michael Ryan

A little over one year ago, I authored a blog post in response to a new trend that was impacting retailers: skimming of credit card information in-flight directly from payment terminals in retail locations. It was around this time last year that Aldi, a discount grocer which operates 1,100 stores in 31 states, announced that terminals in 11 stores had been tampered with and were funneling credit card and PIN data to cyber criminals.

Despite the situation at Aldi, raising awareness of this problem, it’s still an issue for retailers one year later.

According to a recent article, Save Mart, a chain of grocery stores based out of Modesto, Ca., issued a consumer advisory warning customers that 20 of its locations were found to have card readers that were compromised. It wasn’t clear whether the devices were replaced or simply tampered with. Regardless, there was the potential for sensitive customer information to be stolen.

In today’s retail environment, where getting customers in and out of the store quickly with their purchases is paramount, many retail chains have installed self-checkout counters. It was the credit readers at the self-checkout counters that Save Mart had compromised, which raises red flags for other retailers utilizing similar technology.

With data thieves getting increasing bold and physically altering credit card readers, it’s becoming increasing important that retailers remain vigilant and alert. This is especially true right now during the busy holiday shopping season.

As we discussed in a recent post, retailers that have even suspected that data thieves have compromised sensitive financial information about customers have seen a significant impact on their wallets. From public relations campaigns to clear up negative press, to credit monitoring services for customers, companies are seeing the price tag of a data breach continue to increase.

Despite high profile breaches like the ones at Aldi and Michaels, POS systems and card readers at retail locations remain a significant security vulnerability for retail chains. With the cost of a breach skyrocketing and the sheer masses of holiday shoppers flooding retail outlets, now is the time to ensure that businesses do everything they can to protect themselves and their customers.

The top executives of retail companies have a list of business functions, products and services that they’ve been told they, “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations, and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

Chartered as a working group of Hotel Technology Next Generation (HTNG), at least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data – this includes dramatically improving the security of credit card processing by and for hotels while significantly reducing overall costs.

Following is an exclusive podcast with Douglas C. Rice, Executive Vice President and CEO, Hotel Technology Next Generation (HTNG), who discusses this new working group.

Tokenization offers added layer of security to spa management software while reducing PCI scope

Merchant Link, a leading provider of payment gateway and data security solutions, today announced that its TransactionVault™ tokenization solution now fully integrates with industry leading spa and activity management software SpaSoft, providing an extra layer of payment security — while helping meet PCI compliance requirements — for spas and resorts.

Offered by PAR Springer-Miller, SpaSoft is a management and scheduling software solution for spas and resorts that now integrates with Merchant Link’s next-generation tokenization solution, which removes customer credit card data where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted vault. The combined solution helps reduce resorts, spas and health clubs Payment Card Industry Data Security Standards (PCI DSS) scope.

JC Resorts, a leader in the management and operation of premium golf and resort properties, has selected and is piloting the combined solution.  Having installed SpaSoft with TransactionVault in two of their largest properties in San Diego and Laguna Beach, JC Resorts now has a higher level of confidence in the security of their financial transaction data.

“We are always looking for solutions that will help us best manage our business while also ensuring that all of our transactions are fully secure,” said Diane Li, Chief Information Director, JC Resorts. “In addition, meeting current PCI compliance requirements can be very challenging. The new integration between SpaSoft and TransactionVault will allow us to be compliant and have the peace of mind knowing that we are ultimately protecting our guests.”

Since 2006, SpaSoft has interfaced with Merchant Link’s payment gateway solution and the integration with TransactionVault reinforces PAR Spring-Miller’s commitment to providing data security and PCI compliance solutions to its customers and users.  SpaSoft is currently in use in more than 900 locations.

“Providing tokenization with TransactionVault enhances the SpaSoft complete spa management solution. Our clients appreciate our system which is both feature-rich and fully secure when it comes to processing debit and credit card transactions,” said Victor Vesnaver, Senior Vice President, Sales and Marketing, PAR Springer-Miller Systems.  “Unfortunately, data breaches in the hospitality sector are on the rise and this new integration allows resort and spa operators to protect their guests from having their card information compromised.”

The PCI Security Standards Council recently released its tokenization guidance, which aims to provide greater clarity about how tokenization solutions relate to PCI DSS and impact compliance. In addition, the TransactionVault solution has been proven to significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released by Coalfire Systems.

“Hospitality providers are constantly facing the threat of nefarious hackers who are very persistent in their efforts to obtain guest’s vital information,” said Dan Lane, President and CEO of Merchant Link.  “By integrating TransactionVault into SpaSoft, we are offering hospitality providers the most comprehensive line of defense against cyber criminals.”

About SpaSoft and PAR Springer-Miller Systems

An industry-standard for more than 10 years, SpaSoft is a fully integrated, dynamic activities management/scheduling software solution, specifically designed to meet the unique needs of resorts, day spas, medi-spas and health clubs. SpaSoft‘s integrated offering includes resource management, club membership, group management, inventory management, point-of-sale, yield management, loyalty proram, user-defined and standardized reporting, as well as client management and history.

SpaSoft is one of the many products offered by PAR Systems-Miller Systems Inc, the leading provider of hospitality management solutions. The extensive product line offered by PSMS meets the technology needs of all types of hospitality enterprises including city-center hotels, destination spa and golf properties, timeshare properties and casino resorts worldwide. For more information on SpaSoft or PAR Springer-Miller Systems, visit our website at www.spasoft.com.

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault^TM, our tokenization solution, and TransactionShield^TM, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com. For our expert opinion on encryption, tokenization and PCI compliance, visit our blog at www.merchantlinksecuritycents.com.

.