Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Data Security’

The top executives of retail companies have a list of business functions, products and services that they’ve been told they “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves who stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t given, but the company had to email all of its customers and warn them about the theft, which was undoubtedly a blow to its brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information be compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find the vulnerabilities that were exploited and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. Tokenization replaces the card number on the merchant’s systems with a surrogate value that has no meaning outside the token vault, and encryption leaves a thief with ciphertext that is worthless without the key. Either way, the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

Chartered as a working group of Hotel Technology Next Generation (HTNG), at least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data – this includes dramatically improving the security of credit card processing by and for hotels while significantly reducing overall costs.

Following is an exclusive podcast with Douglas C. Rice, Executive Vice President and CEO, Hotel Technology Next Generation (HTNG), who discusses this new working group.

Tokenization offers added layer of security to spa management software while reducing PCI scope

Merchant Link, a leading provider of payment gateway and data security solutions, today announced that its TransactionVault™ tokenization solution now fully integrates with industry leading spa and activity management software SpaSoft, providing an extra layer of payment security — while helping meet PCI compliance requirements — for spas and resorts.

Offered by PAR Springer-Miller, SpaSoft is a management and scheduling software solution for spas and resorts that now integrates with Merchant Link’s next-generation tokenization solution, which removes customer credit card data from the places where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted vault. The combined solution helps reduce the Payment Card Industry Data Security Standard (PCI DSS) scope of resorts, spas and health clubs.

JC Resorts, a leader in the management and operation of premium golf and resort properties, has selected and is piloting the combined solution.  Having installed SpaSoft with TransactionVault in two of their largest properties in San Diego and Laguna Beach, JC Resorts now has a higher level of confidence in the security of their financial transaction data.

“We are always looking for solutions that will help us best manage our business while also ensuring that all of our transactions are fully secure,” said Diane Li, Chief Information Director, JC Resorts. “In addition, meeting current PCI compliance requirements can be very challenging. The new integration between SpaSoft and TransactionVault will allow us to be compliant and have the peace of mind knowing that we are ultimately protecting our guests.”

Since 2006, SpaSoft has interfaced with Merchant Link’s payment gateway solution, and the integration with TransactionVault reinforces PAR Springer-Miller’s commitment to providing data security and PCI compliance solutions to its customers and users. SpaSoft is currently in use in more than 900 locations.

“Providing tokenization with TransactionVault enhances the SpaSoft complete spa management solution. Our clients appreciate our system which is both feature-rich and fully secure when it comes to processing debit and credit card transactions,” said Victor Vesnaver, Senior Vice President, Sales and Marketing, PAR Springer-Miller Systems.  “Unfortunately, data breaches in the hospitality sector are on the rise and this new integration allows resort and spa operators to protect their guests from having their card information compromised.”

The PCI Security Standards Council recently released its tokenization guidance, which aims to provide greater clarity about how tokenization solutions relate to PCI DSS and impact compliance. In addition, the TransactionVault solution has been proven to significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released by Coalfire Systems.

“Hospitality providers are constantly facing the threat of nefarious hackers who are very persistent in their efforts to obtain guests’ vital information,” said Dan Lane, President and CEO of Merchant Link. “By integrating TransactionVault into SpaSoft, we are offering hospitality providers the most comprehensive line of defense against cyber criminals.”

About SpaSoft and PAR Springer-Miller Systems

An industry standard for more than 10 years, SpaSoft is a fully integrated, dynamic activities management/scheduling software solution, specifically designed to meet the unique needs of resorts, day spas, medi-spas and health clubs. SpaSoft’s integrated offering includes resource management, club membership, group management, inventory management, point-of-sale, yield management, loyalty program, user-defined and standardized reporting, as well as client management and history.

SpaSoft is one of the many products offered by PAR Springer-Miller Systems Inc., the leading provider of hospitality management solutions. The extensive product line offered by PSMS meets the technology needs of all types of hospitality enterprises including city-center hotels, destination spa and golf properties, timeshare properties and casino resorts worldwide. For more information on SpaSoft or PAR Springer-Miller Systems, visit our website at www.spasoft.com.

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotels, restaurants and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com. For our expert opinion on encryption, tokenization and PCI compliance, visit our blog at www.merchantlinksecuritycents.com.


By Beth McGarrity

It’s that time of year…tailgating, parties and football on the television.  And who can watch the games without the perfect snack?  As I was making my favorite recipe for a 7-layered bean dip for last Sunday’s Redskins game against the Giants, I got to thinking about the perfect recipe needed to protect the multiple layers that exist in the payment process.  There is no one magic ingredient that is going to secure your entire system.

So I sat down to write and share this recipe with our readers:

Ingredients

  • 1 cup authentication
  • 1 2/3 cups encryption
  • 2 cups tokenization
  • A pinch of education and training for both customers and internal resources
  • A dash of trust

Directions

EVALUATE your network and determine access points and storage of sensitive information.

LAYER the security over your network using proven technologies to authenticate users and identify malicious traffic on your network. In addition to security appliances such as firewalls and intrusion detection and prevention systems, merchants should secure payment data in flight and at rest by layering point-to-point encryption (protecting the card number from the moment it is read) and tokenization (so that what is stored afterwards is not the card number at all).

MONITOR your network for suspicious activity.

EDUCATE both your customers and employees on security best practices to reduce human error and minimize impact to your security posture.

UPDATE, as necessary. A perfect recipe for security has to be analyzed on a regular basis and evolve based on new and emerging threats.

End Result

If you follow these directions closely – much like you would in creating the ultimate 7-layered dip – you will bring your transaction security to a completely new level.  Each layer is critical to the overall success of your security strategy.  One weak layer can cause the whole “security dish” to be foul tasting, and even worse, cause your customers’ vital credit and debit card information to be compromised.
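As an added, illustrative example (this is not Merchant Link’s TransactionVault or any product code, and every class and function name here is an assumption), the following Python shows what the tokenization layer in the recipe above actually changes about a breach: the card number exists only inside a vault, the merchant’s own store keeps a random token plus the last four digits, and a dump of that store contains nothing a thief can use. The same point underlies step 6 of the eight-step post further down this page. The card numbers used are constructed test values.

```python
"""Minimal token vault demo (added example, not product code).

The vault is the only place the PAN exists; the merchant store keeps a
random token and the last four digits.  Names are assumptions.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits):
    """Mod-10 check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Stands in for the hosted vault. A production vault would also encrypt
    the PAN at rest under a hardware-protected key; that is omitted here."""

    def __init__(self, index_key):
        self._pan_by_token = {}
        self._token_by_fp = {}
        self._index_key = index_key  # vault-side secret, never at the merchant

    def _fingerprint(self, pan):
        # Keyed hash: a returning card maps to its existing token without the
        # lookup index being a plain hash an attacker could brute-force.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp not in self._token_by_fp:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_fp[fp] = token
        return self._token_by_fp[fp]

    def detokenize(self, token):
        """Only the vault (or the gateway fronting it) can ever do this."""
        return self._pan_by_token[token]


class MerchantStore:
    """What the spa or POS system keeps. With no PAN present, this table
    holds nothing PCI DSS requires you to protect and nothing worth stealing."""

    def __init__(self):
        self.rows = []

    def record_sale(self, token, last4, amount):
        self.rows.append({"token": token, "last4": last4, "amount": amount})


def run_sale(vault, store, pan, amount):
    """One checkout: the PAN goes to the vault, only the token is stored."""
    token = vault.tokenize(pan)
    store.record_sale(token, re.sub(r"[ -]", "", pan)[-4:], amount)
    return token


def pans_in_dump(store):
    """Simulate an attacker reading the merchant store: count any value that
    is a Luhn-valid 13-19 digit number."""
    count = 0
    for row in store.rows:
        for value in row.values():
            if isinstance(value, str) and value.isdigit() \
                    and 13 <= len(value) <= 19 and luhn_valid(value):
                count += 1
    return count


def demo():
    """Three sales, two of them on the same (constructed) test card."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    store = MerchantStore()
    t1 = run_sale(vault, store, "4111 1111 1111 1111", "48.00")  # constructed test PAN
    t2 = run_sale(vault, store, "4111111111111111", "12.50")     # same card, repeat guest
    t3 = run_sale(vault, store, "5555555555554444", "99.00")     # constructed test PAN
    return vault, store, (t1, t2, t3)


if __name__ == "__main__":
    vault, store, tokens = demo()
    print("tokens:", tokens)
    print("PANs recoverable from merchant store:", pans_in_dump(store))
```

The design choice worth noticing is that the token is random rather than computed from the card number, so possessing the merchant database and the token format tells an attacker nothing; the only path back to the PAN runs through the vault, which is exactly the system you keep out of the merchant’s environment and under the strictest controls.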

By Sue Zloth

Last month a couple of us talked with John Kindervag at Forrester Research.  We spent a portion of the discussion on PCI standards, talking about the pressures that merchants feel to comply and providing updates on what we’ve been doing with the Council in their working groups.

So I, particularly, was interested when I saw John’s blog on PCI. He points out that merchants should have knowledge of the industry they serve, but also recognize the connections with other verticals that may not be obviously linked to their line of business. So whether you sell ice cream or designer jeans, you fall into the category of payment security because you process financial transactions.

Here is what John said in his blog:

Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance — what defines you is your data and how you handle it.

When advising Forrester clients on InfoSec, the first question I ask is, “what compliance mandates are you under?” Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. For example, I often say that, “PCI is the world’s largest vertical market.” It is a single global standard that affects more companies than not. You may think you are a hotel and your vertical is hospitality, but if you handle credit cards your real vertical — from a data perspective — is PCI.

Data defines markets. Look at your data, your transactions, and your process, and map them to your compliance initiatives. That will determine your digital — not analog — vertical. Using this measure, you can determine your security baseline and compare yourself to companies who must handle data in the same manner as you to help guide your security decisions.

by Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end state and how best to overcome the numerous obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data as well as what happens to any recorded Voice over IP calls. As part of that process develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem, it’s a business issue, and to be effective, it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as it’s required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can protect sensitive data throughout the entire operational life cycle: encryption keeps the card number unreadable while it is in transit to the processor, and tokenization means your systems never store it at all. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PA-DSS validated property management systems (PMS) and tamper-resistant security modules (TRSMs) for card entry where possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but have excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique to increase your security posture. Another freebie is to update systems regularly; implement a patch management program to make sure all OS and application patches are installed in a timely fashion and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee will be far less than the cost of a breach. Then, just as you have an evacuation plan for a physical security emergency, develop a breach response plan so you know who to contact if a breach occurs; key contacts include the merchant bank as well as federal and state law enforcement agencies.
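Step 1 (and the EVALUATE step of the recipe post above) is the one most organizations get wrong because card numbers turn up in places nobody planned for: debug logs, spreadsheet exports, free-text notes fields. As an added example that is not part of the original post, the following Python is the kind of small card-data discovery scan a practitioner would run over such files. The sample files are constructed inline; the regular expression and the Luhn filter are the technique, and the names are assumptions. It reports only masked numbers, so the scan output is not itself cardholder data.

```python
"""Card-data discovery scan (added example, not from the original post).

Finds 13-19 digit runs (spaces or dashes allowed between groups), drops
candidates that fail the Luhn check, and reports masked hits by location.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "source line masked")

# A digit run of 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Mod-10 check; order numbers and phone numbers usually fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four (the usual permitted display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Yield (line_number, pan_digits) for every Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield lineno, digits


def scan(sources):
    """sources: mapping of file name -> file content. Returns masked hits."""
    return [Hit(name, ln, mask(d))
            for name, text in sources.items()
            for ln, d in find_pans(text)]


# Constructed sample files: a POS debug log that leaked a card number, a
# guest export with a card on file, and a notes file with only a phone number.
SAMPLE_SOURCES = {
    "pos/debug.log": (
        "2011-10-02 12:01:44 AUTH req card=4111 1111 1111 1111 amt=48.00\n"
        "2011-10-02 12:01:45 AUTH ok ref=1234567890123456\n"
    ),
    "exports/guests.csv": (
        "guest_id,name,card_on_file\n"
        "8812,A. Guest,5555-5555-5555-4444\n"
    ),
    "notes/front-desk.txt": (
        "Guest asked us to hold the booking; phone 301-555-0100.\n"
    ),
}


if __name__ == "__main__":
    for hit in scan(SAMPLE_SOURCES):
        print(f"{hit.source}:{hit.line}: {hit.masked}")
```

Note what the Luhn filter buys you: the 16-digit reference number on the second log line looks exactly like a card number to the regular expression but fails the check and is dropped, while the spaced and dashed card numbers in the log and the export are normalized and caught. Every hit is a place where, per step 4, the question is whether the data needs to be there at all.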

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues, there are thousands of IT security professionals facing the same complexities and similar issues to yours. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf

by Beth McGarrity

Imagine what it’s like trying to secure a multi-billion dollar online and brick and mortar business.  That’s the task that Carlton Jones, Security Analyst at Staples, Inc. takes on every day.

We interviewed Carlton at RSA 2010 between sessions to find out what it takes to assure customers that each time they buy office supplies their credit card transaction is secure and their data is protected.

Watch the video below to learn what guides Staples Inc.’s security philosophy, from best-in-class investments to building business cases to making ongoing process improvements.

by Beth McGarrity

It’s always interesting to find out what security practitioners, those out in the field, think about the security and compliance challenges they face day in and day out as they secure their networks and customer data.

A few months ago, when we were at the RSA show, we interviewed Jason Stead of Choice Hotels International to find out his thoughts about the security and compliance conundrum.  Does being compliant mean that a company is secure?  Or should compliance be a byproduct of best practice security activity?

Watch the video below to hear Jason’s thoughts.