Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ EMV ’

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web.  Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
Why Credit Card Fraud Grows 
Missing the Mark on Secure Card Tech Will Haunt Any Issuer
by Tracy Kitten
Payments card fraud is a growing concern for U.S. card issuers, yet few have taken dramatic steps to fight it.  Last week’s announcement that major card brands and domestic issuers are joining forces to create an EMV Migration Forum reflects at least some interest in enhancing payment-card security…

Starbucks/Square partnership: what does it mean?
by Javelin Strategy & Research
The Starbucks/Square partnership certainly is among the major recent announcements related to in-store mobile payments, and has the potential to significantly help jump start adoption. While I don’t agree with some of the more euphoric comments that this one move is the singular event that ushers in mobile payments, it is a big deal…

RetailNOW: The High Cost of POS Security Failures
by Vertical Systems Reseller
Solution providers were given a wake up call about the perils of point-of-sale security breaches, on Monday, at RSPA’s RetailNOW convention. Secret Service Agent Jason Berryhill, a POS fraud specialist, addressed the packed audience and dropped some very serious statistics…


What other interesting content have you come across? Leave a comment below and join the discussion!

Former Director of Service Delivery Turns Attention to Expanding Security Features and Payment Methods

SILVER SPRING, MD (May 30, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, has named Geoffrey Krieg as vice president of product management. Krieg first joined Merchant Link in 2003 as the Director of Service Delivery. He returns to the company after spending four years abroad consulting with major European e-commerce merchants.

“Geoff’s background in the processor and gateway industry, his expertise in e-commerce and alternative payment methods, along with his international experience provides the right leadership and vision for our product development strategy,” shared Dan Lane, President and CEO of Merchant Link.

Krieg brings over 20 years’ experience in the payments sector. A pioneer in working with Independent Sales Organizations (ISOs), Geoff began his career with the Bank of Boulder, as Division Officer responsible for growing the bank’s ISO program. In 1995, Geoff joined four members of the Bank of Boulder’s executive team in launching TransFirst, one of the top acquirers in the United States. Before TransFirst, he also spent time at Visa International and CIAN Systems.

“What differentiates Merchant Link from other payment providers is the extremely stable and flexible transaction environment we deliver to our customers,” said Krieg. “Moving forward we want to continue to offer the security and choice Merchant Link is known for, combined with feature-rich, multi-channel merchant support.”

From the old knuckle busters, to electronic transactions, to mobile wallets. The world of payments today is evolving at breakneck speed, with more change expected over the next few years than in the last few decades combined. At last week’s Electronic Transactions Association Annual Meeting & Expo, the message was loud and clear: keep up, remain versatile, and continue to innovate, or risk getting left behind.

Having attended the ETA show for many years, it’s interesting to experience the shift in focus. We’re not just talking about basic credit card processing anymore. For example, an exciting new wave of data mining is turning transaction data into marketing gold, providing valuable business intelligence for merchants, and a more personalized experience for consumers. It’ll be interesting to see the reaction as more of these programs are rolled out. I suspect merchants will be thrilled, but consumers may be wary given the high volume of marketing messages we are exposed to daily. But as long as these programs remain “opt-in” and provide real and relevant value, the outlook looks good.

As mobile wallets continue to evolve, which some predict will be the payment method of choice by 2020, I imagine we’ll see a shake-out with a select few companies rising to the top. As card types evolved years ago, most merchants came to accept MasterCard, VISA, American Express, Discover and Diner’s Club.  As mobile wallet options evolve, it will be interesting to see which options become standard.

When it comes to transaction security, the focus has shifted from a technical problem to an essential and expected part of doing business. Various methods are still being discussed and debated, and this year many were wondering what EMV would mean for security.

Check out ETA’s conference highlights, photos and video here and we’ll hope to see you at the show in New Orleans next year!

By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February.  Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that to qualify for PCI exemptions, 75 percent of the traffic needs to be EMV transactions.  It only says that the terminal must be EMV and NFC capable.  U.S. payment processors don’t support the standard today, so clearly no merchant would qualify. Obviously this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may have also noted that there are no liability shifts or protections from data breach penalties as there were in the global version of the program.  It seems that Visa knows that this program will not enhance security or prevent fraud, so while merchants may get a temporary reprieve from regulation, they will still be subject to fines and penalties if they are breached.

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll out because I want to use my phone to make purchases at the point-of-sale (POS).  However, I can’t do this with a clear conscience because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away.  While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks.  The EMV message still sends card numbers in the clear — without point-to-point encryption (P2PE) and/or tokenization — so it essentially does nothing to protect data.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud.  According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant.  So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data and someone will ultimately pay the price when a breach occurs.

By Michael Ryan

With just days left before the ghosts and goblins come out to play, we are taking the time to dispel some of the most frightful myths that merchants face today.  Earlier this week, we shed some light on the common myth that EMV will cure all credit card security woes.  We also provided some clarity on a common myth that tokenization and encryption are the same.

Today’s myth is a bit ghostly in that it often flickers and is slowly fading away.

Spooky Myth of the Day: Full card numbers are required for chargeback resolution.

Visa recently published a great document – Visa Best Practices for Primary Account Number Storage and Truncation – which busts this long held card processing myth. Like the best lore, this one is firmly grounded in truth. As the document states in the opening paragraph, “Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes.”

As we’ve said many times, it is critical for merchants to evaluate the information that is stored on their systems and eradicate data that is sensitive and not needed.  Merchants should only store information that is absolutely necessary or else they are making themselves prime targets for hackers seeking to steal data.
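One way to act on that evaluation, as an added example that is not from Visa's document or this blog: scan stored records for full PANs and truncate them in place. The sample log lines are constructed, and keeping the first six and last four digits is an assumption of this sketch based on the commonly used truncation format.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn check, used to cut false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(digits):
    """Keep the first six and last four digits and mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line):
    """Return (clean_line, count) with every Luhn-valid PAN truncated."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # not a card number, leave untouched
        found += 1
        return truncate_pan(digits)

    return CANDIDATE.sub(repl, line), found


# Constructed sample records; the card values are well-known test numbers.
SAMPLE = [
    "chargeback case=1001 card=4111111111111111 amount=42.10",
    "chargeback case=1002 card=5555 5555 5555 4444 amount=9.99",
    "shipment case=1003 order_ref=1234567890123456",
]


def scrub_all(lines=SAMPLE):
    """Scrub every record; return the cleaned lines and total PANs found."""
    results = [scrub(line) for line in lines]
    return [clean for clean, _ in results], sum(n for _, n in results)
```

The truncated records still carry enough digits to match a dispute to a transaction alongside the case number, date and amount, while the full PAN no longer sits in the log.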

It may take some time to completely eradicate this myth but with Visa’s help we are confident the end is near.

Do you have a spooky myth to share? Include it in a comment below.

By Michael Ryan

It’s a frightening time of year with Halloween right around the corner.  To get our readers in the spirit of the holiday, we are dispelling the scariest of myths that impact merchants today and offering a bit of a treat.

Earlier this week, we discussed the battiness of considering EMV as the solution to all credit card security woes.  It is hardly the case, and nothing can really take away from a layered approach to security.   Today, we’ll look at the two technologies that are often layered together but have most merchants uncertain about the differences between the two.

Spooky Myth of the Day: Tokenization and Encryption are interchangeable terms.

With the recent buzz over encryption and tokenization being used to secure cardholder data, the lines sometimes get blurred between the two terms. Thankfully, the PCI Council will publish a guidance document early next year that will provide clarification. Until then, the debate will continue because the definitions can overlap, but for card processing purposes the line can be drawn based on how each may be used.

Here is a simple way to differentiate the two.

Tokenization is the replacement of a data element (such as a credit card number) with another data element, the token. The token is typically assigned randomly, and a mapping of the relationship between the two data elements is stored in a secure environment.

Encryption, on the other hand, is the process of transforming a data element using an algorithm to make it unreadable to anyone except those who possess the decryption key.

With today’s technology, tokenization and encryption can each be incredibly secure on its own. It really comes down to how each may be used for securing cardholder data. Specifically, it is possible to map tokens to a particular card number such that subsequent uses of that card always return the same token. This card-to-token relationship allows merchants to use their cardholder data for analytical purposes, such as understanding a particular consumer’s behavior over time or across channels, as well as for velocity tracking to root out and prevent fraudulent transactions.

The encryption solutions used to protect cardholder data today provide a unique value each time a card is used to prevent reverse engineering of encryption keys and algorithms. It is also impractical for security and storage reasons to house card-to-token mapping at the point of sale.

So the line is best drawn by how tokenization and encryption may be used… and like my fellow blogger recently said, we think they are used best when paired together… like chocolate and peanut butter! Encryption is ideally suited to be used by the point of entry to secure data in-flight while tokens may be used for storage and leveraged for analytics and fraud protection.
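The card-to-token relationship described above, as an added sketch that is not Merchant Link's implementation: a randomly assigned token is returned for every later use of the same card, so velocity tracking can run on tokens alone. The `TokenVault` class, the `tok_` token format, the thresholds and the sample swipes are all constructed for illustration, and the in-memory dictionaries stand in for a protected vault.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class TokenVault:
    """Constructed in-memory stand-in for a vault in a secure environment."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index
        self._by_index = {}  # HMAC(PAN) -> token, so lookups never key on a raw PAN
        self._by_token = {}  # token -> PAN; the mapping the vault must protect

    def tokenize(self, pan):
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx not in self._by_index:
            # Randomly assigned: the token is not derived from the PAN.
            token = "tok_" + secrets.token_hex(12)
            self._by_index[idx] = token
            self._by_token[token] = pan
        return self._by_index[idx]

    def detokenize(self, token):
        return self._by_token[token]


def velocity_alerts(events, limit=3, window=60):
    """Return tokens seen more than `limit` times within `window` seconds."""
    recent = defaultdict(list)
    flagged = set()
    for ts, token in sorted(events):
        recent[token] = [t for t in recent[token] if ts - t < window] + [ts]
        if len(recent[token]) > limit:
            flagged.add(token)
    return flagged


def demo():
    vault = TokenVault()
    # Constructed sample: (seconds, PAN) using well-known test card numbers.
    swipes = [(0, "4111111111111111"), (10, "4111111111111111"),
              (15, "5555555555554444"), (20, "4111111111111111"),
              (30, "4111111111111111")]
    # Downstream systems keep only (time, token); PANs stay in the vault.
    events = [(ts, vault.tokenize(pan)) for ts, pan in swipes]
    return vault, events, velocity_alerts(events)
```

The analytics side never handles a card number: the repeated card is flagged by its token, and only the vault can map that token back.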

Visit us later this week for the next spooky myth.  If you have other myths that you’d like to add, include them in a comment below.

By Michael Ryan

It’s the time of year.  Ghouls and ghosts come out to play making most of us quake in our boots.  Some of us love it, others put up with it just to get the goodies and treats.  So in the spirit of Halloween, I’ve pulled together a list of myths for the week that may have merchants a bit confused.  As a treat, I will address these myths and provide our readers with more insight so that they can put these spooky myths in their graves for good.

Today, we’ll take a look at transaction security.  With the number of breaches that have occurred in the retail industry, this myth should really have you quivering in fear. The last thing any merchant wants to see is their name splashed across a news story pointing to the loss of thousands of customers’ credit card data.

Spooky Myth of the Day: EMV is all the transaction security I will need.

For those of you that don’t know, EMV comes from the letters of Europay, MasterCard and Visa, who are the three companies that developed this card standard for authenticating credit and debit card transactions at point-of-sale (POS) terminals and automated teller machines (ATMs).

When I am talking to merchants, I hear it all the time, “Won’t it be great when we have EMV in the US and my transaction security woes will be over?”  This is often followed by a debate over the time frame in which we’ll see this revolution.

But don’t be fooled by this myth.  The truth is that while several studies have shown how EMV has been effective in preventing fraud at the point of sale in brick and mortar environments, it really only addresses counterfeit card creation and usage.

EMV transactions still transmit sensitive cardholder data in the clear, so EMV does very little to reduce a merchant’s PCI obligations. Merchants processing EMV must still limit data storage and protect data that is stored.  EMV does not eliminate potential fraudulent activity with Mail Order or Telephone Order (MOTO) payment processing or with online transactions.

So while EMV may help us prevent fraud committed with counterfeit cards used at the physical point of sale, the data is not automatically secured in-flight or at rest and may be stolen and used to commit fraud in other ways. It is important to remember as well that the data only needs to be stolen (not used) for a merchant to face significant penalties and damage to their brand.

Don’t let these myths fool you.  Understand the limitations of EMV and ensure that you have a layered security approach that can secure data in-flight and at rest.

Visit us later this week for the next spooky myth.  If you have other myths that you’d like to add, include them in a comment below.