Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ encryption ’


Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

Most Small Merchants Store Unencrypted Card Data
by Ed McKinley
The vast majority of small merchants are still storing unencrypted card data and most don’t even know it, according to statistics compiled by a security vendor.
To make matters worse, the stats improved only minutely over last year, according to SecurityMetrics Inc., the Orem, Utah-based security company………

Organizations Fail to Realize the Implications of a Data Breach
by Help Net Security
New research by the Ponemon Institute revealed that 54 percent of respondents have experienced at least one data breach in the last year, with nearly a fifth (19 percent) experiencing more than four.
Perhaps more worryingly, those that have so far avoided a data breach demonstrated a real lack of awareness of the financial and long-term damage that a breach can have on a company…………….

MasterCard Launches Credit Card With Built-in LCD, Keyboard
by Adario Strange
Facing ever-mounting pressure from the likes of Square, Paypal, Google Wallet, and others, traditional credit card companies like Visa and MasterCard are facing technology-driven challenges unlike any they’ve seen before. And while the Internet appears to be the primary disruptive element powering those new challenges, MasterCard has decided that its strategy for competing with payment service upstarts lies in creating an innovative new card that is fully interactive…….…….

What other interesting content have you come across? Leave a comment below and join the discussion

The retail industry continues to be plagued by point-of-sale attacks, with Barnes & Noble’s announcement on Wednesday that malware had somehow been installed on the PIN pad devices at 63 stores. In their words, “the criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers.” The attack is reminiscent of the Michaels breach last spring, where the thieves swapped out POS devices for compromised terminals that copied and wirelessly transmitted card details as they were swiped or entered.

Meanwhile, Verizon, known for its annual Data Breach Investigations Report, released new analysis this week designed to offer a better understanding of how data breaches occur in various industries, including retail. This snapshot report revealed that franchise stores of larger “parent” retail chains are often the victims of a breach. Franchisee locations don’t always have the in-house resources or technical expertise to manage security properly. Furthermore, “tampering” was ranked as the #1 threat action in the retail industry according to Verizon’s report.

Barnes & Noble is not disclosing any details of the breach, citing an ongoing FBI investigation, so it’s impossible to know exactly what happened and, therefore, what could have prevented it. However, by taking a proactive, layered approach to security, retailers can make themselves a much harder target. Some quick tips:

  • Make sure your point-of-sale terminals are tamper-resistant and tamper-evident, so that a device that has been opened or swapped is noticeable to staff.
  • Make sure firmware updates are authenticated: the terminal should accept only updates signed by its vendor, so that malware cannot be loaded under the guise of an “update.”
  • Make sure you are alerted whenever a terminal is disconnected or goes silent, keep an inventory of which device (by serial number) belongs on which lane, and reconcile it regularly.
  • Utilize strong encryption to protect data in transit, ideally from the moment of swipe or PIN entry, so that card data is never in the clear on the POS.
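As an added illustration of the third tip (this is not code from the original post or from Merchant Link), here is a small Go monitor that reconciles PIN pad heartbeats against a lane inventory: a lane that has gone silent is reported as disconnected, a device reporting a serial number other than the one on record is reported as a possible swap, and a device on a lane that is not in the inventory at all is reported as unknown. The lane names, serial numbers and heartbeat records are constructed sample data; a real deployment would feed the function from whatever status messages the terminals actually emit.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Heartbeat is one status report from a PIN pad: the lane it is cabled to,
// the serial number it reports, and when the report arrived.
type Heartbeat struct {
	Lane   string
	Serial string
	Seen   time.Time
}

// Alert is one finding for an operator to look at.
type Alert struct {
	Lane   string
	Reason string
}

// Inventory is the store's record of which device belongs on which lane.
// Constructed sample data, not real device identifiers.
var Inventory = map[string]string{
	"lane-01": "PP-1001",
	"lane-02": "PP-1002",
	"lane-03": "PP-1003",
}

// CheckTerminals reduces the heartbeats to the latest report per lane and
// compares them with the inventory. A lane silent for longer than maxSilence
// is reported as disconnected, a lane whose device reports a different serial
// number is reported as a possible swap, and a heartbeat from a lane that is
// not in the inventory at all is reported as an unknown device. Alerts come
// back sorted by lane so the output is stable.
func CheckTerminals(inv map[string]string, beats []Heartbeat, now time.Time, maxSilence time.Duration) []Alert {
	latest := make(map[string]Heartbeat)
	for _, b := range beats {
		if cur, ok := latest[b.Lane]; !ok || b.Seen.After(cur.Seen) {
			latest[b.Lane] = b
		}
	}

	lanes := make([]string, 0, len(inv))
	for lane := range inv {
		lanes = append(lanes, lane)
	}
	sort.Strings(lanes)

	var alerts []Alert
	for _, lane := range lanes {
		want := inv[lane]
		b, ok := latest[lane]
		switch {
		case !ok:
			alerts = append(alerts, Alert{lane, "no heartbeat received"})
		case now.Sub(b.Seen) > maxSilence:
			alerts = append(alerts, Alert{lane, fmt.Sprintf("disconnected: last seen %s ago",
				now.Sub(b.Seen).Round(time.Minute))})
		case b.Serial != want:
			alerts = append(alerts, Alert{lane, fmt.Sprintf("serial mismatch: inventory %s, device reports %s (possible swap)",
				want, b.Serial)})
		}
	}

	// Heartbeats from lanes that are not registered at all.
	var unknown []string
	for lane := range latest {
		if _, ok := inv[lane]; !ok {
			unknown = append(unknown, lane)
		}
	}
	sort.Strings(unknown)
	for _, lane := range unknown {
		alerts = append(alerts, Alert{lane, fmt.Sprintf("unknown device %s on a lane not in inventory", latest[lane].Serial)})
	}
	return alerts
}

func main() {
	now := time.Date(2012, 10, 26, 12, 0, 0, 0, time.UTC)
	// Constructed heartbeats: lane-01 healthy, lane-02 now reports a different
	// serial, lane-03 has been quiet for half an hour, lane-04 is not ours.
	beats := []Heartbeat{
		{"lane-01", "PP-1001", now.Add(-1 * time.Minute)},
		{"lane-02", "PP-1002", now.Add(-40 * time.Minute)},
		{"lane-02", "PP-9999", now.Add(-2 * time.Minute)},
		{"lane-03", "PP-1003", now.Add(-30 * time.Minute)},
		{"lane-04", "PP-7777", now.Add(-1 * time.Minute)},
	}
	for _, a := range CheckTerminals(Inventory, beats, now, 5*time.Minute) {
		fmt.Printf("%s: %s\n", a.Lane, a.Reason)
	}
}
```

Run on a schedule (every few minutes is plenty for a store), the serial-mismatch case is the one that catches the Michaels-style swap, and the disconnected case catches the window during which a swap is being performed.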

About 18 years ago, I facilitated a test for a pay-at-the-table application for VeriFone. The system was extremely clunky but way ahead of its time, and only did one thing – process the payment tableside. The handheld devices were heavy and really confused the guests. During a site visit about two weeks later, I noticed most of them were gathering dust on a shelf under the POS system. The servers all agreed that while they definitely received higher tips using the handhelds, it just wasn’t worth the trouble.

Wow, have we come a long way! Now the application that the server can take to the table includes the menu, transmitting orders, payment processing and so much more. The quantum shift in our industry is a movement towards these tablet POS systems. At RSPA’s RetailNOW 2012 show, nearly all of the POS vendors were showcasing – or at least discussing – their tablet applications. Some applications resided solely on the tablet, while others used the device as an order entry point for the main POS server. They take up less space and give a cutting-edge look to the POS system. The look is so sleek that while having lunch during the conference I glanced at an older POS sitting on the counter and remarked that it almost looked “old fashioned” now after seeing all of the tablets.

The one question I have of these systems is “Does it employ encryption at the swipe?” Most of the time the answer is “yes,” which points to another shift in our industry. For a POS system to not include encryption at the swipe seems to me like a dangerous oversight. Combine encryption with tokenization and you’re not only enhancing data security, you’re also shrinking the POS system’s PCI scope considerably: a POS that only ever handles ciphertext and tokens has far fewer requirements to meet, although the terminal itself and the merchant’s compliance obligations don’t disappear. Why wouldn’t a developer go ahead and include both? Unfortunately, some make no mention of it at all.

Mobility is probably the biggest advantage of the tablet-based POS. A server can comfortably walk around the restaurant, transmit orders to the bar, kitchen or service station without ever leaving the floor. An expediter can deliver food without a trip to the workstation. I heard one example of a server ordering appetizers for a table and the dish arriving before completing the rest of the table’s dinner order! QSR locations could use the tablet for guest ordering or “line busting.” All of this translates into faster table turnover and guest satisfaction. A secure credit card transaction can also be run tableside without the guest’s credit card ever “disappearing into the kitchen.” Each application has its own approach, but I have noticed some drawbacks on some of them:

  1. One system seemed to require the guest to include the tip in the original authorization amount, which is very awkward.
  2. Some required the server to carry a printer, which seemed clunky. I trust it is only a matter of time before a truly ergonomic mobile printer is developed.
  3. Some allow the guest to sign the tablet. This facilitates signature capture but requires the server to carry two tablets, so their lifeline to the restaurant isn’t cut while the guest closes out their own ticket.

Cost is where a merchant should really examine what they are getting and the long-term impact. There are some really inexpensive, entry-level systems, but long-term operating costs should be calculated. System developers need to make revenue somewhere. There are tablet applications for less than $50 plus the cost of the tablet and card reader. This would lead me to believe that the revenue will come from a fee built into the payment processing transaction costs. Bundling the fee is a convenient and beneficial model for some, but those with higher traffic could pay much more in the long run. For security purposes, any tablet application that does not include, at a minimum, encryption at the point of swipe should be avoided. The security features may cost extra, but it is just not worth risking a breach.

One more note…two of the POS companies at the RetailNOW Show described open-architecture, cloud-based POS systems. The restaurateur would purchase a low-cost base application and then buy “add on” features from an app store. Innovative developers would then be encouraged to put their applications in the app store to participate in the revenue stream. A novel approach and it will be interesting to see if it catches on.

What are your thoughts on tablets at tables? Let us know by leaving a comment below.

Options to include hosted payment page and encryption

SILVER SPRING, MD (April 16, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, today announced that it is developing an innovative e-commerce solution for merchants to process payments securely in card-not-present environments.

Working closely with industry-leading partners, Merchant Link will offer two options to secure e-commerce transactions and online payments:

  • Hosted Solution: This option will enable a secure process to route sensitive cardholder data directly from the checkout page to the Merchant Link gateway while preserving the look and feel of the merchant website, enabling a seamless user experience.
  • Encrypted Solution: This option will encrypt sensitive cardholder data at the moment of capture and prevent such data from being available to the e-commerce application or merchant.

Both options will significantly improve data security while reducing PCI scope and costs by blocking merchant access to cardholder data, the encryption and decryption environments, and to key management operations.
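The tablet POS discussion above asked for encryption at the swipe combined with tokenization, and the two e-commerce options just described move the same idea to the checkout page. As an added example (this is not Merchant Link’s code and does not describe its gateway), the Go program below models that architecture: the reader or card field encrypts the card number with a key that only the gateway holds, the gateway decrypts it, stores the card number in its own vault and hands back a random token, and the merchant-side receipt has no place to put a card number at all. The key identifier, the token format and the single static AES-256-GCM key per reader are assumptions made for the example; production point-to-point encryption uses per-transaction keys (DUKPT) and hardware key injection, which the example does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// EncryptedCapture is all that leaves the reader (or the browser-side card field): no PAN.
type EncryptedCapture struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the PAN, with KeyID bound as associated data
}

// Receipt is everything the merchant keeps. There is no field for a PAN.
type Receipt struct {
	Token  string
	Last4  string
	Amount int // cents
}

// Gateway is the provider's environment: sole holder of reader keys and the token vault.
type Gateway struct {
	Keys  map[string][]byte // keyID -> AES-256 key injected into that reader (assumed scheme)
	Vault map[string]string // token -> PAN; the "separate server" the posts above describe
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtSwipe is the reader's job: encrypt the moment the card is read, so the POS
// only ever sees ciphertext. Assumption: one static key per reader (real P2PE uses DUKPT).
func EncryptAtSwipe(keyID string, key []byte, pan string) (EncryptedCapture, error) {
	if len(pan) < 12 || len(pan) > 19 {
		return EncryptedCapture{}, fmt.Errorf("PAN length %d out of range", len(pan))
	}
	aead, err := newGCM(key)
	if err != nil {
		return EncryptedCapture{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCapture{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(keyID))
	return EncryptedCapture{keyID, nonce, ct}, nil
}

// Tokenize decrypts a capture and swaps the PAN for a random token. Any change to
// ciphertext, nonce or key ID fails GCM authentication and the capture is rejected.
func (g *Gateway) Tokenize(c EncryptedCapture) (token, last4 string, err error) {
	key, ok := g.Keys[c.KeyID]
	if !ok {
		return "", "", fmt.Errorf("unknown key id %q", c.KeyID)
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	pan, err := aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.KeyID))
	if err != nil {
		return "", "", fmt.Errorf("decryption failed: capture altered or wrong key")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(raw) // random token: not derivable from the PAN
	g.Vault[token] = string(pan)
	return token, string(pan[len(pan)-4:]), nil
}

// Checkout is the merchant side: forward the capture, keep only what comes back.
func Checkout(gw *Gateway, c EncryptedCapture, amountCents int) (Receipt, error) {
	token, last4, err := gw.Tokenize(c)
	if err != nil {
		return Receipt{}, err
	}
	return Receipt{token, last4, amountCents}, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // stands in for key injection at a secure facility
	gw := &Gateway{Keys: map[string][]byte{"reader-01": key}, Vault: map[string]string{}}
	enc, _ := EncryptAtSwipe("reader-01", key, "4111111111111111") // standard test PAN
	rcpt, _ := Checkout(gw, enc, 4250)
	enc.Ciphertext[0] ^= 0x01 // tamper in transit: GCM rejects it
	_, _, tampered := gw.Tokenize(enc)
	fmt.Printf("merchant holds %+v; vault has %d PAN; tampered: %v\n", rcpt, len(gw.Vault), tampered)
}
```

The scope reduction the press release describes falls out of the types: the merchant’s systems only ever hold an EncryptedCapture, which they cannot open, and a Receipt, which cannot carry a card number. A refund or later charge is made by sending the token back to the gateway, so the vault lookup never has to leave the provider’s side.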

“This offering reflects our ongoing commitment to expand the breadth and depth of our services to provide merchants with all the options, security, support and flexibility they need when it comes to payments,” said Dan Lane, Merchant Link’s President and CEO.

The new solution is expected to be available by the end of the year.

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology. Recent attacks on the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) and a phone lock screen, which the company says provides a higher level of security than most credit cards have today. However, this past month two publicly demonstrated attacks showed that the PIN could be recovered or bypassed on a phone in an attacker’s hands. In response, Google temporarily suspended provisioning of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers, and this is where you should always strive to be.

For more information about Voltage Security visit www.voltage.com or follow them on Twitter at www.twitter.com/voltagesecurity.

Immediately following the New Year, you probably noticed a few changes. The gym parking lot was jam-packed. Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again. People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy, and the commercials for diet plans and fitness products have reverted to ads for fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to keep customer data safe, hoteliers need to evaluate end-to-end security solutions that protect customers’ sensitive data both in transit and at rest. Today’s cloud-based tokenization and encryption services help hoteliers meet PCI requirements, and go beyond them, by removing cardholder data from the hotel’s own network.

These solutions encrypt card data as it is captured, replace it with a token, and keep the real card data in the provider’s vault, off the hotel’s network. Hotel patrons can rest easy because even if the hotel’s systems are compromised, the tokens are useless to data thieves: nothing on the hotel’s network can turn a token back into a card number.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of a data breach is perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

  • Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

  • Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

  • Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

  • Customers Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

  • Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

  • Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer.   Fortunately, customer credit card numbers were not compromised because they were stored on a separate server.   And, as our SecurityCents readers know we always urge merchants to securely store all necessary payment data in a server outside of their network.

  • Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

  • Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry. See you all back at the Javits Center next year!

By Beth McGarrity

This week kicks off NRF 2012, one of the largest shows for retailers, where new technologies, solutions and offerings are announced all week long.  In fact, we just announced a new integrated solution for Columbia Sportswear to secure payment transactions across 54 retail locations.  So, when I was scanning headlines today, I was surprised to see that Zappos.com was in the headlines, but not in a positive way.  The major online retailer had fallen prey to data thieves.

Yet, as I continued reading, a statement caught my eye –

Zappos said that hackers gained access to customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Bravo! Well done. In most of the big retail breaches that we’ve blogged about here, our main message has been to remove sensitive card data from the network.  Most retailers continue to leave information on their servers that contain payment card details, and often this information is forgotten.  So when a hacker gets into the network, they hit a gold mine.

While Zappos is still a victim of a hack, they stored all payment details on a separate server and therefore were able to contain the impact to their customers. Whenever we have discussions with merchants, we often make the recommendation that they securely store all necessary payment data in a server outside of their network, so that it cannot be accessed by a thief who breaks in. It also reduces a retailer’s cardholder data environment, which eases the burden of PCI compliance.

Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected.   PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle.  And, for those organizations who are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.