Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘encryption’

These days, merchants are being told they can save money by using a client-to-processor connection or “direct driver” vs. a hosted payment gateway in the cloud. Are these claims really true? What do merchants stand to lose by sending transaction data directly from their point-of-sale system to a processor?

A hosted payment gateway facilitates the secure transfer of information between a point of payment (your POS) and the payment processor or bank. The gateway acts as a translator, traffic cop and bodyguard – interpreting and directing data streams through a secure route to the appropriate destination, quickly and accurately.

Merchants considering both options should keep in mind:

  1. Choice: A gateway connects merchants to a variety of processors and often offers the flexibility to switch payment providers quickly and efficiently, enabling a merchant to best manage its payment acceptance fees. Merchants with franchisees can offer them a choice of processors and maintain a secure and consistent payment acceptance process across their brand. Merchants can also use the gateway to route different card types to specified hosts, saving money by reducing processor switching fees. A quality gateway assures that a merchant is not locked into a particular processor’s technology that is hard to “unravel” if they decide to change.
  2. Support: A quality gateway provider has the unique ability to track down and efficiently resolve problems no matter where an issue occurs within the life cycle of a transaction, saving merchants time and money by eliminating “finger pointing” between POS providers and payment processors. The more complex the merchant environment, the more a gateway is needed. A gateway can help a merchant quickly resolve payment hassles and get back to managing their business.
  3. Cost: While most gateway providers charge a subscription or per-transaction fee, merchants should take into account the ongoing investment they will have to make in new software and/or POS upgrades when considering a client-to-processor connection. The merchant is then locked into technology that will soon be dated. In contrast, a cloud-based payment gateway is easily implemented and maintained. Configuration changes are usually performed at the gateway without interrupting business at the site when software and payment scheme updates are required.

Savvy business owners know that the only way to separate claims from reality and determine what’s best for their business is to educate themselves, talk to other merchants who are utilizing similar solutions, and ask a whole lot of questions. Check out this informative presentation and let us know what you think by leaving a comment below.

The Value of a Payment Gateway

By Michael Ryan

While many of us were sitting on the couch, fighting our food-induced comas during the Thanksgiving holiday, merchants were scrambling to prepare for an onslaught of customers that were eager to take advantage of Black Friday deals.

Black Friday, which seems to start earlier and earlier each year, not only marks the busiest time of the year for merchants, but also predicts shopping trends, consumer confidence and the state of the economy for the coming year.

And this year’s Black Friday was in no way a disappointment. Shoppers showed up in droves and spent a record amount of money over the weekend. Black Friday spending this year was up 16% from the $45 billion consumers spent last year, according to a recently released survey by the National Retail Federation.

And that sales momentum continued into Cyber Monday, as many shoppers took to retailers’ sites looking for the best deals. Eight in ten retailers were prepared, offering special promotions to please these online shoppers.

Even more interesting is the number of shoppers that relied on their smartphones and other mobile devices to shop online. Compared to last year, the number of mobile users shopping online doubled.

And we don’t doubt that all these numbers are real. We saw it in our own operations. For example, our retail transaction volume for one of our large retail chain clients was a whopping 44% higher on Black Friday this year as compared to last year, and 38% higher on Cyber Monday.

In light of the retailers’ success, both in stores and online, it is important to stress that consumer confidence drives continued sales and brand trust. During the busiest shopping season of the year, retailers cannot afford to suffer a data breach and leaked consumer credit card information.

Now, more than ever, retailers must be diligent, which is why we’ve developed these three simple tips for merchants to keep in mind:

  • Know the network. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • If it is not needed, remove it. Many retailers keep cardholder data on the system even when it is not necessary. Nothing is more exciting to potential attackers than hitting the jackpot of payment information.
  • It’s not just technology, it’s people and processes. Merchants must educate and train staff to understand network security issues. Yes, the IT department must be aware, but it is just as important for cashiers to understand the risks and be trained to spot suspicious activity.

Retailers have a lot on their plate as they strive to hit their numbers during this holiday shopping season, but security shouldn’t be a leftover thought. A breach can not only cost retailers millions of dollars but also hurt consumers’ confidence and trust in the retailer’s brand. With such a significant impact, can the retail industry afford not to unwrap some extra security this holiday season?

We are coming to the end of the year, when everyone takes a look back and reflects on the past 12 months and tries to determine the trends that will impact the coming year. Many industries are facing a sobering outlook for 2012 and looking to do more with less.

The hospitality sector in particular has struggled with the economic downturn the past few years. Steve Short, president of NetLink Resource Group, says that it is still possible for hospitality executives to achieve their goals by investing in smart IT projects to drive business growth.

By smart, I assume he means that these IT projects should help the company meet business objectives while simultaneously saving the company money. My guess is that many will look to implement cloud solutions that require less management and maintenance.

But specifically, the hospitality sector should focus on investment in projects that secure their sensitive customer data and by extension, their brand reputation. The potential return on investment includes simplified PCI compliance. Technology solutions such as point-to-point encryption and tokenization have been reviewed by the PCI Council, resulting in documents that guide executives on how to properly implement these solutions.

As budgets decrease and the focus on ROI increases, making sense of the dollars and cents is more challenging than ever. But given the cost of compliance, and the cost of a potential data breach, the hospitality sector should seriously consider and measure the ROI of protecting their data.

To read more from Steve Short and his predictions, check out his blog on HTFP Connect.

We have always highlighted how the damage experienced after a data breach can have lasting negative effects on brand equity and reputation. A recent survey of nearly 850 executives, conducted by the Ponemon Institute, reinforced this by reporting that the average time it takes to restore an organization’s reputation after a breach is one year.

Following is a podcast from the ITAC blog in which Dr. Larry Ponemon discusses this study and what companies can do to best protect their reputations after a breach.


The top executives of retail companies have a list of business functions, products and services that they’ve been told they “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves, provided the encryption keys and the token vault live outside the merchant’s own environment.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions. By asking these questions first, it will be easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fall back scenario?
  8. Where is the HSM located in the solution? Where is the data decrypted exactly?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the solution tamper resistant? What happens if an attempted breach occurs?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

By Troy Mechura

Many merchants assume that PCI compliance is a laborious effort and that all the new technologies on which the PCI Council offers guidance add another layer of complexity.

Merchants who believe that compliance is a monstrous effort are overwhelmed by the process. It doesn’t have to be so daunting if you think of compliance with a long-term view.

Just think of what happens when you haven’t cleaned your house in months. When you begin the process, it seems like you will never finish. But if you clean your house, room by room, every week, it is a much simpler process. The same principle applies to compliance.

Merchants need to embrace the fact that compliance is now part of a routine to safeguard the network and critical assets. Evaluate the network, identify the cardholder data that is stored and clean house, making sure that any data that is old and no longer needed is removed. Implementing best practices, including vulnerability scanning, assessments and regular PCI checks and balances, will help simplify compliance.

The fact is that the PCI Council is working with the vendor community to identify technologies that simplify compliance and properly secure the cardholder data environment, making it easier for merchants to protect data. They have also built in longer timelines for notification and implementation of new rules.

Recently, the Council released tokenization guidelines and additional guidance on virtualization and point-to-point encryption. These technologies allow merchants to get a handle on securing sensitive data and, in some cases, even reduce the scope of PCI compliance. Tokenization, for example, can reduce PCI scope because the card number is replaced by a token and the card number itself is removed from the merchant’s network entirely. It helps merchants clean house on a regular basis.

As one of the members that contributed to the tokenization guidance, we understand the need for merchants to minimize risk. In fact, at Merchant Link we remove data completely and use multiple layers of authentication to ensure that transaction requests can only be accessed by someone who is authorized. But more than that, we urge merchants to use a multi-layered approach.
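The advice in this post (identify the cardholder data that is stored and clean house), the Black Friday tips earlier on this page (know where cardholder data is stored; if it is not needed, remove it) and the earlier remark that tokenized data is useless to thieves all describe the same two steps. The stand-alone Python script below is an added example, not code from Merchant Link or the PCI Council, and it goes beyond the text by doing both steps end to end: a Luhn-filtered PAN scanner runs over a constructed POS log, a minimal provider-side token vault replaces each card number with a random token that keeps only the last four digits, and the scanner runs again and finds nothing. The log lines, the vault's in-memory dict, the `settlement-host` caller name, the blind-index key and the choice to make tokens Luhn-invalid are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import string

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every real card number passes, most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled and digit-summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines) -> list:
    """(line number, masked PAN) for every Luhn-valid PAN found; full PANs never leave here."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, mask(digits)))
    return hits

class TokenVault:
    """Provider-side vault, the only place a PAN exists once the merchant is tokenized."""
    # Assumption: the PAN store is a dict. A real vault encrypts it under keys held
    # in an HSM that sits outside the merchant's environment.

    def __init__(self, index_key: bytes, authorized_callers):
        self._index_key = index_key        # blind-index key; never leaves the provider
        self._authorized = set(authorized_callers)
        self._token_by_index = {}          # HMAC(PAN) -> token, so a repeat PAN reuses its token
        self._pan_by_token = {}            # token -> PAN

    def _new_token(self, pan: str) -> str:
        # Same length and last four as the PAN (receipts keep working), random elsewhere,
        # and deliberately Luhn-invalid so a token can never pass as a card number.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx not in self._token_by_index:
            self._token_by_index[idx] = self._new_token(pan)
            self._pan_by_token[self._token_by_index[idx]] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str, caller: str) -> str:
        """Only an authorized caller (here the assumed 'settlement-host') gets a PAN back."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def tokenize_records(lines, vault: TokenVault) -> list:
    """Rewrite the merchant's records with every PAN replaced by its token."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return [PAN_CANDIDATE.sub(swap, line) for line in lines]

def can_detokenize(vault: TokenVault, token: str, caller: str) -> bool:
    """True only if `caller` is allowed to turn the token back into a PAN."""
    try:
        vault.detokenize(token, caller)
        return True
    except PermissionError:
        return False

# Constructed sample of a POS log (public test card numbers only, never real PANs).
SAMPLE_RECORDS = [
    "2011-11-25 09:14:02 POS01 SALE amount=42.17 pan=4111111111111111 auth=OK",
    "2011-11-25 09:14:03 POS01 SALE amount=12.00 pan=411111******1111 auth=OK",
    "2011-11-25 09:15:41 POS02 order=1234567890123456 phone=3015551212",
    "2011-11-25 09:16:09 POS02 SALE amount=99.99 pan=5555-5555-5555-4444 auth=OK",
    "2011-11-25 09:17:30 POS03 SALE amount=7.50 pan=378282246310005 auth=DECLINED",
    "2011-11-25 09:18:00 POS03 REFUND amount=42.17 pan=4111111111111111 auth=OK",
]

def run_demo():
    """Scan, tokenize, scan again: the merchant side ends up holding no PAN at all."""
    vault = TokenVault(secrets.token_bytes(32), {"settlement-host"})
    before = scan_lines(SAMPLE_RECORDS)
    tokenized = tokenize_records(SAMPLE_RECORDS, vault)
    return vault, before, tokenized, scan_lines(tokenized)

if __name__ == "__main__":
    _, before, tokenized, after = run_demo()
    print("PANs before tokenization:", before, "\nPANs after tokenization:", after)
```

Running it shows four PANs on the raw log (the already-masked line, the 16-digit order number, which fails Luhn, and the phone number are correctly ignored), the same token reused for the sale and its refund, and no PAN left after tokenization. Anyone who walks off with the merchant's log gets tokens that only the vault, with an authorized caller, can turn back into card numbers. In practice the scanner would walk file shares, database exports and backups rather than a list, and the vault's PAN store would be encrypted under HSM-held keys.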

By combining best practices, new technology solutions and a routine for PCI compliance, the monstrous load of work is no longer so complex, and there is less of it for the merchant.

For more helpful tips on reducing the burden of PCI, visit the PCI Council’s website for training and education.

Chartered as a working group of Hotel Technology Next Generation (HTNG), at least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data – this includes dramatically improving the security of credit card processing by and for hotels while significantly reducing overall costs.

Following is an exclusive podcast with Douglas C. Rice, Executive Vice President and CEO, Hotel Technology Next Generation (HTNG), who discusses this new working group.

If you’re like me, you spend time during your daily commute at the local Starbucks, standing in line, waiting for your caffeine fix. As you eagerly await your turn in line, reciting your order repeatedly in your mind to ensure you don’t mess it up, you see individuals approach the register and pay for their cappuccinos, coffees, espressos and other concoctions with…their cellphones?

The scenario of a barista scanning a mobile device and account information being transferred through a point-of-sale system raises some red flags in the minds of consumers. Yet studies by credit card giants such as MasterCard show that customers aren’t so averse to the increased adoption of mobile payments.

In fact, results of a recent study they conducted showed that 62 percent of Americans with cell phones would welcome paying for purchases with a mobile device. It really becomes a psychology issue rather than a pure technology issue. Does the convenience of the purchase outweigh the security concerns in their minds?

With that in mind, younger generations are more likely to embrace mobile payments and feel more comfortable without a wallet than without a mobile device. That could mean that mobile payments and a society without cash are clearly around the corner. Right?

Well, not completely. The customer is only one half of the equation for mobile payment adoption. The other half is the merchant, and right now, merchants are simply not seeing the potential return on their mobile payment investment. That’s because the switch to mobile payments involves much more than just training your staff to add “cell phone” to the list of ways customers can cover their tab.

To embrace mobile payments, a merchant’s point of sale, payment processing, and device management systems need to be overhauled. Most importantly, additional security concerns need to be addressed.

With advanced tokenization and encryption solutions being embraced by merchants, the customer’s invaluable credit card information can be protected from the time of the card swipe through the rest of the transaction lifecycle.

Most of us in the industry understand that the movement to secure mobile payments is only in the beginning stages and that solutions are in development to secure these types of transactions in the future. However, until merchants see enough benefit in embracing mobile devices as forms of payment to cover their investment in upgrades to their point of sale, payment processing and security systems, a cashless society could remain simply a pipe dream.

By Beth McGarrity

Now in its eighth year, October is known for its annual National Cyber Security Awareness Month, which is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance (NCSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Each year, there is a theme which strives to educate and drive awareness of cyber security issues. What I like about this year’s theme is that it demonstrates the responsibility that each individual has when it comes to cyber security.

With the theme of “Our Shared Responsibility,” it doesn’t matter if you are the merchant, the employee, the vendor or the home user; we all play a serious role in securing online environments.

In an effort to share in this responsibility, our blog will focus this month on education across the ecosystem. It goes beyond understanding specific technology solutions to understanding the psychology behind user actions and unveiling common myths about security standards and solutions, so that users can stay safe online and shore up cyber security efforts.

If there is a topic that you’d like to see from us on the blog, please drop us a comment below. Or if you’d like to guest blog for us this month, let us know and we’ll provide you with our editorial guidelines.