Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ End to End Encryption ’

With more than 25,000 guests visiting each month, Fantasy Springs Resort Casino, owned by the Cabazon Band of Mission Indians, is known for providing luxurious accommodations, the finest cuisine, exciting entertainment, and a world-class casino.

Fantasy Springs is also on the cutting edge when it comes to payments and transaction security. Following is an exclusive podcast with Don Lindsey, Fantasy Springs Resort Casino’s Director of Information Technology, who discusses transaction security trends and the casino’s use of tokenization.

By Mike Ryan

A new report from Javelin Strategy & Research on tokenization and end-to-end encryption was released last month. The report offers a lot of useful insight into tokenization, though the way it defines card-based tokens differs from the way Merchant Link defines them, and the difference is worth noting. From the report:

Using tokenization per transaction: If a customer uses card A at store A and then walks across the street and uses the same card at store B, the two transactions will have different results. It is also true that if the customer uses card A in store A and then returns a few minutes later and has another transaction at the same POS terminal with the same card, the customer will have two different encryption results.

Using tokenization per card: If a customer uses card A at store A and then walks across the street and uses the same card at store B, the two transactions will have the same results. It is also true that if the customer uses card A in store A and then returns a few minutes later and has another transaction at the same POS terminal with the same card, the customer will have the same tokenization results.

Card-based solutions do not necessarily return the same token across merchants. Merchant Link’s tokenization solution, TransactionVault™, returns the same token for the same card over time, but only within a given chain. So in the example above, the token returned for card A will be the same each time at merchant A, while card A will be given a different, unrelated token at merchant B.
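The two behaviours described above, a per-transaction vault and a per-card vault whose tokens are scoped to one chain, can be sketched in a few dozen lines. This is an added example, not Merchant Link code and not how TransactionVault is implemented; the token format (random digits, the card’s last four preserved, and the result forced to fail the Luhn check so it can never be mistaken for a live card number) is an assumption of the sketch, as are the chain names and the constructed test card number.

```python
"""Chain-scoped card-based tokenization, sketched to mirror the post's description.

Added example, not Merchant Link code. Token format and chain names are assumptions.
"""
import secrets
from typing import Dict, Tuple

DIGITS = "0123456789"


def luhn_sum(number: str) -> int:
    """Luhn weighted digit sum; a real PAN has luhn_sum(pan) % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def is_pan(number: str) -> bool:
    """Well-formed primary account number: 13-19 digits that pass Luhn."""
    return number.isdigit() and 13 <= len(number) <= 19 and luhn_sum(number) % 10 == 0


class TokenVault:
    """Vault mapping (chain, PAN) to a token and back.

    mode="card":        the same PAN gets the same token every time within one
                        chain, and an unrelated token in any other chain.
    mode="transaction": every call mints a fresh token, even for the same card
                        at the same terminal minutes later.
    """

    def __init__(self, mode: str = "card") -> None:
        if mode not in ("card", "transaction"):
            raise ValueError("mode must be 'card' or 'transaction'")
        self.mode = mode
        self._token_of: Dict[Tuple[str, str], str] = {}  # (chain, pan)   -> token
        self._pan_of: Dict[Tuple[str, str], str] = {}    # (chain, token) -> pan

    def _mint(self, chain: str, pan: str) -> str:
        """Draw a random token; nothing relates it to the PAN, so only this vault can reverse it."""
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four for receipts and order lookups
            if token == pan or luhn_sum(token) % 10 == 0:
                continue  # never hand out something that could pass as a live PAN
            if (chain, token) in self._pan_of:
                continue  # collision inside this chain; redraw
            self._pan_of[(chain, token)] = pan
            return token

    def tokenize(self, chain: str, pan: str) -> str:
        if not is_pan(pan):
            raise ValueError("not a well-formed PAN")
        if self.mode == "transaction":
            return self._mint(chain, pan)
        key = (chain, pan)
        if key not in self._token_of:
            self._token_of[key] = self._mint(chain, pan)
        return self._token_of[key]

    def detokenize(self, chain: str, token: str) -> str:
        """Only the vault can go back, and only for the chain the token was issued to."""
        try:
            return self._pan_of[(chain, token)]
        except KeyError:
            raise KeyError("token not issued to this chain") from None


def javelin_scenario() -> Dict[str, bool]:
    """Card A at store A, across the street at store B (another chain), then back at the same terminal."""
    card_a = "4111111111111111"  # constructed test PAN (passes Luhn)
    by_card, by_txn = TokenVault("card"), TokenVault("transaction")
    t_store_a = by_card.tokenize("chainA", card_a)
    t_store_b = by_card.tokenize("chainB", card_a)
    t_again = by_card.tokenize("chainA", card_a)
    try:
        by_card.detokenize("chainB", t_store_a)
        cross_chain_blocked = False
    except KeyError:
        cross_chain_blocked = True
    return {
        "same_chain_same_token": t_store_a == t_again,
        "other_chain_other_token": t_store_a != t_store_b,
        "cross_chain_redeem_blocked": cross_chain_blocked,
        "per_transaction_differs": by_txn.tokenize("chainA", card_a) != by_txn.tokenize("chainA", card_a),
    }


if __name__ == "__main__":
    for name, ok in javelin_scenario().items():
        print(f"{name}: {ok}")
```

The chain identifier is part of the vault key in both directions, which is what keeps a token issued to one chain from being redeemed by another; the per-card mode still supports receipt lookups because the same card maps to the same token within the chain.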

Card-based tokens provide several advantages over transaction-based tokens, including order-history lookup by card number when a customer has misplaced a receipt. That lookup is a very common practice for most retailers today but is difficult with transaction-based tokens, since each visit by the same card produces a different value. Card-based tokens also let merchants run analytics across a customer’s transactions, to monitor for fraud or for marketing purposes, without keeping the card number itself.

We find that our customers are leery of card-based tokenization when tokens are shared outside of a chain, especially if tokens may be reused for subsequent authorizations or refunds. The potential for fraud in those situations is higher, which is why Merchant Link’s solution uses card-based tokens but only within a “chain.” A chain may be defined in numerous ways: it can include multiple brands under one corporate parent, or exclude franchisors, depending on business and security requirements.

The debate between card-based and transaction-based tokens will continue. As Javelin points out, card-based tokens that are shared across chains could be problematic, because a token that another merchant can redeem for an authorization or refund is worth nearly as much to a thief as the card number it stands for. However, if tokens are only used within a chain, those concerns quickly fade, and the advantages gained in data usability make card-based solutions very attractive for retailers.

By Sue Zloth

You like potato and I like potahto, you like tomato and I like tomahto;
Potato, potahto, tomato, tomahto! Let’s call the whole thing off!

When it comes to the security industry, one thing is certain: there is a whole alphabet soup of acronyms used to talk about technology, and people often use different names for the same technology.

This issue was brought into sharp relief recently when the PCI Council released its first guidance document on Point-to-Point Encryption. At first I was a little mystified: had there been some significant change in the types of technology the payment card industry was using? As it turns out, the PCI Council had simply created an alternate name for End-to-End Encryption, a term that has been pretty well agreed upon by the payment card industry for some time now. In fact, at Merchant Link we’ve always used End-to-End, and we recently announced our E2EE solution.

While industry shorthand has certainly shaped our conversations and product naming, the term End-to-End Encryption is, if one were to dig deep, not technically correct. End-to-End would mean the card data stays encrypted all the way from the point of swipe, through the gateway, up to the processor, out through the card networks and on to the issuer. The leg past the processor is the part that is still a pipe dream; it may happen in the future, just not any time soon. What today’s products actually protect is the span between two defined points, with the data decrypted again somewhere before the processor hands it on.

The PCI Council’s key argument for the new term was to redefine the cardholder data environment: to make clear which points are protected and which are not, and therefore what is in scope. This clarification was needed.

So, despite some initial hesitation, and despite some other vendors’ insistence that their products really do secure the end points, the PCI Council’s guidance on calling these technologies Point-to-Point is well taken. The new naming convention allows for greater flexibility in what we currently identify as points and what we might include in the future.

So, having considered the accuracy of the terminology and accepted that the PCI Council has already taken a stand on what to call it, we’ve decided to make a change. Merchant Link will now change from E2EE to P2PE to ensure consistency with industry norms and with guiding principles we agree with.

By Sue Zloth

The Merchant Link team is back in the office today after a great few days at the PCI Community Meeting in Orlando. It was fantastic to catch up with our customers, prospects, and partners on the show floor, and my mind is busy mulling over what I learned in the sessions about the upcoming changes to the PCI standard.

What struck me most about this year’s show was how attendance has grown for the meeting; this year, there were more than 1000 participants. From this level of participation it is clear that organizations are taking their PCI obligations very seriously. The increased participation also changes the nature of the meeting from a niche event to one with a lot of networking opportunities and avenues for discussion. I believe it demonstrates a maturity in the industry.

However, I also think the overwhelming attendance hints at how eager people are for clarification of the standard and for any additional information. While there was still a lot of ‘wait and see’ at the meeting itself, the PCI SSC has demonstrated a clear commitment to providing additional guidance with the announcement of guidance documents on End-to-End Encryption and Tokenization and a revamped, easier-to-use website.

The guidelines will be released on October 5th and will clarify how a properly implemented End-to-End Encryption (E2EE) solution simplifies the PCI compliance process by reducing scope.

But now that this meeting is over, the hard work of making sure that good security practices guide every decision continues. I’m looking forward to getting back to working with our customers as they implement Merchant Link’s TransactionVault® and End-to-End Encryption solutions, and to continuing my work on the PCI Scoping SIG for Tokenization.

By Tim Kinsella

When Visa released its suggested best practices for tokenization on July 16th, those of us in the industry knew it was just the beginning of a much broader debate on what the guidelines meant and whether they really were best practices.

Merchant Link’s stance is very clear: while Visa’s best practices are a good start and we laud their endorsement of tokenization, there is more to be done. Just what needs to be done and how it needs to happen should be a source of great debate among not only solution providers, but also merchants.

Ericka Chickowski has certainly added to the debate in her recent piece in Dark Reading where she offers four best practices for tokenization. Her suggestions focus on:

1. Generating random tokens
2. Engaging a third-party provider to build a robust solution
3. Ensuring that the tokenization server is PCI-compliant
4. Creating a multifaceted solution – one which includes both tokenization and encryption

What do you think? Leave us a comment with your insights.

Originally featured on Tnooz

Day Four: Protecting data at rest and data in motion – Tokenization and encryption


As you may have noticed, Visa recently came out with guidelines for tokenization, after having already established guidelines for point-to-point encryption solutions.

Most believe that this latest guidance is indicative of what we will be seeing in the future from the PCI Security Standards Council.

Both tokenization and encryption are needed to protect credit card information at rest as well as in transit.

But first, we must understand how each technology works.

Tokenization is the replacement of a data element (such as a credit card number) with another data element which serves as a reference to the original.

This replacement data element is also known as a token.

This token, or reference number, is stored in a hotel’s computer systems instead of the real credit card number, so that if someone steals it, all they end up with is a non-actionable token that has no value outside the vault that issued it.

The value of a token is that it cannot be decrypted, derived, cracked, or reverse engineered to discover the original value, provided the token is generated randomly and the vault that maps it back to the card number is itself protected.

Encryption, on the other hand, is the process of transforming a data element with an algorithm so that it is unreadable to anyone who does not possess the decryption key.

While both have their place, tokenization is more effective at removing card data from a merchant’s systems: encrypted data is only as secure as the strength of the algorithm and the key management practices around it, whereas a token contains nothing to decrypt.

The best security strategy is a layered one in which merchants employ both tokenization (to secure data at rest) and encryption (to secure data in flight).
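The claim above that a token cannot be derived or cracked is only true of tokens that are random, which is worth seeing concretely: a value computed from the card number, such as a hash, looks just as opaque on disk but can be recovered. This is an added example, not code from the original post; it assumes a 16-digit card number whose first six digits (the BIN) and last four (printed on receipts) are known to the attacker, a leaked SHA-256 of the number as the would-be “token”, and a constructed test card number.

```python
"""Why a hash of the card number is not a token: a derivable 'token' can be cracked.

Added example, not from the original post. Assumes a 16-digit PAN with known
first six (BIN) and last four digits; the leaked value is SHA-256 of the PAN.
"""
import hashlib
import secrets
from typing import Optional

DIGITS = "0123456789"


def luhn_sum(number: str) -> int:
    """Luhn weighted digit sum; a real PAN has luhn_sum(pan) % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def hashed_pan(pan: str, salt: bytes = b"") -> str:
    """The weak scheme: a deterministic function of the PAN and a salt stored next to the data."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def vault_token(pan: str) -> str:
    """The real thing: random digits recorded in a vault; there is no function of the PAN to attack."""
    return "".join(secrets.choice(DIGITS) for _ in range(16))


def crack_hashed_pan(leaked: str, bin6: str, last4: str, salt: bytes = b"") -> Optional[str]:
    """Recover a 16-digit PAN from its hash, or None if the hash matches no candidate.

    Only the six middle digits are unknown, and the Luhn check fixes one of them
    once the other fifteen are chosen, so the search is 10**5 candidates, not 10**6.
    """
    for head in range(100_000):
        with_placeholder = f"{bin6}{head:05d}0{last4}"  # a 0 stands in for the 12th digit
        # The 12th digit is at offset 4 from the right (even), so it enters the Luhn
        # sum unweighted; choose it to make the total a multiple of 10.
        fix = (-luhn_sum(with_placeholder)) % 10
        candidate = with_placeholder[:11] + str(fix) + last4
        if hashed_pan(candidate, salt) == leaked:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    salt = b"merchant-42"     # a per-merchant salt stored alongside the hashes
    leaked = hashed_pan(pan, salt)
    print("hashed PAN recovered:", crack_hashed_pan(leaked, pan[:6], pan[-4:], salt) == pan)
    print("vault token:", vault_token(pan), "(no recovery path without the vault)")
```

A keyed hash (HMAC) closes this particular search only while its key stays secret, which puts it in the same position as encryption: its safety depends on the algorithm and on key management, exactly the dependency the post contrasts tokenization against. A vault token carries no such dependency because there is no computation linking it to the card number at all.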

By using both technologies, hotel operators and other merchants can reduce the scope of their PCI compliance audits, because full card numbers never come to rest on internal systems.

Originally featured on Tnooz

Day Three: On the horizon… What’s next for PCI DSS?

Recently, Visa, one of the founding members of the PCI Council, made headlines by developing global industry best practices for tokenization.

This guidance was provided to merchants, vendors, and service providers in an effort to promote safe merchant environments.

Tokenization is the process through which a credit card’s primary account number is replaced by a proxy, with no mathematical relationship back to the original number.

By replacing the account number, merchants and processors limit the sensitive data stored on their systems, significantly reducing the risk that it could be stolen by hackers.

Could this guidance be a preview to what is on the horizon for PCI DSS?

We hope so.

The PCI Council continues to work on developing guidelines that will help merchants eliminate sensitive card data from payment systems in order to simplify data security and compliance efforts.

While we hear a great deal about the threats to consumer credit card security, we don’t hear that much about the issues facing merchants, just criticism and finger pointing when they suffer a breach.

At Merchant Link we understand how complicated it is for merchants to navigate their way through the payment processing system to ensure the safety and security of their customers’ personal information.

Our CTO, Dan Lane, spends a lot of time thinking about these problems and devising solutions for merchants who are confronted with a lack of resources and too many vendors touting too many products.

In the video below Dan outlines his top tips and suggestions for merchants looking to protect their brand and their customers against ever-evolving threats.