Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Mobile Payments’

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”), and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
 
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
 
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure on- and offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, with their favorite method being to target data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than with any other method, according to Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements as well as a fact sheet outlining how merchants can securely accept payments using mobile devices, with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

From the old knuckle busters, to electronic transactions, to mobile wallets. The world of payments today is evolving at breakneck speed, with more change expected over the next few years than in the last few decades combined. At last week’s Electronic Transactions Association Annual Meeting & Expo, the message was loud and clear: keep up, remain versatile, and continue to innovate, or risk getting left behind.

Having attended the ETA show for many years, it’s interesting to experience the shift in focus. We’re not just talking about basic credit card processing anymore. For example, an exciting new wave of data mining is turning transaction data into marketing gold, providing valuable business intelligence for merchants, and a more personalized experience for consumers. It’ll be interesting to see the reaction as more of these programs are rolled out. I suspect merchants will be thrilled, but consumers may be wary given the high volume of marketing messages we are exposed to daily. But as long as these programs remain “opt-in” and provide real and relevant value, the outlook looks good.

As mobile wallets continue to evolve, which some predict will be the payment method of choice by 2020, I imagine we’ll see a shake-out with a select few companies rising to the top. As card types evolved years ago, most merchants came to accept MasterCard, VISA, American Express, Discover and Diners Club. As mobile wallet options evolve, it will be interesting to see which options become standard.

When it comes to transaction security, the focus has shifted from a technical problem to an essential and expected part of doing business. Various methods are still being discussed and debated, and this year many were wondering what EMV would mean for security.

Check out ETA’s conference highlights, photos and video here and we’ll hope to see you at the show in New Orleans next year!

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™ – the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never vulnerable while it’s being processed.
 
Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security.  As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices.  The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers, and this is where you should always strive to be.

For more information about Voltage Security visit www.voltage.com or follow them on Twitter at www.twitter.com/voltagesecurity.

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

  • Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

  • Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

  • Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

  • Customers Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

  • Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

  • Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer. Fortunately, customer credit card numbers were not compromised because they were stored on a separate server. And, as our SecurityCents readers know, we always urge merchants to securely store all necessary payment data in a server outside of their network.

  • Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data. And, retail giant Columbia Sportswear served as the pilot implementation partner, implementing this solution across its nationwide retail network.

  • Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry. See you all back at the Javits Center next year!

Avivah Litan is a vice president and distinguished analyst in Gartner Research and is a renowned expert in the area of payments security. She regularly publishes key industry research reports with regard to PCI compliance, has a well-read blog and is often quoted in the media discussing PCI compliance and payment security, among other things. Following is an exclusive podcast with Avivah Litan, who discusses key payment security trends and highlights the value of end-to-end encryption and tokenization.


If you’re like me, you spend time during your daily commute at the local Starbucks, standing in line, waiting for your caffeine fix. As you eagerly await your turn in line, reciting your order repeatedly in your mind to ensure you don’t mess it up, you see individuals approach the register and pay for their cappuccinos, coffees, espressos and other concoctions with…their cellphones?

The scenario of a barista scanning their mobile device and account information being transferred through a point-of-sale system raises some red flags in the minds of consumers. Yet studies by credit card giants, such as MasterCard, show that customers aren’t so averse to the increased adoption of mobile payments.

In fact, results of a recent study they conducted showed that 62 percent of Americans with cell phones would welcome paying for purchases with a mobile device.  It really becomes a psychology issue rather than a pure technology issue. Does the convenience of the purchase outweigh the security concerns in their minds?

With that in mind, younger generations are more likely to embrace mobile payments and feel more comfortable without a wallet than without a mobile device.  That could mean that mobile payments and a society without cash are clearly around the corner. Right?

Well, not completely. The customer is only one half of the equation for mobile payment adoption. The other half is the merchant, and right now, merchants are simply not seeing the potential return on their mobile payment investment. That’s because the switch to mobile payments involves much more than just training your staff to add “cell phone” to the list of ways customers can cover their tab.

To embrace mobile payments, a merchant’s point of sale, payment processing, and device management systems need to be overhauled. Most importantly, additional security concerns need to be addressed.

With advanced tokenization and encryption solutions being embraced by merchants, the customer’s invaluable credit card information can be protected from the time of the card swipe through the rest of the transaction lifecycle.

Most of us in the industry understand that the movement to secure mobile payments is only in the beginning stages and that solutions are in development to secure these types of transactions in the future. However, until merchants see enough benefit in embracing mobile devices as forms of payment to cover their investment in upgrades to their point of sale, payment processing and security systems, a cashless society could remain simply a pipedream.

By Sue Zloth

When Google made the announcement that it was launching a new mobile wallet backed by MasterCard and Visa, we knew that the industry needed to get a better hold on mobile payment security standards.

So what has the PCI Council thought about all of this?

The Council has been evaluating mobile communication devices and the payment application landscape.  The current focus is on determining the need for advice, guidance or re-evaluation of existing PCI requirements for mobile payment transactions.

Recently, the Council issued a statement on PA-DSS and mobile payment acceptance applications that provides specific detail on the types of mobile payment acceptance applications that can meet PA-DSS requirements, and those that require additional examination from the Council.

The Council’s Mobile Working Group, which includes representatives of each payment brand, put mobile payment acceptance applications into three categories based on type of underlying platform [according to guidance document]:

  • Mobile Payment Acceptance Application Category 1 – The category includes payment applications that operate only on a PTS-approved mobile device.
  • Mobile Payment Acceptance Application Category 2 – Payment applications which meet all of the following criteria:
    • payment application is only provided as a complete solution “bundled” with a specific mobile device by the vendor;
    • underlying mobile device is purpose built (by design or by constraint) with a single function of performing payment acceptance; and
    • payment application, when installed on the “bundled” mobile device [as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application’s Report on Validation], provides an environment which allows the merchant to meet and maintain PCI DSS compliance.
  • Mobile Payment Acceptance Application Category 3 – Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.

Guidance in the third category is not being addressed by the Council at this time.  It is a very important category given the growing trend of mobile payments and it needs to be addressed.  However, in the meantime, the Council plans to release additional guidance on the other categories by the end of 2011.