Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘P2PE’

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power in the hands of today’s consumer, who can check competitors’ prices while in the store (a phenomenon known as “showrooming”), so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to deliver more customized promotions that increase engagement and loyalty. To keep up with tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. Some POS providers are leveraging the tablet form factor, integrating barcode scanners and magnetic stripe readers into handheld devices that double as a tool for offering on-demand product information to shoppers wherever they are in the store.
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining momentum as one of the most effective ways for retailers to secure in-store, online and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, and their favorite method is to capture data “in transit” as it moves through and out of the merchant environment: according to Trustwave’s 2012 Global Security Report, attackers in 2011 harvested more data in transit than by any other method. Meanwhile, the PCI Council just released updated point-to-point encryption requirements, as well as a fact sheet on accepting payments securely with mobile devices, with actionable recommendations on partnering with a P2PE solution provider to accept payments securely and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

Author:  Laura Kirby-Meck

There are many signs out there that the global economy is beginning to improve. In addition to the recent jobs report and the Dow hitting its highest mark since 2008, there also seems to be a renewed energy and hope that this long-running economic malaise will finally come to an end.

One sector that seems to be bouncing back is the hospitality industry.  According to a recent report from Global Industry Analysts (GIA), the global hotel industry is poised to reach $479 billion by 2015.  Some key factors pushing this along are luxury hotels recovering quicker than other segments of the industry, as well as the demand for hotel rooms and services increasing — creating new construction opportunities as properties expand.

The report rightly points out that hotels are increasingly becoming targets for criminal attacks and cyber breaches.  Yet hoteliers have been trimming their IT budgets post-recession, even as hackers try to steal vital data.

While cost savings are important, cutting back on payment security could have a far deeper business and reputational impact if a data breach were to occur. We would encourage hoteliers to look at the efficiencies that new encryption and tokenization solutions offer, both for reducing PCI scope and for enhancing security.

It is exciting to see that certain segments of the economy are poised for a major comeback.  Though as business opportunities expand for the hotel industry, payment security should remain paramount.  Even during the good times a breach can cause irreparable business damage.

You can access the full report here.


Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected.   PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle.  And, for those organizations that are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here!  Finally…well…sort of.  The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with its mobile wallet, using Near Field Communication (NFC) to exchange data with point-of-sale (POS) terminals. On the payment side, the company partnered with MasterCard and Citi to let users pair credit cards with their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye on, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions.  Asking them up front makes it easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fall back scenario?
  8. Where is the HSM located in the solution? Where is the data decrypted exactly?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the encrypting device tamper resistant, and what does it do when tampering is detected (for example, does it erase its keys)?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

By Michael Ryan

This week, our team is down in Arizona for the North American PCI Community Meeting.  Each year we look forward to this event as it offers us a chance to network with Qualified Security Assessors (QSAs) and fellow Special Interest Group (SIG) members as well as others in the community and discuss the issues that are facing merchants both big and small.

In fact, the discussions are quite helpful as this is really the time for the PCI Council to outline programs, resources and goals for the coming year.  One of the most interesting aspects is to learn what the Council will provide guidance on next.

Merchant Link has been a part of the SIGs for both tokenization and point-to-point encryption (P2PE) and continues to offer our expertise in an effort to provide guidance to merchants.

We were excited to see that right before the meeting this year, the Council announced requirements for P2PE focused on hardware-based implementations.  The 96-page document provides guidance on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies.  Interestingly enough, the Council has said that even with these requirements in hand, merchants should only use P2PE solutions and applications that have been validated against them; the list of validated solutions is targeted to post on the Council’s website in spring 2012.

Perhaps this delay, along with the delays in the tokenization and virtualization guidelines, is why the Council is taking a new approach to SIGs.  For 2012, each SIG will be led by a member of the Council to keep the group on task, and will have a term of only 12 months.

Over the last couple months, many proposals were made for what guidance should come next.  The proposals were short-listed and voting will take place on the PCI portal.  I’m looking forward to seeing what’s on the agenda for next year.

By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February.  Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that 75 percent of the traffic must be EMV transactions to qualify for the PCI exemption.  It only says that the terminals must be EMV and NFC capable.  U.S. payment processors don’t support EMV today, so no merchant could meet a transaction-based requirement. Clearly this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may also have noted that there are no liability shifts or protections from data breach penalties, as there were in the global version of the program.  It seems that Visa knows this program will not enhance security or prevent fraud: merchants may get a temporary reprieve from PCI DSS validation, but they will still be subject to fines and penalties if they are breached.

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll out because I want to use my phone to make purchases at the point-of-sale (POS).  However, I can’t do this with a clear conscience because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away in the U.S.  While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks: an EMV authorization message still carries the card number in the clear unless it is protected by point-to-point encryption (P2PE) and/or tokenization.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud.  According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant.  So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data and someone will ultimately pay the price when a breach occurs.

Independent Assessment by Industry Leading PCI QSA, Finds That Merchant Link’s Encryption and Tokenization Solutions Enhance Transaction Security for Merchants.

Merchant Link’s TransactionShield™ and TransactionVault™ solutions can significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released today by Coalfire Systems, Inc., a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) company.

Merchant Link’s TransactionShield is a point-to-point encryption (P2PE) solution that ensures customer card data is encrypted from the moment the card is swiped.  Merchant Link’s TransactionVault tokenization solution removes customer credit card data from the merchant’s systems, where it would be at risk from hackers, and stores it instead in Merchant Link’s hosted vault.  Together, TransactionShield and TransactionVault secure both data in flight and data at rest, and reduce the cost and effort of attaining and maintaining PCI compliance.

“Merchants continue to be plagued by data breaches caused by inadequate security controls or applications which allow access to sensitive payment card data,” said Kennet Westby, president and COO of Coalfire.  “Merchant Link’s comprehensive offering including both tokenization and encryption can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.”

“Merchants are currently burdened with having to keep all customer data secure while also meeting challenging PCI requirements,” said Dan Lane, President and CEO of Merchant Link.  “Coalfire’s assessment of our P2PE and tokenization solutions further validates that Merchant Link can provide transaction security solutions that go beyond current PCI requirements, ultimately allowing merchants to focus on their core businesses.”

Coalfire’s assessment, which included technical testing, architectural assessment, industry analysis, compliance validation and peer review, found that:

  • TransactionShield will leverage multiple encrypting point of interaction (POI) devices deployed in the merchant network and a Merchant Link-hosted decryption system which eliminates the transmittal of cleartext cardholder data through the entire merchant network.
  • TransactionVault can eliminate post authorization storage of cardholder data from a merchant’s network by storing it in Merchant Link’s PCI DSS compliant data centers.
  • TransactionShield is aligned with Visa Best Practices for Data Field Encryption published by VISA in October 2009, as well as guidance provided in the Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance published by PCI SSC in October 2010.
  • TransactionVault is aligned with Visa Best Practices for Tokenization guidance published by VISA in July 2010.
  • Properly deployed, implementation of the TransactionShield and TransactionVault solutions together can effectively remove merchant retail POS systems from the scope of PCI DSS by:
    • Capturing card data only via a TransactionShield integrated POS application and encrypting Point of Interaction (POI) device;
    • Strongly encrypting card data at the TransactionShield point of capture in a secure, restricted access, encrypting POI device, where the merchant has no ability to decrypt the card data;
    • Storing only card data tokens post authorization as returned by TransactionVault.

To learn more about Merchant Link’s TransactionShield and TransactionVault, and obtain the report, click here.

About Coalfire

Coalfire is a leading, independent IT Audit and Compliance firm that provides information technology (IT) audit, security assessment and IT compliance management solutions.  The company has grown rapidly since being founded in 2001 and now completes more than 1,000 projects annually in retail, financial services, healthcare, government and utilities.  Coalfire has developed a new generation of technology-enabled IT Compliance Management Tools under the Navis brand.  These tools enable Coalfire to efficiently deliver governance, risk and compliance (GRC) services and keep pace with rapidly changing regulations and best practices.  Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, including the PCI Data Security Standard, Gramm-Leach-Bliley Act, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, please visit

About Merchant Link

Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at

By Sue Zloth

Last fall the PCI Council announced guidance on point-to-point encryption (P2PE) to help merchants protect their customers’ payment card information. Since then, merchants have had P2PE implementation on their minds.

Recently I’ve been a part of a working group that is evaluating technologies and determining the best ones to secure payment transactions and help reduce scope for PCI. One thing that’s becoming clear is that tokenization cannot be left out of the mix.

As a part of the PCI Special Interest Group (SIG) on tokenization, I’ve been evaluating this technology and offering recommendations for guidance. Although the guidance won’t be out until late spring, I wanted to share some educational information about tokenization that could benefit our readers.

Each week, I’ll post an article about what tokenization is, the types of tokenization, its benefits for merchants and some simple considerations before implementing a tokenization solution.


So what is tokenization?

In its simplest form, tokenization is data substitution.

What does that mean? Well, let’s say that you have the following credit card number:

4467 9388 2077 1234

(Don’t worry, I made this number up).

Hypothetically, if this card number were stolen, it would have a significant value to the thief. The bad guy could sell your number to other bad guys or could simply use your credit card to buy things on your dime.

However, if that same credit card number were tokenized, the real digits would be replaced by a stand-in value, a token, that has no value on its own:

1234 5678 9012 1234

This way, if the token is stolen, it can’t be used to make purchases and is of no use to the bad guys. Notice that the example token keeps the last four digits of the card, so a receipt can still be matched to a card, while the remaining digits carry no information about the original number.

Because the token is a substitute for the card number rather than an encoding of it, there is nothing for a thief to “crack”: the token cannot be turned back into the real card number by anyone who does not have access to the vault that issued it. The real credit card information is sent to that vault, a centralized and highly secure server, to be stored.
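To make the substitution concrete, here is an added example (not Merchant Link’s TransactionVault or any other vendor’s code) of a toy vault that tokenizes the post’s made-up card number. The class and function names, the in-memory dictionary standing in for the vault, the rule that a token must fail the Luhn check so it can never pass as a live card number, and the same-card-same-token behaviour are all assumptions made for illustration. It shows the properties described above: the token keeps the card’s length and last four digits, shares nothing else with it, cannot be reversed by anyone who lacks the vault, and is turned back into the card number only by a lookup inside the vault that issued it.

```python
"""Toy vault-based tokenization: a token is a random stand-in for a card number.

Added example, not any vendor's product. The vault is an in-memory dict here;
a real vault is a hardened, centralized service with encrypted storage.
"""
import random
import secrets
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip formatting spaces/dashes and reject anything not PAN-shaped."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not a 13-19 digit card number")
    return digits


class TokenVault:
    """Hypothetical centralized vault (assumed design, not a specific product).

    It lives at the provider, outside the merchant network: the merchant only
    ever receives tokens and has no call that reverses them. detokenize() is
    the provider-side lookup used for settlement and chargebacks.
    """

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        # SystemRandom in production; a seeded Random can be injected for tests.
        self._rng = rng or secrets.SystemRandom()
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        """Random digits plus the PAN's last four, rejected if it could pass as a PAN."""
        while True:
            body = "".join(self._rng.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice (assumption): a token must fail Luhn so it can never be
            # mistaken for, or used as, a live card number, and must be unique.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Store the real PAN in the vault and return its token (same PAN -> same token)."""
        pan = normalize_pan(pan)
        token = self._token_by_pan.get(pan)
        if token is None:
            token = self._new_token(pan)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Provider-side lookup; None for a token this vault never issued."""
        return self._pan_by_token.get(token.replace(" ", ""))


def group4(digits: str) -> str:
    """Display digits in groups of four, as in the post's example."""
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4467 9388 2077 1234"  # the post's made-up card number
    token = vault.tokenize(pan)
    print("card :", pan, "| passes Luhn:", luhn_valid(normalize_pan(pan)))
    print("token:", group4(token), "| passes Luhn:", luhn_valid(token))
    print("vault lookup :", group4(vault.detokenize(token)))
    # An attacker who steals tokens but not the vault has nothing to reverse.
    print("other vault  :", TokenVault().detokenize(token))
```

Run as a script it prints the card, its token and the vault lookup; a second, independent vault returns None for the same token, which is the whole point: the token is a lookup key, not a cipher, so without the vault there is nothing to crack.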

Next up in this series: Token Types

By Todd Reed

It is hard to believe the year is already ending. Recently, my colleague wrote a blog post looking back at the issues that impacted the retail industry in 2010. Many of these issues hit the vertical that I work in—hotel and lodging. Yet when I look back there are a few things in particular that were unique to hotels.

Target Practice
One could say 2010 was the year a target was placed on the back of this industry. After several notable hotel breaches, it was reported that the hotel and lodging sector of the hospitality industry was the #1 target for hackers. One of the top five Hotel Chains reported several breaches followed by one of the top ten Resort Management Companies as well as several others in between. Hotels were being targeted because of the large amount of credit card data in their systems and because a majority of them neglect to implement the most basic security precautions, making it easy for hackers to access this information through a property management system (PMS) or point-of-sale system (POS).

While the industry is working on creating standards for securing credit card data and network systems that hold sensitive consumer data, they are not yet as advanced as retail merchants. Retail has long suffered targeted attacks and is proactively seeking solutions that can protect the full cycle of a payment transaction. After this year, I expect that the hotel industry will also be proactive in its approach and seeking both tokenization and encryption solutions to protect its customers.

Creating a Standard
The industry has not stayed stagnant in the wake of the attacks. In fact, several groups have come together to create standards that will help the hotel and lodging industry. In October, the Payment Card Industry Security Standards Council (PCI SSC) revised the requirements merchants must meet when accepting or transmitting credit card data. Version 2.0 of the standard consisted mainly of revisions and clarifications of existing requirements, but for the first time the Council also provided guidance on point-to-point encryption (P2PE). Guidance on tokenization will follow soon. Merchants will be able to turn to this guidance as they determine an appropriate solution to secure their data.

The Hotel Technology Next Generation Group (HTNG) has also been working to develop standards for merchants. The group provided a list of helpful resources for hoteliers this year, including a new Wiki with updates on working group efforts and details on products and services that have met HTNG standards.

Implementing a Solution
Hotel IT professionals are now working fast to familiarize themselves with all the basic security measures that need to be in place and are implementing new strategies. Some hotels have already taken more advanced measures to protect credit card data. Tokenization and encryption will be the key for this industry. One solution alone will not be the answer to protecting the hotel industry from attack, but a combined approach to security with advanced technologies is a necessary step in the right direction.