Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘PA-DSS’

Merchant Link is pleased to announce the addition of Ben Jared as Director of Business Development for its retail vertical. Previously, Ben served as Area Sales Director for ACI Worldwide, Inc. and ISD Corporation, where he was instrumental in doubling their retail customer base within five years.

Jared joins Merchant Link with more than 26 years of sales, marketing, and product management experience within the financial, retail, and high tech industries. He brings deep expertise in domestic and international payment processing, payment security techniques, and PCI and PA-DSS compliance.

“Ben’s in-depth understanding of all sides of a retailer’s business – from technology to operations – allows him to take a consultative approach that busy CIOs appreciate as they navigate the complex world of payments today,” said Laura Kirby-Meck, Executive Vice President of Sales and Marketing for Merchant Link. “I’m confident Ben will be a huge asset as we continue expanding our presence in the retail market.”

“Merchant Link’s solutions have clear benefits for retailers looking for greater flexibility and peace of mind when it comes to payments and compliance,” said Jared. “I’m excited for the opportunity to draw upon my experience to drive growth in this channel.”

By Beth McGarrity

Last year, the PCI Security Standards Council updated its three standards: the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements, and the Payment Application Data Security Standard (PA-DSS). The Council believes that organizations around the world have begun to adopt these new standards, making financial transactions safer for everyone and moving us closer to a global standard.

Amidst the encouraging signs of progress, Eduardo Perez, chairman of the PCI Security Standards Council, reminds us in the April issue of SC Magazine that:

  • Technology can only go so far to protect you
  • People and processes are key to a strong security strategy
  • If you don’t need the data – don’t store it

Innovations in security technology will surely help organizations meet the latest PCI standards, but in order to realize effective results, merchants must be proactive about preventing breaches. Otherwise, game-changing technologies like tokenization and point-to-point encryption will not be used to their full effect.

Likewise, consumers should be cautious about where they do business and demand that merchants be accountable for their actions regarding credit card security.

As we all know, being PCI compliant will only go so far. Merchants must think “beyond compliance.”

by Dan Lane

With all the changes introduced by the revisions to the PCI-DSS standard in recent weeks, it’s worth taking a critical look at your payments system infrastructure to make sure you have the technology in place to process transactions securely.

One thing we have noticed when discussing PCI-DSS compliance with our customers and prospects is that they have questions about whether a payment gateway still simplifies their electronic payment processing now that tokenization and point-to-point encryption (P2PE) solutions are being touted as the new security catch-alls. Some payment and technology providers are introducing support for tokenization and P2P encryption, and so the gateway – a secure high-speed payments network that connects a point-of-sale terminal to payment processors – might be considered an unnecessary layer.

Still, what makes the most sense is for companies to use all of these solutions in combination as a layered defense against breaches.

And since payment gateways are designed to support more complex merchant environments, the gateway provides not only an added layer of defense, it also allows for processor choice and the peace of mind that comes with having a solution that is supported end to end.

Flexibility and Control: Avoid Vendor Lock-In

A gateway connects merchants to all major processors and offers the flexibility to switch between processors and payment providers quickly and efficiently, keeping the merchant in control of their offerings and rates. Merchants with franchisees can offer them the choice of processors and maintain a secure and consistent payments acceptance process across their brand.

Service and Support When Issues Occur

Tokenization and P2PE solutions will distance the merchant further from the actionable credit card numbers, so when problems do occur, it’s critical that the payment gateway or security provider offering the security service takes responsibility to resolve it. Without access to the card data for problem resolution, the merchant needs to ensure that their vendors offer high-touch support to access information and immediately remediate problems.

Five Questions to Ask

If you are a merchant who is considering tokenization or P2P encryption, and weighing a gateway and/or a direct-to-processor solution, here are five important questions to ask:

  1. What kind of support can I expect when my batches fail or I need to resolve a payments-related problem? Will you take responsibility for helping with the resolution?
  2. How complex is the set-up and installation across all my stores?
  3. How easily will I be able to change processors when my processor contract expires?
  4. How tightly integrated is the security with my point-of-sale and merchant network?
  5. Will I have to invest in new software?

Let us know your thoughts below.

By Troy Mechura

The two major payment gateways that provide services to Panasonic SMP users have taken a leadership role in the industry by expressing serious concerns about the security of SMP. We haven’t heard much from other members of the payments community or even from the software provider itself. We have heard that many users have been charged with PCI non-compliance fees on top of their regular monthly fees. While everyone is working hard to ensure that only PA-DSS validated applications are traversing their payment networks, SMP is flying under the radar and getting little attention.

A Little Background…

SMP version 3.0 (only) was grandfathered in under the old PABP rules for 24 months (set to expire 11-15-10), but there is no mention of this grandfathering on the new comprehensive PA-DSS list, even though other payment applications were transferred over. Was this an oversight? It is a pretty important issue to go unnoticed. Regardless, we have seen very few merchants using version 3.0. Most are still using 2.x versions or the last version, 3.5. Therefore, the vast majority of SMP users are not using a version that is listed on either the outdated PABP list or the new PA-DSS list.

No one seems to want to take a stand on the security of SMP, except the two major payment gateways. As fines and penalties go, both are in a relatively neutral position in the payment stream, and both have expressed grave concerns. Why such silence from everyone else? And who will be responsible in case of a breach? Some of the first questions that will likely arise are:

  • What version of SMP were you running at the time of the breach?
  • Where is that version listed as a validated application?
  • Did your dealer, processor, or auditor tell you it was OK to run that version?
  • Did you get this guidance in writing?

One thing is certain: SMPLink – built by Bunt Software to install on SMP systems – passed the rigorous PA-DSS validation audit and is compliant according to PA-DSS standards. Combine this with Merchant Link’s TransactionVault® tokenization technology, and SMP users can run state-of-the-art technology on their Panasonic SMP systems without buying new hardware.

Merchants should not mistake silence for security when it comes to their SMP system. Visit www.buntsoft.com today to learn more.

By Sue Zloth

This week our team is going to be attending the Fourth Annual PCI Community Meeting and I expect it to be action packed.

While the updates to the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) have already been revealed, the meeting offers a chance for us to obtain additional insight from the PCI Council, discuss the new versions with peers and others in the industry, and provide feedback. The official changes will likely be published next month, with real impact taking effect at the beginning of the year.

I don’t expect anything ground-breaking, but the meeting will still offer a significant forum for us. The major card brands, QSAs, and vendors in financial, retail and lodging will all be in attendance, and each will likely have feedback to share.

As part of the overall discussion, our team is specifically interested in discussing the importance of a layered approach to security using both tokenization and encryption.

If you are attending the show, please stop by and say hello. I’ll be at our booth #42 from 12-1 pm on Wednesday. As a member of one of the PCI SSC Special Interest Groups (SIGs), I can answer questions you may have about the upcoming guidance we are developing for the Council on tokenization.

If you are unable to make the event, stay tuned…we will be sharing more thoughts from the meeting on SecurityCents later this week.

by Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end-state and how best to overcome the numerous obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end-state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data as well as what happens to any recorded Voice over IP calls. As part of that process develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem, it’s a business issue, and to be effective, it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as it’s required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can help provide protection of sensitive data throughout the entire operational life cycle. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PCI compliant PMS systems (PA-DSS) and use TRSMs when possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but have excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique to increase your security posture. Another freebie is to update systems regularly; implement a patch management program to make sure all OS and application patches are installed in a timely fashion and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee is going to be much less expensive than a breach. Then, just as you have an evacuation plan for a physical security emergency, consider developing a breach response plan so you know who to contact if a breach occurs – key contacts include the merchant bank as well as federal and state law enforcement agencies.

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues, there are thousands of IT security professionals facing the same complexities and issues similar to yours. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf

By Don Bunt, President of Bunt Software

July 1st brought some significant changes impacting merchants using Panasonic SMP. New rules regarding card practices took effect and included PCI DSS changes as developed by the PCI Security Standards Council.

When Panasonic decided to concentrate on their workstation business last year, they discontinued support for their software products, including the System Manager Pro (SMP) point-of-sale software. That left nearly 3,500 merchants and quick service restaurants (QSR) at a loss. As the SMP software is no longer certified to the current PCI rules, merchants using SMP fell out of compliance with PCI.

Merchants failing to comply with the new standards can incur substantial fines, or worse, be prevented from accepting credit cards.

This is serious business. I am not trying to scare you. Yes, of course, I have something to sell, but the fact is that without utilizing PCI compliant POS software, merchants are facing exposure to a possible breach of cardholder data.

The good news is that Bunt Software and Merchant Link have partnered to create a PCI compliant solution for Panasonic SMP users. SMPLink™ is a payment interface that replaces the existing SMP credit interface. The software is immediately available for merchants and QSRs.

In addition, SMPLink has been PA-DSS validated. A key standard under PA-DSS is removing sensitive data after authorization. Using Merchant Link’s TransactionVault® technology, credit card data is tokenized and removed from the POS system, thus, lowering the risk of data breaches and dramatically reducing PCI compliance efforts for the merchant.
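As an added illustration, not Bunt Software’s or Merchant Link’s code, the Python below sketches the “remove sensitive data after authorization” principle described above, and also serves steps 1 and 4 of the eight-step list earlier on this page (know where card data is stored; don’t keep it): a hypothetical token vault returns a random token, the POS record keeps only that token and the last four digits, and a Luhn-based scan confirms that no full card number remains in what the POS stores. The vault class, the record layout and SAMPLE_PAN (a synthetic test number) are all assumptions of this example.

```python
import re
import secrets
import string

# Constructed sample: a synthetic test PAN that passes the Luhn check (not a real card).
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to validate input and to recognise stray card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: after authorization, the only place the PAN lives."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random letters only: unguessable, and cannot be mistaken for a card number.
        token = "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (not the POS) can map a token back to the PAN."""
        return self._store[token]


def authorize_and_tokenize(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the POS keeps for settlement or refunds: token, last four, amount; never the PAN."""
    token = vault.tokenize(pan)   # authorization with the PAN would happen here
    return {"token": token, "last4": pan[-4:], "amount": amount}


def contains_pan(record) -> bool:
    """Step-1 style check: does a stored record still carry a Luhn-valid card number?"""
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(str(record)))
```

Running contains_pan over exported POS records, log lines or reports is a cheap way to find card data that a retention policy says should no longer exist.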

For users of Panasonic SMP that are looking to make the switch, this is an easy solution that will allow you to remain PCI compliant and will give you the peace of mind that sensitive data is secure.

P.S. I have also created a forum called Old Skool Pos Forum where owners and dealers of old school point-of-sales systems can chat and interact as well as ask for support.