Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘payment security’

The BIG Show, NRF in New York, is just a few days away and looking at the sessions, I see there will be plenty of talk about the “omni-channel” shopper and “tokenization” as a data security strategy. Retailers who are looking to enhance the security of their payment data while it moves through various card-present and card-not-present environments should know that not all tokens are created equal.

An effective token should address the following needs:

  • It should be usable in all systems where a Primary Account Number (PAN) is used today as an identifier. It should be seamless and not require rewriting of those systems.
  • It should protect the PAN and not be an encrypted form of the PAN.
  • It should be unique per card number to allow for analytics and reporting. This type of token is known as a card-based or “multi-use” token.
  • It should transcend any single sales channel, but be unique across a single enterprise. This provides additional protection in that the use of the token is limited to that enterprise, further reducing its potential value to thieves.
  • When needed, it should be possible to retrieve the original PAN from a token under highly controlled and defined scenarios.
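As an added illustration of the five properties above (example code written for this page, not Merchant Link’s TransactionVault or any other product mentioned here), a toy enterprise token vault: tokens are random digits rather than a cipher of the PAN, keep the PAN’s length and last four digits so existing systems and reports still work, are stable per card within one enterprise and unrelated across enterprises, and can only be turned back into a PAN through a role-checked, audited path. The role name “settlement” is an assumed policy.

```python
import secrets
from typing import Dict, List, Tuple

# Assumed policy: only the settlement role may recover a PAN from a token.
ALLOWED_DETOKENIZE_ROLES = {"settlement"}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used here only to reject malformed input before tokenizing."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy multi-use token vault. One vault per enterprise, so the same PAN
    maps to one stable token inside an enterprise and to an unrelated token elsewhere."""

    def __init__(self, enterprise: str) -> None:
        self.enterprise = enterprise
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (outcome, role, last four)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # multi-use: same card, same token
            return self._pan_to_token[pan]
        while True:
            # Random digits, not an encryption of the PAN: there is no key whose
            # theft would unmask every token. Same length and same last four digits
            # so legacy lookups and analytics keyed on the PAN keep working.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Controlled path back to the PAN: role-checked and audited."""
        if role not in ALLOWED_DETOKENIZE_ROLES:
            self.audit.append(("denied", role, token[-4:]))
            raise PermissionError(f"role {role!r} may not detokenize")
        self.audit.append(("allowed", role, token[-4:]))
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault("example-retailer")  # constructed sample enterprise
    tok = vault.tokenize("4111111111111111")  # well-known test PAN, not a real card
    print(tok, vault.detokenize(tok, "settlement"))
```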

Recent studies reveal that the majority of consumers shop cross-channel, within the same buying cycle. They may see something in a window, research it online, stop at the store to look at it, and finally buy it online. In order to best serve that customer, today’s merchants need systems and tools that provide the consumer with the same experience and options across all of its sales channels. Many tokenization systems today are unique to a particular sales channel. This can be because they are processor-based, or developed internally by a group responsible for only a single channel. Quite often merchants utilize different processors for their e-commerce and their brick and mortar transactions. Ideally though, your tokenization system accommodates ALL channels and scenarios.

Stop by our booth at NRF and ask our tokenization experts how our multi-use tokens can help your organization secure payment data, reduce PCI scope, track customer behavior and ensure a consistent experience across channels.

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational trainings and activities that reinforced company security policies and provided information on the latest security threats, challenges and trends. This week on the blog, we’ll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Incident Report.  As in years past, hospitality, retail and financial sectors topped the list.  Criminals tend to go where there’s money to be made and these industries have a high ratio of credit card transactions.  Within these industries,  a whopping 67% of breaches occurred in smaller organizations – level 3 & 4 merchants – that typically don’t have the staff or resources to employ full time security departments.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash.  It makes sense that they would target the “low hanging fruit”.  The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations.  Statistics clearly show that targeted companies have developed a complacency or even ambivalence towards security.  Whether large or small, there are a variety of ways thieves can attack your business.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation/Food Service providers should also be aware that POS terminals have the highest percentage of user device compromises (35%).  Methods range from installing devices that capture cardholder data from magnetic stripes, to duplicating manager cards, to installing malware applications that track keystrokes.  Merchants should ensure their POS system is listed on the PCI DSS website of validated payment applications and approved PIN security devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

  • Implement a firewall on remote access services.
  • Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
  • If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
  • Make sure your POS is a PCI DSS compliant application.
  • Eliminate PAN (Primary Account Number) data on-site.

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security.  As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices.  The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet.  Yes, the technology has been around for a while.  But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

Author:  Laura Kirby-Meck

There are many signs out there that the global economy is beginning to improve. In addition to the recent jobs report and the Dow hitting its highest mark since 2008, there also seems to be a renewed energy and hope that this long-running economic malaise will finally come to an end.

One sector that seems to be bouncing back is the hospitality industry.  According to a recent report from Global Industry Analysts (GIA), the global hotel industry is poised to reach $479 billion by 2015.  Some key factors pushing this along are luxury hotels recovering quicker than other segments of the industry, as well as the demand for hotel rooms and services increasing — creating new construction opportunities as properties expand.

The report rightly points out that hotels are increasingly becoming targets for criminal attacks and cyber breaches.  Conversely, hoteliers have been trimming their IT dollars post-recession, even in the face of hackers trying to steal vital data.

While cost savings are important, cutting back in the area of payment security could have an even deeper business and reputational impact if a data breach were to occur.  We would encourage hoteliers to take a look at the efficiencies that new encryption and tokenization solutions offer for both reducing PCI scope and enhancing security.

It is exciting to see that certain segments of the economy are poised for a major comeback.  Though as business opportunities expand for the hotel industry, payment security should remain paramount.  Even during the good times a breach can cause irreparable business damage.

You can access the full report here.
By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers, and this is where you should always strive to be.

For more information about Voltage Security visit or follow them on Twitter at

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

  • Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

  • Don’t Forget “The Brand”: In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

  • Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

  • Customers Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

  • Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

  • Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer.   Fortunately, customer credit card numbers were not compromised because they were stored on a separate server.   And, as our SecurityCents readers know, we always urge merchants to securely store all necessary payment data in a server outside of their network.

  • Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

  • Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry.  See you all back at the Javits Center next year!

Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected.   PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle.  And, for those organizations who are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire in conjunction with APS, evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here!  Finally…well…sort of.  The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

Merchant Link has recently named Laura Kirby-Meck as executive vice president of sales and marketing. Laura is a hospitality industry veteran with more than twenty years of experience leading successful sales teams and implementing marketing strategies to position leading hospitality companies in the market.

Following is an exclusive podcast with Laura who discusses payment security trends for the hospitality sector and beyond.
