Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘payment security’

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security.  As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices.  The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

Author:  Laura Kirby-Meck

There are many signs out there that the global economy is beginning to improve. In addition to the recent jobs report and the Dow hitting its highest mark since 2008, there also seems to be a renewed energy and hope that this long-running economic malaise will finally come to an end.

One sector that seems to be bouncing back is the hospitality industry. According to a recent report from Global Industry Analysts (GIA), the global hotel industry is poised to reach $479 billion by 2015. Some key factors pushing this along are luxury hotels recovering more quickly than other segments of the industry, as well as increasing demand for hotel rooms and services, which creates new construction opportunities as properties expand.

The report rightly points out that hotels are increasingly becoming targets for criminal attacks and cyber breaches. Yet hoteliers have been trimming their IT dollars post-recession, even in the face of hackers trying to steal vital data.

While cost savings are important, cutting back in the area of payment security could have an even deeper business and reputational impact if a data breach were to occur. We would encourage hoteliers to take a look at the efficiencies that new encryption and tokenization solutions offer for both reducing PCI scope and enhancing security.

It is exciting to see that certain segments of the economy are poised for a major comeback. But as business opportunities expand for the hotel industry, payment security should remain paramount. Even during the good times, a breach can cause irreparable business damage.

You can access the full report here.

www.strategyr.com/Hotel_Industry_Market_Report.asp

By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data is not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers, and this is where you should always strive to be.

For more information about Voltage Security visit www.voltage.com or follow them on Twitter at www.twitter.com/voltagesecurity.

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

  • Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

  • Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

  • Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

  • Customers Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

  • Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

  • Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer. Fortunately, customer credit card numbers were not compromised because they were stored on a separate server. And, as our SecurityCents readers know, we always urge merchants to securely store all necessary payment data on a server outside of their network.

  • Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

  • Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered, and clearly there will be many exciting times ahead for the retail industry. See you all back at the Javits Center next year!

Many retailers have been scrambling to meet PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline.  But are they really compliant?

During its annual IT Security Summits and Catalyst events, and at its Security & Risk Summit in EMEA, Gartner conducted a series of kiosk-based surveys with 383 IT managers and found that almost a fifth of firms are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS).

Lawrence Pingree, research director at Gartner, blames this non-compliance on increasing pressure on firms’ IT budgets, even though the PCI Security Standards Council continues to reinforce that failure to comply can negatively impact both merchants and their consumers.

The reality is that merchants need to go beyond compliance and implement multiple layers of security to ensure that customer data is protected. PCI compliance is certainly an important part of this, but it’s only one piece of the puzzle. And, for those organizations that are not yet compliant, we urge you to take the necessary steps to meet PCI DSS. You can access the “User Survey Analysis: 2012 Security Buying Behaviors and Budget Trends” report from Gartner here.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here! Finally…well…sort of. The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communications (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones. It’s been an interesting progression to watch and something we will certainly keep an eye out for, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

Merchant Link has recently named Laura Kirby-Meck as executive vice president of sales and marketing. Laura is a hospitality industry veteran with more than twenty years of experience leading successful sales teams and implementing marketing strategies to position leading hospitality companies in the market.

Following is an exclusive podcast with Laura who discusses payment security trends for the hospitality sector and beyond.


These days, merchants are being told they can save money by using a client-to-processor connection or “direct driver” vs. a hosted payment gateway in the cloud. Are these claims really true? What do merchants stand to lose by sending transaction data directly from their point-of-sale system to a processor?

A hosted payment gateway facilitates the secure transfer of information between a point of payment (your POS) and the payment processor or bank. The gateway acts as a translator, traffic cop and bodyguard – interpreting and directing data streams through a secure route to the appropriate destination, quickly and accurately.

Merchants considering both options should keep in mind:

  1. Choice: A gateway connects merchants to a variety of processors and often offers the flexibility to switch payment providers quickly and efficiently, enabling a merchant to best manage its payment acceptance fees. Merchants with franchisees can offer them the choice of processors and maintain a secure and consistent payments acceptance process across their brand. Merchants can also use the gateway to route different card types to specified hosts, saving them money by reducing processors’ switching fees. A quality gateway assures that a merchant is not locked in to a particular processor’s technology that is hard to “unravel” if they decide to change.
  2. Support: A quality gateway provider has the unique ability to track down and efficiently resolve problems no matter where an issue occurs within the life cycle of a transaction, saving merchants time and money by eliminating “finger pointing” between POS providers and payment processors. The more complex the merchant environment, the more a gateway is needed. A gateway can help a merchant quickly resolve payments hassles and get back to managing their business.
  3. Cost: While most gateway providers charge a subscription or per-transaction fee, merchants should take into account the ongoing investment they will have to make in new software and/or POS upgrades when considering a client-to-processor connection. The merchant is then locked in to technology that will soon be dated. In contrast, a cloud-based payment gateway is easily implemented and maintained. Configuration changes are usually performed at the gateway without interrupting business at the site when software and payment scheme updates are required.

Savvy business owners know that the only way to separate claims from reality and determine what’s best for their business is to educate themselves, talk to other merchants who are utilizing similar solutions, and ask a whole lot of questions. Check out this informative presentation and let us know what you think by leaving a comment below.

The Value of a Payment Gateway

When the PCI Security Standards Council (PCI SSC) holds its election for Special Interest Groups (SIGs), it often provides a true window into the future of payment security. One could actually consider the outcome of the SIG elections a true crystal ball, if you will.

Last year, for example, our experts participated in the PCI SIGs for point-to-point encryption and tokenization.  We saw these technologies as reaching a tipping point in the hospitality, retail and lodging industries.

This year, the organization received 500 votes from more merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012, which included cloud computing, e-commerce security and risk assessment. All of these are top of mind for merchants as online and mobile transactions become more prevalent.

In addition, PCI SSC received votes from many organizations outside of North America, showcasing how finding global payment security solutions will be a priority.  Here’s what Jeremy King, European Director, PCI Security Standards Council, had to say in the PCI Council’s official press release:

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor.  I’m looking forward to close collaboration between the Council and SIG membership.”

The SIGs have often resulted in guidance for interpreting and implementing the PCI Standards – in such areas as wireless security, EMV chip, point-to-point encryption and virtualized environments. So we will be offering our own opinions and watching with anticipation to see what they will recommend in these new areas.

And while there is no such thing as a real crystal ball, the SIG elections clearly provide a glimpse into the future of payments and PCI compliance.