Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ PCI DSS ’

Merchant Link is proud to announce the signing of a multi-year contract with Phoenix Managed Networks.

The deal will see Merchant Link offer its customers Phoenix’s award-winning Payment Card Industry Data Security Standard (PCI DSS) firewall service coupled with breach insurance. This latest product addition complements Merchant Link’s current portfolio and is designed to secure a merchant’s IT network and customer cardholder data while protecting businesses from the high costs of an attack.

The new firewall service is a cloud-based management service with an on-site security appliance that locks down the point-of-sale (POS) system and segregates payment traffic from all other corporate IT data.

Trevor Fall, Executive Vice President for North American Sales for Phoenix Managed Networks, commented “We are delighted to have signed with Merchant Link. They have an excellent market standing and a client base of tens of thousands of retail, hotel and restaurant businesses across the USA that will benefit from the added layers of security at the point-of-sale.”

The solution requires no technical expertise on the part of the user to install or manage, making it an ideal service for small-to-medium sized businesses or franchisees. The appliance further simplifies compliance with PCI standards. Key benefits include:

  • Addresses the PCI DSS requirement (Requirement 1) to install and maintain a firewall configuration to protect cardholder data.
  • Simplifies the process by pre–populating the PCI DSS Self Assessment Questionnaire (SAQ) document.
  • Includes $100,000 of breach insurance in the event of a security breach.
  • Detects and blocks network intrusions or rogue devices being plugged into the network.
  • Guards the POS network from internal and external threats 24x7x365.
  • Assists network administrators by issuing real-time status alerts for potential network or security issues and monitoring staff productivity with available reports on Internet usage.
  • Ensures minimum business interruption with the option to fail over to a 3G network if the existing wired connection fails.
  • Supported by a fully managed, PCI compliant, cloud-based system that configures and monitors each connection.

Fall added: “The Ponemon Institute recently reported that cyber-attacks have more than doubled over the past three years, while the financial impact increased by nearly 40 percent. It’s now essential businesses deploy the right mix of security solutions to detect and protect against evolving threats.”

Geoff Krieg, Vice President of Product Management for Merchant Link, said “We see this offering as particularly attractive for businesses that want an easy-to-implement firewall solution that meets PCI requirements and allows merchants to segment their network so that POS terminals are isolated from other PCs. We continually look to partner with innovative companies such as Phoenix Managed Networks to help us expand the breadth and depth of our services to merchants and look forward to embarking on a successful relationship.”

Now that the July 4th sparklers have all burned out we head into the long, hot days of summer. These lazy days are filled with beach vacations, barbecues and picnics, and lounging in the sun. In part 2 of our Security Awareness blog series we focus on some alarming trends in data security and PCI compliance at small businesses. Unfortunately, according to a recent study commissioned by The Hartford Financial Services Group, the attitude of small business owners looks a lot like a summer vacation when it comes to data security. According to the survey, many small business owners (Level 4 merchants) simply do not believe they are at risk of a data breach, when in fact attacks on smaller businesses are increasing. The bottom line: data thieves don't take vacations, and they are always trying to steal your customers' credit card information.

ControlScan called it "The Perfect Storm of Complacency" in its 2011 survey of Level 4 merchant attitudes toward compliance with the Payment Card Industry Data Security Standard (PCI DSS). The survey revealed a nonchalant attitude toward sensitive cardholder data and observed:

  • Risk of financial losses doesn’t seem to be a big motivator for Level 4 merchants to aggressively comply with the PCI DSS.
  • A sizeable minority of Level 4 merchants continue to believe that PCI compliance does not make their business more secure.
  • Little progress has been made in increasing awareness of PCI compliance among small merchants.

While small business owners want to focus on managing and growing their business more than the details of data security and PCI compliance, the threats and risks remain. Thankfully, there are some great resources out there that can help, including:

So enjoy the lazy days of summer but don't get lazy when it comes to data security and your company's reputation! We invite you to share your experiences, questions and comments below.

For any business – especially those involved in storing, processing or transmitting payment data – information is one of its most important assets. Protecting this information is vital for maintaining customer trust and brand reputation. Beyond having the right security systems, technologies and procedures in place, business owners need to make sure that each and every employee is aware of the role that they play in protecting that important asset.

At Merchant Link, we recently wrapped up our annual Security Awareness Week. Guided by our Learning and Development Team, employees participated in educational training sessions and activities that reinforced company security policies and provided information on the latest security threats, challenges and trends. This week on the blog, we'll share some of the key tips and information we learned to benefit our readers.

Who are criminals targeting?
In March, we highlighted key findings of the 2012 Verizon Data Breach Investigations Report (DBIR). As in years past, the hospitality, retail and financial sectors topped the list. Criminals go where there's money to be made, and these industries handle a high volume of card transactions. Within these industries, a whopping 67% of breaches occurred in smaller organizations (Level 3 and 4 merchants) that typically don't have the staff or resources for a full-time security department.

How are attackers gaining access?
It is important to remember that most data thieves are professional criminals deliberately trying to steal information they can turn into cash, so it makes sense that they target the "low-hanging fruit". The Verizon report shows a substantial increase in the number of breaches directly attributed to non-compliant smaller merchants and organizations, and the pattern suggests complacency, or even indifference, toward security at the companies that were hit. Whether your business is large or small, there are many ways thieves can attack it.

Stolen login credentials are the most common access point.  These credentials are often obtained through social engineering.  Social engineering employs many methods designed to manipulate a person into providing sensitive information that can be used to access personal data, plant a virus or otherwise gain access to your network.  Almost half (46%) of stolen credentials were obtained by telephone and 37% were obtained in person-to-person encounters, according to the Verizon report. 

Accommodation and food service providers should also be aware that POS terminals account for the highest share of user-device compromises (35%). Methods range from attaching skimming devices that capture cardholder data from magnetic stripes, to duplicating manager cards, to installing malware that logs keystrokes. Merchants should check that their POS application appears on the PCI Security Standards Council's list of validated (PA-DSS) payment applications and that their PIN entry devices appear on the Council's list of approved PTS devices.

One of the most surprising things revealed in the data breach studies is that it comes down to basic common sense, which as it turns out is not all that common.  Breach studies increasingly show signs that basic security practices are not being exercised. It is similar to leaving your home or your car unlocked and wondering why you had a break in.  Business owners who do not implement basic common sense security practices simply invite an attack and compromise.

What can you do to protect your business and customers?
The good news is there are some simple, basic steps you can implement that will have a big impact on your overall security risk.

  • Implement a firewall on remote access services.
  • Change default credentials of point-of-sale (POS) systems and other Internet-facing devices.
  • If a third party vendor is handling the two items above, make sure they’ve actually completed these tasks.
  • Make sure your POS runs a PA-DSS validated payment application (the PCI Council publishes the list), installed according to its implementation guide.
  • Eliminate PAN (Primary Account Number) data on-site.
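The last item only works if you know where PANs are actually sitting: in POS logs, spreadsheets, e-mail, backups. The script below is an added example written for this post, not a Merchant Link tool. It scans text for digit runs of card-number length that pass the Luhn check (which discards order numbers and other numeric fields), reports each hit, and masks it to the first six and last four digits, the most PCI DSS allows to be displayed. The POS log lines, device names and amounts are constructed for the example; the card numbers are the widely published Visa, Mastercard and American Express test numbers, not real accounts.

```python
import re
from typing import Optional

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# that is not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _pan_from_match(m: "re.Match") -> Optional[str]:
    """Strip separators and keep the candidate only if it is Luhn-valid."""
    digits = re.sub(r"[ -]", "", m.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in text, separators removed."""
    return [p for p in (_pan_from_match(m) for m in _CANDIDATE.finditer(text)) if p]


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every PAN in text with its masked form; other numbers are untouched."""
    def _sub(m: "re.Match") -> str:
        pan = _pan_from_match(m)
        return mask_pan(pan) if pan else m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_report(text: str) -> list:
    """(line number, masked PAN) for each hit: the list to hand to whoever owns cleanup."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample: POS log lines using the public Visa, Mastercard and
# American Express test numbers, plus an order number that is not a card number.
SAMPLE_LOG = """\
2012-07-05 14:22:10 POS01 sale approved card=4111 1111 1111 1111 amt=42.18 auth=093311
2012-07-05 14:23:41 POS01 sale approved card=5555-5555-5555-4444 amt=18.00 auth=114205
2012-07-05 14:25:02 POS02 sale approved card=378282246310005 amt=210.00 auth=771003
2012-07-05 14:26:55 POS02 order=1234567890123456 customer=8812 status=shipped
2012-07-05 14:27:12 POS02 sale approved token=tok_8f3a9c2e1b4d last4=1111 amt=9.50
"""

if __name__ == "__main__":
    for lineno, masked in scan_report(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
    print(redact(SAMPLE_LOG))
```

Run it against exported log directories and file shares rather than a single string; the Luhn filter keeps the false-positive rate low enough that every hit is worth a look. Finding a PAN in a log is itself the finding: the fix is to stop the application writing it, not just to mask the file.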

Still not sure how to proceed?  Partner with a payment security expert who can offer you guidance and support on an implementation strategy that makes sense for your business. 

Finally, ask yourself this question…
The impact of a data breach to any business can be very serious.  In addition to fines and legal fees, you may completely lose the ability to process credit cards.  Consider how much time and money you have available for security awareness training and PCI compliance and ask yourself “What is my company’s reputation worth?”  Would you shop at a store or use a bank that allowed your credit card number to be stolen?

The big day is just around the corner.  With only days left, how can you show your significant other how much you care?

According to the New Online Spending Index from Javelin Strategy & Research, 19 percent of shoppers will spend more money on gifts.

The National Retail Federation (NRF) conducts an annual Valentine's Day Consumer Intentions and Actions survey, and this year it found that the average person will spend more than at any time in the past 10 years, bringing total spending to $17.6 billion.

Shopping surges happen throughout the year and it often makes us wonder if merchants are prepared to secure all that consumer payment data.  Both of these recent surveys indicate that safe and secure shopping is critical for both online and traditional brick and mortar merchants.  Flowers and chocolates are always favorite gifts around this time of year, but according to Javelin, 60 percent of those surveyed plan on purchasing something else.

Jewelry merchants should be especially vigilant. Last year, the day after Valentine’s Day, several jewelry stores were under attack from hackers.  Day’s Jewelers, with five stores across Maine and New Hampshire, suffered a breach from outside hackers and nearly 1,000 customers who purchased items from Day’s reported fraudulent activity on their cards.

So don’t let the big day break any hearts or wallets.  Retailers must protect that trust of their customers and can do so by following a few simple tips that we often talk about on this blog:

  • It’s all in the heart — of the network that is. Every retailer should understand where cardholder data is stored on the network. Are there proper security controls in place to protect this data? Ensure data is properly protected according to PCI standards.
  • Focus on the relationship. It's not just technology, it's people and processes, and how they all connect and work together. Merchants must educate and train staff to understand network security policies and procedures.
  • Know when it’s time to move on. As in every relationship, there are times when you need to take stock of things and let go.  The same holds true for information stored on the network. Merchants tend to hold on to data when in reality, this information can be easily removed from the system which in turn minimizes the cardholder data environment and security risk.

We hope that merchants take these tips to heart and maintain strong relationships and the loyalty of their customers.

By Beth McGarrity

Verizon Business just issued the results of its 2011 Payment Card Industry Compliance Report and the findings are a bit sobering.  More than three-quarters of enterprises audited in the past two years for compliance with the Payment Card Industry Data Security Standard failed to pass their initial evaluation.

Of the 100 firms evaluated by accredited Verizon assessment teams, only 21 percent were found fully compliant at the completion of their Initial Report on Compliance (IROC), meaning that 79 percent of the organizations evaluated essentially failed the first test.

In addition, according to Verizon, these findings indicate a pattern of backsliding after organizations achieve compliance.  The reasons for this are likely fatigue and complacency.  Businesses may think that compliance is not something that needs to be constantly monitored and updated.

The report revealed that the requirements organizations are struggling with the most are:

  • 3 – Protect stored cardholder data
  • 10 – Track and monitor access
  • 11 – Regularly test systems and processes
  • 12 – Maintain security policies

When it comes to protecting stored cardholder data and reducing PCI scope, one of the most effective ways to do that is by implementing a tokenization solution. The PCI Council recently stated that “storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.”

As Jen Mack, director of PCI Consulting Services for Verizon, highlighted in an interview with, failure to meet PCI compliance standards can leave organizations vulnerable to breaches. “Are more breaches possible? Honestly, I think it’s a real possibility, unless these organizations get serious,” says Mack.

Tokenization offers added layer of security to spa management software while reducing PCI scope

Merchant Link, a leading provider of payment gateway and data security solutions, today announced that its TransactionVault™ tokenization solution now fully integrates with industry leading spa and activity management software SpaSoft, providing an extra layer of payment security — while helping meet PCI compliance requirements — for spas and resorts.

Offered by PAR Springer-Miller, SpaSoft is a management and scheduling software solution for spas and resorts that now integrates with Merchant Link's next-generation tokenization solution, which removes customer credit card data from the systems where it would be at risk from hackers. The data is instead stored in Merchant Link's hosted vault. The combined solution helps reduce the Payment Card Industry Data Security Standard (PCI DSS) scope of resorts, spas and health clubs.

JC Resorts, a leader in the management and operation of premium golf and resort properties, has selected and is piloting the combined solution.  Having installed SpaSoft with TransactionVault in two of their largest properties in San Diego and Laguna Beach, JC Resorts now has a higher level of confidence in the security of their financial transaction data.

“We are always looking for solutions that will help us best manage our business while also ensuring that all of our transactions are fully secure,” said Diane Li, Chief Information Director, JC Resorts. “In addition, meeting current PCI compliance requirements can be very challenging. The new integration between SpaSoft and TransactionVault will allow us to be compliant and have the peace of mind knowing that we are ultimately protecting our guests.”

Since 2006, SpaSoft has interfaced with Merchant Link's payment gateway solution, and the integration with TransactionVault reinforces PAR Springer-Miller's commitment to providing data security and PCI compliance solutions to its customers and users. SpaSoft is currently in use in more than 900 locations.

“Providing tokenization with TransactionVault enhances the SpaSoft complete spa management solution. Our clients appreciate our system which is both feature-rich and fully secure when it comes to processing debit and credit card transactions,” said Victor Vesnaver, Senior Vice President, Sales and Marketing, PAR Springer-Miller Systems.  “Unfortunately, data breaches in the hospitality sector are on the rise and this new integration allows resort and spa operators to protect their guests from having their card information compromised.”

The PCI Security Standards Council recently released its tokenization guidance, which aims to provide greater clarity about how tokenization solutions relate to PCI DSS and impact compliance. In addition, the TransactionVault solution has been proven to significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released by Coalfire Systems.

“Hospitality providers are constantly facing the threat of nefarious hackers who are very persistent in their efforts to obtain guest’s vital information,” said Dan Lane, President and CEO of Merchant Link.  “By integrating TransactionVault into SpaSoft, we are offering hospitality providers the most comprehensive line of defense against cyber criminals.”

About SpaSoft and PAR Springer-Miller Systems

An industry standard for more than 10 years, SpaSoft is a fully integrated, dynamic activities management/scheduling software solution, specifically designed to meet the unique needs of resorts, day spas, medi-spas and health clubs. SpaSoft's integrated offering includes resource management, club membership, group management, inventory management, point-of-sale, yield management, loyalty program, user-defined and standardized reporting, as well as client management and history.

SpaSoft is one of the many products offered by PAR Springer-Miller Systems, Inc. (PSMS), the leading provider of hospitality management solutions. The extensive product line offered by PSMS meets the technology needs of all types of hospitality enterprises including city-center hotels, destination spa and golf properties, timeshare properties and casino resorts worldwide. For more information on SpaSoft or PAR Springer-Miller Systems, visit our website at

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world's best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at For our expert opinion on encryption, tokenization and PCI compliance, visit our blog at


Originally published by SC Magazine, reported by

The use of a tokenization solution does not eliminate a merchant’s need to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS), the industry group responsible for managing payment security guidelines said in a new document released Friday.

“The misconception is that I can buy one of these [tokenization solutions] and be PCI compliant,” Bob Russo, general manager of the PCI Security Standards Council, told “That’s not the case.”

A mature and properly deployed tokenization solution can, however, simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of the scope of the standard, according to the 23-page supplement released by the PCI Council.

Meanwhile, Sue Zloth, product group manager at payment data security provider Merchant Link, a member of the PCI Council’s tokenization task force, told on Friday that she believes the document is a good first step, though it may lead to some confusion and deter adoption.

Zloth took issue with a section that discusses the need to evaluate whether a token itself could be used – in lieu of cardholder data – to perform a transaction.

The document states that so-called “high-value tokens,” which can be used as a form of payment, could be monetized by an attacker or used to generate fraudulent transactions.

The council introduced a valid concern –  that certain tokens could be valuable to attackers — but “fell down” by failing to describe how a tokenization system could adequately protect tokens from being fraudulently used, Zloth said.

“A properly implemented system will know who is sending transactions and will not allow anyone to send transactions with a token,” she added.

To read this full story go to

By Sue Zloth

Today, the PCI Council officially released the Tokenization Guidelines document.  As a member of the task force, I can tell you that we’ve been working on this guidance for the better part of two years, so we are happy to see that it has finally been released publicly.  The guidance provides much-needed direction on how to implement a tokenization solution and how it may reduce the scope of the cardholder data environment (CDE).

Already, there have been a lot of questions and conversation around this.  In fact, a lot of buzz has been circulating early this morning.  The first question is “Does Merchant Link meet these guidelines?”  We do.  The second question is, “Are tokens in- or out-of-scope?”

Specifically, the guidelines state that to be considered out of scope for PCI DSS, the tokens would need to have no value to an attacker attempting to retrieve primary account numbers (PANs). In addition, the guidelines state that tokens that can be used to perform a transaction can be in scope for PCI DSS, even if the tokens can't directly be used to retrieve the PAN or other cardholder data. For solutions that support these types of tokens, the guidelines state that there must be additional controls in place to detect and prevent fraudulent transactions. This is where I feel the Council's document fell short: it introduced the concept that tokens may potentially be back in scope without providing guidance on how to keep them out of scope.

Here at Merchant Link, we developed our TransactionVault™ tokenization solution to minimize the risk of cardholder data theft for our merchants. We use multiple layers of authentication to confirm that the originator of a tokenization, de-tokenization or payment request is an authorized user. For example, we won't simply accept a transaction request from anyone. They need to authenticate themselves to us before we will perform their transaction request.

Additionally, our tokens can only be used to perform a transaction at the merchant that was the original recipient of the token.  If we receive a request to perform a transaction using that token from any other merchant, it won’t work.

But ultimately, what we urge for all of our merchants is a layered approach utilizing point-to-point encryption and tokenization together, providing the needed level of security to protect cardholder data and reduce the risk. The Council agrees and is pushing merchants to combine both technologies.
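To make the two controls discussed above concrete (authenticating the originator of every request, and binding a token to the merchant it was issued to), here is an added example written for this post. It is not Merchant Link's TransactionVault code: the merchant IDs, the request fields, the HMAC-SHA256 request signature and the nonce-based replay check are assumptions chosen for illustration. The vault issues random tokens (nothing in the token can be used to recover the PAN), never exposes de-tokenization to merchants, and rejects a charge when the signature is wrong, the nonce has been seen before, or the token was issued to a different merchant.

```python
import hmac
import hashlib
import secrets


class VaultError(Exception):
    """Request rejected by the tokenization service."""


def sign(secret: bytes, *fields: str) -> str:
    """Client-side request signature: HMAC-SHA256 over the pipe-joined request fields."""
    return hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical hosted vault: merchants obtain tokens and charge them, never de-tokenize."""

    def __init__(self) -> None:
        self._merchant_keys = {}   # merchant_id -> API secret shared at enrollment
        self._tokens = {}          # token -> (issuing merchant_id, pan)
        self._seen_nonces = set()  # replay protection for signed requests

    def enroll(self, merchant_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._merchant_keys[merchant_id] = key
        return key

    def _authenticate(self, merchant_id: str, nonce: str, signature: str, *fields: str) -> None:
        key = self._merchant_keys.get(merchant_id)
        if key is None:
            raise VaultError("unknown merchant")
        expected = sign(key, merchant_id, nonce, *fields)
        if not hmac.compare_digest(expected, signature):
            raise VaultError("bad signature")
        if nonce in self._seen_nonces:          # same signed request sent twice
            raise VaultError("replayed request")
        self._seen_nonces.add(nonce)

    def tokenize(self, merchant_id: str, nonce: str, signature: str, pan: str) -> str:
        self._authenticate(merchant_id, nonce, signature, "tokenize", pan)
        token = "tok_" + secrets.token_hex(12)  # random: no mathematical path back to the PAN
        self._tokens[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, nonce: str, signature: str, token: str, amount: str) -> dict:
        self._authenticate(merchant_id, nonce, signature, "charge", token, amount)
        entry = self._tokens.get(token)
        if entry is None or entry[0] != merchant_id:
            raise VaultError("token not issued to this merchant")
        _, pan = entry
        # The PAN goes from here to the processor (not shown); the merchant only gets last4.
        return {"approved": True, "amount": amount, "last4": pan[-4:]}


def _attempt(fn, *args) -> str:
    """Run a vault call and report the outcome as a string."""
    try:
        fn(*args)
        return "accepted"
    except VaultError as e:
        return str(e)


def demo() -> dict:
    """Walk through the legitimate flow and three misuse attempts with a stolen token."""
    vault = TokenVault()
    spa_key = vault.enroll("spa-001")        # constructed merchant IDs
    hotel_key = vault.enroll("hotel-002")
    pan = "4111111111111111"                  # public Visa test number, not a real account
    results = {}

    n1 = secrets.token_hex(8)
    token = vault.tokenize("spa-001", n1, sign(spa_key, "spa-001", n1, "tokenize", pan), pan)
    results["token"] = token

    n2 = secrets.token_hex(8)
    sig2 = sign(spa_key, "spa-001", n2, "charge", token, "42.00")
    results["charge"] = vault.charge("spa-001", n2, sig2, token, "42.00")

    # The same signed request captured off the wire and sent again.
    results["replay"] = _attempt(vault.charge, "spa-001", n2, sig2, token, "42.00")

    # The token stolen from the spa and presented by another enrolled merchant.
    n3 = secrets.token_hex(8)
    sig3 = sign(hotel_key, "hotel-002", n3, "charge", token, "42.00")
    results["other_merchant"] = _attempt(vault.charge, "hotel-002", n3, sig3, token, "42.00")

    # The token and the spa's merchant ID, but no API secret to sign with.
    n4 = secrets.token_hex(8)
    results["no_secret"] = _attempt(vault.charge, "spa-001", n4, "0" * 64, token, "42.00")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the three rejections is the one made above: a token that can be used for a transaction only has value to an attacker if the service will act on it without knowing who is asking. Require authentication on every request and tie each token to its issuing merchant, and a leaked token on its own buys the attacker nothing.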

By Sue Zloth

When Google made the announcement that it was launching a new mobile wallet backed by MasterCard and Visa, we knew that the industry needed to get a better hold on mobile payment security standards.

So what has the PCI Council thought about all of this?

The Council has been evaluating mobile communication devices and the payment application landscape.  The current focus is on determining the need for advice, guidance or re-evaluation of existing PCI requirements for mobile payment transactions.

Recently, the Council issued a statement on PA-DSS and mobile payment acceptance applications that provides specific detail on the types of mobile payment acceptance applications that can meet PA-DSS requirements, and those that require additional examination from the Council.

The Council’s Mobile Working Group, which includes representatives of each payment brand, put mobile payment acceptance applications into three categories based on type of underlying platform [according to  guidance document]:

  • Mobile Payment Acceptance Application Category 1 – Payment applications that operate only on a PTS-approved mobile device.
  • Mobile Payment Acceptance Application Category 2 – Payment applications that meet all of the following criteria:
    • the payment application is only provided as a complete solution, bundled with a specific mobile device by the vendor;
    • the underlying mobile device is purpose-built (by design or by constraint) with the single function of performing payment acceptance; and
    • the payment application, when installed on the bundled mobile device (as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application's Report on Validation), provides an environment that allows the merchant to meet and maintain PCI DSS compliance.
  • Mobile Payment Acceptance Application Category 3 – Payment applications that operate on any consumer electronic handheld device (e.g., smartphone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.

Guidance in the third category is not being addressed by the Council at this time.  It is a very important category given the growing trend of mobile payments and it needs to be addressed.  However, in the meantime, the Council plans to release additional guidance on the other categories by the end of 2011.

Independent Assessment by Industry Leading PCI QSA, Finds That Merchant Link’s Encryption and Tokenization Solutions Enhance Transaction Security for Merchants.

Merchant Link’s TransactionShield™ and TransactionVault™ solutions can significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released today by Coalfire Systems, Inc, a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) company.

Merchant Link’s TransactionShield is a point-to-point encryption (P2PE) solution that ensures that customer data is secure from the moment their credit card is swiped.  Merchant Link’s TransactionVault tokenization solution removes customer credit card data where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted vault.  The combination of TransactionShield and TransactionVault secure both data in-flight and data at rest, and reduce the cost and effort of attaining and maintaining PCI compliance.

“Merchants continue to be plagued by data breaches caused by inadequate security controls or applications which allow access to sensitive payment card data,” said Kennet Westby, president and COO of Coalfire. “Merchant Link’s comprehensive offering including both tokenization and encryption can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.”

“Merchants are currently burdened with having to keep all customer data secure while also meeting challenging PCI requirements,” said Dan Lane, President and CEO of Merchant Link. “Coalfire’s assessment of our P2PE and tokenization solutions further validates that Merchant Link can provide transaction security solutions that go beyond current PCI requirements, ultimately allowing merchants to focus on their core businesses.”

Coalfire’s assessment, which included technical testing, architectural assessment, industry analysis, compliance validation and peer review, found that:

  • TransactionShield will leverage multiple encrypting point of interaction (POI) devices deployed in the merchant network and a Merchant Link-hosted decryption system which eliminates the transmittal of cleartext cardholder data through the entire merchant network.
  • TransactionVault can eliminate post authorization storage of cardholder data from a merchant’s network by storing it in Merchant Link’s PCI DSS compliant data centers.
  • TransactionShield is aligned with the Visa Best Practices for Data Field Encryption published by Visa in October 2009, as well as the guidance in the Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance published by the PCI SSC in October 2010.
  • TransactionVault is aligned with the Visa Best Practices for Tokenization published by Visa in July 2010.
  • Properly deployed, implementation of the TransactionShield and TransactionVault solutions together can effectively remove merchant retail POS systems from the scope of PCI DSS by:
    • Capturing card data only via a TransactionShield integrated POS application and encrypting Point of Interaction (POI) device;
    • Strongly encrypting card data at the TransactionShield point of capture in a secure, restricted access, encrypting POI device, where the merchant has no ability to decrypt the card data;
    • Storing only card data tokens post authorization as returned by TransactionVault.
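The three bullets above describe a data flow: capture in the POI device, encryption under keys the merchant never holds, decryption only at the host, and a token coming back. The following is an added illustration of that flow written for this page; it is not Merchant Link's TransactionShield or TransactionVault implementation. The key hierarchy (a base key held only by the host, a per-device key injected at provisioning, per-transaction keys derived from a counter), the HMAC-SHA256-based stream cipher with an encrypt-then-MAC tag, the message layout and the device serial are all simplifications assumed so the example runs on the Python standard library. A real P2PE deployment uses a hardware-protected key store, a standard cipher such as AES and a standard key-management scheme such as DUKPT; the property demonstrated is the same, namely that the merchant's POS and network only ever carry ciphertext they cannot open.

```python
import hmac
import hashlib
import secrets

# Base derivation key: in a real deployment this lives only in the host's HSM.
# Constructed for the example; never hard-code keys in production.
HOST_BDK = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)

VAULT = {}  # token -> pan, host side only (stand-in for the hosted vault)


def derive_device_key(bdk: bytes, serial: str) -> bytes:
    """Key injected into one POI device at provisioning; the merchant never receives it."""
    return hmac.new(bdk, b"device:" + serial.encode(), hashlib.sha256).digest()


def derive_tx_keys(device_key: bytes, counter: int) -> tuple:
    """Per-transaction encryption and MAC keys. The counter must never repeat per device."""
    ctr = counter.to_bytes(4, "big")
    enc = hmac.new(device_key, b"enc:" + ctr, hashlib.sha256).digest()
    mac = hmac.new(device_key, b"mac:" + ctr, hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC in counter mode as a keystream (illustrative; AES-CTR/GCM in practice)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _tag(mac_key: bytes, serial: str, counter: int, ct: bytes) -> str:
    return hmac.new(mac_key, serial.encode() + counter.to_bytes(4, "big") + ct,
                    hashlib.sha256).hexdigest()


def poi_encrypt(device_key: bytes, serial: str, counter: int, pan: str) -> dict:
    """Runs inside the POI device: the PAN leaves it only as ciphertext plus a tag."""
    enc_key, mac_key = derive_tx_keys(device_key, counter)
    ct = _xor(pan.encode(), _keystream(enc_key, len(pan)))
    return {"serial": serial, "counter": counter, "ct": ct.hex(),
            "tag": _tag(mac_key, serial, counter, ct)}


def host_decrypt(bdk: bytes, message: dict) -> str:
    """Runs in the host's decryption environment; re-derives the keys from the BDK."""
    device_key = derive_device_key(bdk, message["serial"])
    enc_key, mac_key = derive_tx_keys(device_key, message["counter"])
    ct = bytes.fromhex(message["ct"])
    expected = _tag(mac_key, message["serial"], message["counter"], ct)
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("tag mismatch")  # altered in transit or wrong device/counter
    return _xor(ct, _keystream(enc_key, len(ct))).decode()


def host_authorize(bdk: bytes, message: dict) -> dict:
    """Decrypt, authorize (simulated) and hand the merchant only a token and last four."""
    pan = host_decrypt(bdk, message)
    token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
    VAULT[token] = pan                      # PAN retained post-authorization only here
    return {"approved": True, "token": token, "last4": pan[-4:]}


def tamper_detected(bdk: bytes, message: dict) -> bool:
    """True if the host rejects a message whose ciphertext was altered on the way."""
    altered = dict(message)
    ct = bytearray(bytes.fromhex(message["ct"]))
    ct[0] ^= 0x01
    altered["ct"] = ct.hex()
    try:
        host_decrypt(bdk, altered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Provisioning: the device key is injected once; the merchant POS never sees it.
    device_key = derive_device_key(HOST_BDK, "POI-0001")
    msg = poi_encrypt(device_key, "POI-0001", 1, "4111111111111111")  # public test PAN
    print("what the merchant network carries:", msg)
    print("what the merchant gets back:", host_authorize(HOST_BDK, msg))
```

Two things to check in any real deployment follow directly from this structure: that the decryption keys genuinely cannot be reconstructed from anything on the merchant's premises (otherwise the POS is back in scope), and that the per-transaction counter or key-serial number never repeats for a device, since reuse of a stream-cipher key lets an attacker XOR two ciphertexts together.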

To learn more about Merchant Link’s TransactionShield and TransactionVault, and obtain the report, click here.

About Coalfire

Coalfire is a leading, independent IT Audit and Compliance firm that provides information technology (IT) audit, security assessment and IT compliance management solutions.  The company has grown rapidly since being founded in 2001 and now completes more than 1,000 projects annually in retail, financial services, healthcare, government and utilities.  Coalfire has developed a new generation of technology-enabled IT Compliance Management Tools under the Navis brand.  These tools enable Coalfire to efficiently deliver governance, risk and compliance (GRC) services and keep pace with rapidly changing regulations and best practices.  Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, including the PCI Data Security Standard, Gramm-Leach-Bliley Act, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, please visit
