Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘PCI Security Standards Council’

With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, it can invoke a certain amount of dread.

As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.

Merchants can ease the shopping process by arming themselves with the following questions. Asking them up front makes it easier to find a solution that meets their unique needs.

  1. Is the P2PE solution a hardware or software solution or both?
  2. Is the vendor well established in the payments industry?
  3. Does the solution encrypt both swiped cards and manually entered cards?
  4. Does the solution encrypt online transactions, as well as on-site or card-present transactions?
  5. Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
  6. Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
  7. What happens if the encrypting device fails? What is the fallback scenario?
  8. Where is the hardware security module (HSM) located in the solution? Where exactly is the data decrypted?
  9. Does the P2PE solution integrate with a tokenization system?
  10. Can the solution function effectively without tokenization?
  11. How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
  12. How does the vendor secure communication between their network and the merchant’s systems?
  13. Is the solution tamper resistant? What happens if an attempted breach occurs?
  14. Does the solution support format-preserving encryption?

As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.

By Michael Ryan

This week, our team is down in Arizona for the North American PCI Community Meeting. Each year we look forward to this event as it offers us a chance to network with Qualified Security Assessors (QSAs) and fellow Special Interest Group (SIG) members, as well as others in the community, and discuss the issues that are facing merchants both big and small.

In fact, the discussions are quite helpful, as this is really the time for the PCI Council to outline programs, resources and goals for the coming year. One of the most interesting aspects is learning what the Council will provide guidance on next.

Merchant Link has been a part of the SIGs for both tokenization and point-to-point encryption (P2PE) and continues to offer our expertise in an effort to provide guidance to merchants.

We were excited to see that right before the meeting this year, the Council announced guidelines for P2PE focused on hardware-based implementations. The 96-page document provides guidance on securing systems and devices, implementing monitoring and response processes, developing and maintaining secure applications, protecting sensitive data, and using secure cryptographic key management methodologies. Interestingly enough, the Council has said that even with these guidelines, merchants should only use applications that have been validated to be PCI compliant. This list is targeted to post on their website in spring 2012.

Perhaps this delay, along with the delays for the tokenization and virtualization guidelines, is why the Council is taking a new approach to SIGs. For 2012, each SIG will be staffed by a Council member to ensure that the group stays on task, and will have a term of only 12 months.

Over the last couple of months, many proposals were made for what guidance should come next. The proposals were short-listed and voting will take place on the PCI portal. I’m looking forward to seeing what’s on the agenda for next year.

Originally published by SC Magazine, reported by

The use of a tokenization solution does not eliminate a merchant’s need to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS), the industry group responsible for managing payment security guidelines said in a new document released Friday.

“The misconception is that I can buy one of these [tokenization solutions] and be PCI compliant,” Bob Russo, general manager of the PCI Security Standards Council, told “That’s not the case.”

A mature and properly deployed tokenization solution can, however, simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of the scope of the standard, according to the 23-page supplement released by the PCI Council.

Meanwhile, Sue Zloth, product group manager at payment data security provider Merchant Link, a member of the PCI Council’s tokenization task force, told on Friday that she believes the document is a good first step, though it may lead to some confusion and deter adoption.

Zloth took issue with a section that discusses the need to evaluate whether a token itself could be used – in lieu of cardholder data – to perform a transaction.

The document states that so-called “high-value tokens,” which can be used as a form of payment, could be monetized by an attacker or used to generate fraudulent transactions.

The council introduced a valid concern, that certain tokens could be valuable to attackers, but “fell down” by failing to describe how a tokenization system could adequately protect tokens from being fraudulently used, Zloth said.

“A properly implemented system will know who is sending transactions and will not allow anyone to send transactions with a token,” she added.

To read this full story go to

By Tim Kinsella
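The supplement’s concern about “high-value tokens” and Zloth’s reply that a properly implemented system knows who is sending transactions come down to one design rule: a token should only be usable by the party it was issued to. The sketch below is an added illustration, not Merchant Link’s product or the Council’s guidance; it assumes the caller’s identity (`sender_id`) has already been authenticated by the transport between vendor and merchant, and it binds each token to its owning merchant with an HMAC so that a token presented by anyone else, or altered in transit, is rejected and logged rather than charged.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Constructed tokenization service for illustration (not Merchant Link's
    product). Every token is bound to the merchant that created it and carries
    an HMAC tag, so a token that is stolen, forged or replayed by another
    party cannot be turned into a transaction."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._vault = {}      # token -> (owning merchant, PAN); never leaves the vault
        self.rejections = []  # rejected uses, fed to monitoring

    def _tag(self, merchant_id: str, body: str) -> str:
        msg = f"{merchant_id}:{body}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Replace a PAN with a random, merchant-bound token."""
        body = secrets.token_hex(8)
        token = f"{merchant_id}.{body}.{self._tag(merchant_id, body)}"
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, sender_id: str, token: str, amount: float) -> dict:
        """sender_id is assumed to be the identity already authenticated by
        the transport (for example mutual TLS between vendor and merchant)."""
        def reject(reason: str) -> dict:
            self.rejections.append((sender_id, token, reason))
            return {"ok": False, "reason": reason}

        parts = token.split(".")
        if len(parts) != 3:
            return reject("malformed token")
        mid, body, tag = parts
        # Integrity: the tag must match for the merchant named in the token.
        if not hmac.compare_digest(tag, self._tag(mid, body)):
            return reject("bad token tag")
        # Binding: only the merchant that owns the token may transact with it.
        if sender_id != mid or token not in self._vault:
            return reject("token not usable by this sender")
        # Detokenize only here, inside the vault; hand back no PAN to the caller.
        pan = self._vault[token][1]
        return {"ok": True, "last4": pan[-4:], "amount": amount}
```

The `rejections` list is the hook for the monitoring the Council’s guidance calls for: a token showing up from a sender that did not create it is exactly the signal that a token store or a merchant channel has been compromised.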

My kids are like most kids. They are into most sports, particularly baseball and basketball, and hanging out with friends. More recently, video games have taken their place in our household. So when I saw that there was a major security breach on the PlayStation Network, I realized that my world and my kids’ world had collided.

My immediate response was to make sure that my credit card information was safe.

Thankfully, all the credit card information on the system was encrypted, preventing the hackers from obtaining this valuable data. Unfortunately, not all the data was encrypted, leaving the 77 million users still vulnerable to some kind of identity theft.

It got me thinking about security standards. Most credit card merchants today realize the impact of a breach. We’ve been educating merchants for years on using tokenization and encryption solutions to protect sensitive payment data. So why don’t all companies utilize encryption or tokenization solutions to protect their customers’ data? And if they do, why aren’t they using encryption for all important data?

The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for companies that process credit card information in order to prevent theft or fraud. One requirement is to encrypt any cardholder data that is transmitted over public networks. The fact is that all data that can be used for fraud needs to be evaluated and protected. Being compliant is not enough; rather, it is just the beginning. Too many merchants believe that compliance equals data security. In reality, compliance is a step toward true data security. In the end, it is safer for companies to remove this data from their systems entirely.

When personal and financial information can be threatened, merchants need to take greater measures to protect this vital data and to ensure the confidence of their customers.

Meanwhile, I have since turned off the gaming consoles and encouraged my kids to pick up a book instead.

By Beth McGarrity

Last year, the PCI Security Standards Council updated its three standards: the Payment Card Industry Data Security Standard (PCI DSS), the PIN Transaction Security (PTS) requirements, and the Payment Application Data Security Standard (PA-DSS). The Council believes that organizations around the world have begun to adopt these new standards, making financial transactions safer for everyone and moving us closer to a global standard.

Amidst the encouraging signs of progress, Eduardo Perez, chairman of the PCI Security Standards Council, reminds us in the April issue of SC Magazine that:

  • Technology can only go so far to protect you
  • People and processes are key to a strong security strategy
  • If you don’t need the data – don’t store it

Innovations in security technology will surely help organizations meet the latest PCI standards, but in order to realize effective results, merchants must be proactive about preventing breaches. Otherwise, game-changing technologies like tokenization and point-to-point encryption will not be effectively utilized.

Likewise, consumers should be cautious about where they do business and demand that merchants be accountable for their actions regarding credit card security.

As we all know, being PCI compliant will only go so far. Merchants must think “beyond compliance.”