Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘PCI’

Merchant Link is proud to announce the signing of a multi-year contract with Phoenix Managed Networks.

The deal will see Merchant Link offer its customers Phoenix’s award-winning Payment Card Industry Data Security Standard (PCI DSS) firewall service coupled with breach insurance. This latest product addition complements Merchant Link’s current portfolio and is designed to secure a merchant’s IT network and customer cardholder data while protecting businesses from the high costs of an attack.

The new firewall service is a cloud-based management service with an on-site security appliance that locks down the point-of-sale (POS) system and segregates payment traffic from all other corporate IT data.

Trevor Fall, Executive Vice President for North American Sales for Phoenix Managed Networks, commented “We are delighted to have signed with Merchant Link. They have an excellent market standing and a client base of tens of thousands of retail, hotel and restaurant businesses across the USA that will benefit from the added layers of security at the point-of-sale.”

The solution requires no technical expertise on the part of the user to install or manage, making it an ideal service for small-to-medium sized businesses or franchisees. The router further simplifies compliance with PCI standards. Key benefits include:

  • Addresses the PCI DSS requirement to install and maintain a firewall configuration.
  • Simplifies the process by pre-populating the PCI DSS Self-Assessment Questionnaire (SAQ) document.
  • Includes $100,000 of breach insurance in the event of a security breach.
  • Detects and blocks network intrusions or rogue devices being plugged into the network.
  • Guards the POS network from internal and external threats 24x7x365.
  • Assists network administrators by issuing real-time status alerts for potential network or security issues and monitoring staff productivity with available reports on Internet usage.
  • Ensures minimum business interruption with the option to connect to a 3G network in the event the existing wired connection fails.
  • Supported by a fully managed, PCI compliant, cloud-based system that configures and monitors each connection.

Fall added: “The Ponemon Institute recently reported that cyber-attacks have more than doubled over the past three years, while the financial impact increased by nearly 40 percent. It’s now essential businesses deploy the right mix of security solutions to detect and protect against evolving threats.”

Geoff Krieg, Vice President of Product Management for Merchant Link, said “We see this offering as particularly attractive for businesses that want an easy-to-implement firewall solution that meets PCI requirements and allows merchants to segment their network so that POS terminals are isolated from other PCs. We continually look to partner with innovative companies such as Phoenix Managed Networks to help us expand the breadth and depth of our services to merchants and look forward to embarking on a successful relationship.”


…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
…………………………………………………………………………………………………………………………………

Ten Ways To Secure Web Data Under PCI
by Robert Lemos
Whether they’re brick-and-mortar or online, merchants find the Payment Card Industry’s requirements for protecting credit card data challenging and confusing.
But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals’ crosshairs…

Gartner VP interview: Mobile and social top challenges for CIOs
by Roberta Prescott
Mobile and social technologies represent a departure from the information technologies that CIOs are used to, such as ERP and CRM. This change is one of the three fundamental questions IT leaders and CIOs are facing, according to Mark McDonald, Gartner group vice president and head of research in Gartner Executive Programs…

EMV Migration Gets Answer People
by John Adams
Other groups, such as the Smart Card Alliance, are also expanding EMV migration information sharing. The alliance, whose members include card manufacturers, payment processors and financial institutions, operates the EMV Migration Forum, an independent, cross-industry body to discuss issues that require cooperation and coordination across constituents in the payments space…

…………………………………………………………………………………………………………………………………
What other interesting content have you come across? Leave a comment below and join the discussion
…………………………………………………………………………………………………………………………………

Merchant Link is pleased to announce the addition of Ben Jared as Director of Business Development for its retail vertical. Previously Ben served as Area Sales Director for ACI Worldwide, Inc. and ISD Corporation, where he was instrumental in doubling their retail customer base within five years.

Jared joins Merchant Link with more than 26 years of sales, marketing, and product management experience within the financial, retail, and high tech industries. He brings deep expertise in domestic and international payment processing, payment security techniques, and PCI and PA-DSS compliance.

“Ben’s in-depth understanding of all sides of a retailer’s business – from technology to operations – allows him to take a consultative approach that busy CIOs appreciate as they navigate the complex world of payments today,” said Laura Kirby-Meck, Executive Vice President of Sales and Marketing for Merchant Link. “I’m confident Ben will be a huge asset as we continue expanding our presence in the retail market.”

“Merchant Link’s solutions have clear benefits for retailers looking for greater flexibility and peace of mind when it comes to payments and compliance,” said Jared. “I’m excited for the opportunity to draw upon my experience to drive growth in this channel.”

There is little question these days that tokenization is an effective way to secure sensitive data and potentially lower PCI compliance costs. What people are still debating is HOW you go about implementing a tokenization solution and what considerations must be made in doing so. What is the best token generation method? Should you build an in-house solution or work with a third party vendor? Is the tokenization process and storage facility secure? Do tokens expire? Is it possible for collisions to occur between tokens, or between tokens and real PAN information?

As is frequently the case, the answer to all these questions is… it depends. Safe to say that there is no “one size fits all” solution. In order to find a solution that works best, companies must review their environment, the size and type of their business, and match specific capabilities against their existing business processes.

Today we hope to “demystify” some common tokenization components and uncover the myths surrounding various implementation approaches. Let’s start by defining “tokenization”.

Simply put, tokenization is the process by which we replace a valuable piece of information with a meaningless number or token. While all types of sensitive data can be tokenized, for the purpose of this discussion, the data in question is the PAN or Primary Account Number.

MYTH #1
Randomly generated tokens are more secure than tokens generated using a sequential method.

According to the PCI Security Standards Council’s Tokenization Guidelines, the most important requirement in generating a token is that you cannot reverse engineer the token to derive the original PAN. Let’s look at an example.

Original Card Number
3872 3789 1620 3675

Token
3898 2783 2990 3675

In this example, another 16-digit number was created where the first 2 and last 4 digits of the PAN were retained, so the card type is still identifiable within the newly generated token. (In payment applications it is often advantageous to retain the 16-digit format of the original card number because other systems that use the card numbers need not be altered to accommodate the tokens. This is called “format-preserving” tokenization.) The resulting token cannot be used as a financial instrument and has no value other than as a reference to the original transaction or real account. The 10 digits in the middle can be generated using a random number generator or as part of a sequential counter. Either way, what is important is that there is no direct mathematical relationship between the credit card data and the token. As for those who claim the random method is more secure, the probability of someone “cracking the code” when it comes to the sequential method is akin to getting struck by lightning while inside the president’s secret underground bunker. I could go into more detail and explanation, but I’d need more space than this forum allows (and fear I’d lose some readers along the way).

MYTH #2
“Vaultless” tokenization is faster and more scalable than a “vaulted” solution.

There have been some articles suggesting that as the token vault grows, performance is affected and token “collisions” may occur. A token collision refers to a scenario where the same token could be generated for two different PANs. Another concern is tokens that are generated that turn out to be the actual PAN of another cardholder.

From the perspective of a traditional database model, it’s not unreasonable to assume that as a token database grows, token generation or retrieval requests could lead to latency issues. However, vendors with vast experience and expertise in “vaulted” tokenization methodology have designed systems to account for growth over time. Their network architecture is well thought out, thoroughly tested, and secure. Their transactions flow in ways that allow for multiple processes to occur in tandem so transactions can be routed immediately for processor approval or funding.

The devil is really in the details, and rather than lead you down another rabbit hole discussion, suffice to say that you shouldn’t believe every blanket claim you read. Ask prospective tokenization providers about their specific methodology and how they prevent latency and collisions.

Another important question to ask, particularly in a “vaultless” tokenization scenario, is how you will retrieve a PAN if you need it. Problems and issues sometimes occur, and it’s important that vendors are able to quickly and securely access information and offer support in resolving any problems. The system requesting the PAN should be a validated system authorized to perform the request. The use of multi-factor or certificate-based authentication can address this need. In addition, there should also be a system of monitoring and alerts to ensure the request is from a valid source and to bring awareness to any abnormal activity.
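To make the two points above concrete (Myth #1: the token must have no mathematical relationship to the PAN, whether its middle digits come from a random generator or a counter; Myth #2: collisions, tokens that happen to be a real PAN, and controlled PAN retrieval), here is a small vaulted, format-preserving tokenizer. It is an added example written for this post, not Merchant Link’s TransactionVault or any vendor’s product. The in-memory dictionaries stand in for a real vault (which would be an encrypted, access-controlled store), and the AUTHORIZED_REQUESTERS allow-list and the requester names are assumptions made up for the illustration.

```python
import secrets
from datetime import datetime, timezone

# Hypothetical allow-list of systems permitted to ask for the real PAN.
AUTHORIZED_REQUESTERS = {"settlement-service", "chargeback-desk"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check, i.e. could be a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a token vault: the dicts below would be an encrypted datastore."""

    def __init__(self, method: str = "random"):
        if method not in ("random", "sequential"):
            raise ValueError("method must be 'random' or 'sequential'")
        self.method = method
        self._counter = 0
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        self.audit_log: list[dict] = []  # every detokenize attempt is recorded here

    def _middle_digits(self) -> str:
        """The 10 replaced digits: CSPRNG output or a plain counter.
        Neither is derived from the PAN, which is the property the PCI guidance requires."""
        if self.method == "random":
            return f"{secrets.randbelow(10**10):010d}"
        self._counter += 1
        return f"{self._counter:010d}"

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("this example handles 16-digit PANs only")
        if pan in self._pan_to_token:  # the same PAN always maps to the same token
            return self._pan_to_token[pan]
        head, tail = pan[:2], pan[-4:]  # keep first 2 and last 4 digits, as in the post
        while True:
            token = head + self._middle_digits() + tail
            if token == pan:  # would hand the PAN itself back as the "token"
                continue
            if token in self._token_to_pan:  # collision with an already issued token
                continue
            if luhn_valid(token):  # could be some other cardholder's real PAN
                continue
            break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, requester: str) -> str:
        """Return the PAN only to an authorized requester; log every attempt either way."""
        permitted = requester in AUTHORIZED_REQUESTERS
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "token": token,
            "granted": permitted and token in self._token_to_pan,
        })
        if not permitted:
            raise PermissionError(f"detokenize denied for {requester!r}")
        return self._token_to_pan[token]  # KeyError for a token that was never issued

    def denied_attempts(self) -> dict[str, int]:
        """Denied retrievals per requester: the raw material for an abnormal-activity alert."""
        counts: dict[str, int] = {}
        for entry in self.audit_log:
            if not entry["granted"]:
                counts[entry["requester"]] = counts.get(entry["requester"], 0) + 1
        return counts


if __name__ == "__main__":
    vault = TokenVault("sequential")
    token = vault.tokenize("3872 3789 1620 3675")  # the post's sample PAN
    print("token:", token)
    print("PAN for settlement:", vault.detokenize(token, "settlement-service"))
```

With the sequential method the first token issued for the post’s sample PAN is 3800000000013675: the counter value is visible, but it still tells an attacker nothing about the ten PAN digits it replaced, which is the point of Myth #1. The Luhn rejection in tokenize is what prevents a token from accidentally being a valid card number, and the audit log plus denied_attempts is the minimal form of the monitoring the post asks vendors about.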

MYTH #3
Home grown or premise-based tokenization is better than using cloud-based or third-party vendor hosted tokenization.

As stated earlier, there is no “one size fits all” solution that works best in all circumstances. There are many factors to consider when selecting a tokenization solution that fits your business needs, security and PCI goals. Home grown and premise-based solutions offer you total control over the tokenization implementation but require a great deal of expertise not typically found in the average IT department. “Vaultless” tokenization is effective for large data-to-token conversions and higher-volume merchants, but additional questions should be considered for the handling of recurring payments, credits, refunds and other business practices that require the recall of a specific transaction or card number. Token requests and retrieval of the original payment data can put the segments of the merchant network infrastructure involved back into the cardholder data environment (CDE).

For merchants looking to reduce their PCI scope as much as possible, cloud-based or hosted tokenization is an attractive option. With a cloud-based solution, stored PAN data is completely removed from the local IT environment. The card data is stored in a secure off-site “vault”, safe from hackers attempting to gain access to sensitive information. Hosted tokenization allows the merchant to run their business without the worry of possible data theft as well as the added benefit of reducing PCI scope and costs.

Yes, there is much to consider when selecting a tokenization strategy but the process shouldn’t require the average merchant to spend their valuable time researching every component. By partnering with a reputable and well established solution provider, understanding the basic concepts of tokenization and asking good questions, you can find a tokenization solution that fits both your security goals and your budget. We invite you to share your experiences, questions and comments below.

By Sue Zloth

Drum roll please…in case you missed it, the new PCI Data Security Standard 2.0 (PCI DSS) and the Payment Application Data Security Standard 2.0 (PA-DSS) were released by the PCI Security Standards Council late last week.

The Council released the latest version to provide “greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants” according to the announcement. Version 2.0 will become effective for merchants on January 1, 2011.

So, with the new standards in place, now what?

  • Should merchants continue their current efforts in becoming PCI DSS compliant under v1.2?
  • Do merchants need to stop their efforts to focus on becoming compliant under PCI DSS v 2.0 in preparation for the New Year?
  • Will the “validation” documents on encryption and tokenization require additional changes?

Luckily for merchants, version 2.0 doesn’t introduce any major new requirements, and most of the changes are geared towards clarification of the existing requirements. Moreover, merchants who are well down the path of complying with v1.2 are not required to restart their efforts and comply immediately with the new standard, since the old 1.2 standard is valid until December 31, 2011. However, if a merchant hasn’t started yet, they should look to achieve compliance against the 2.0 spec (it is valid now for merchants).

Regarding point-to-point encryption and tokenization, the Council is simply offering guidance. Last month they released guidance on P2PE, and before the end of the year, guidance on tokenization will be released from the Special Interest Group (SIG) that I sit on. We don’t expect that merchants will have to comply with any additional requirements, although once all of the documents are released, merchants will need to make sure that their providers comply with the P2PE and tokenization requirements.

The Council understands that merchants need more clarity regarding the standards, and small merchants, in particular, are struggling to ensure compliance with limited resources and knowledge. In fact, just this past week Troy Leach, the Council’s CTO, was sitting on a panel next to our CTO, Dan Lane, at an industry conference. He highlighted the changes and discussed how the Council will be taking proactive steps to ensure merchants have the tools needed to understand exactly what is going to be required of them.

By Sue Zloth

The Merchant Link team is back in the office today after a great few days at the PCI Community Meeting in Orlando. It was fantastic to catch up with our customers, prospects, and partners on the show floor, and my mind is busy mulling over what I learned in the sessions about the upcoming changes to the PCI standard.

What struck me most about this year’s show was how attendance has grown for the meeting; this year, there were more than 1000 participants. From this level of participation it is clear that organizations are taking their PCI obligations very seriously. The increased participation also changes the nature of the meeting from a niche event to one where there are a lot of networking opportunities and avenues for discussion. I believe it demonstrates a maturity in the industry.

However, I also think the overwhelming attendance hints at how eager people are for clarification of the standard and for any additional information. While there was still a lot of ‘wait and see’ at the meeting itself, the PCI SSC has demonstrated a clear commitment to providing additional guidance with the announcement of guidance documents on End-to-End Encryption and Tokenization and a revamped, easier-to-use website.

The guidelines will be released on October 5th and will provide clarification on how a properly implemented End-to-End Encryption (E2EE) solution will simplify the PCI compliance process by reducing scope.

But now that this meeting is over, the hard work of making sure that good security practices guide every decision continues. For me, I’m looking forward to getting back into working with our customers as they implement Merchant Link’s TransactionVault® and End-to-End Encryption solutions and continuing my work on the PCI Scoping SIG for Tokenization.

by Scott Franklin

Often, the thought of improving your company’s data security posture seems overwhelming. Not only are there questions of what to secure, but larger questions often arise about the desired end-state and how best to overcome the numerous obstacles that arise when implementing any security or compliance program. For example, should compliance be the desired end-state, or is a broader notion of security a more appropriate goal? Equally, should data security be treated solely as a technology problem, or is it better to treat it as a business problem and push for board-level visibility?

Before too many possibilities start swimming in your head, here are 8 steps to help simplify your thinking:

1. Know where and how any PCI-related data, or other sensitive information, is stored, processed, or transmitted throughout your organization. This can be done by identifying all systems, processes, and interaction points that involve the acceptance, storage, processing, and transmission of credit card data. Consider how you manage and secure paper and electronic documents that contain sensitive data as well as what happens to any recorded Voice over IP calls. As part of that process develop an understanding of who has access to this sensitive data and consider limiting access based on user roles.

2. Know what is on your network and how your network is accessed. Inventory management is an important first step in improving your company’s data security posture. While taking stock of legitimate computers and WiFi access points, your IT team should also be on the lookout for rogue computers, insecure remote access points, and open wireless networks. One often overlooked source of access in hotels is a co-mingled guest/hotel business network. For the protection of all parties, the guest network and the hotel business network should both be protected by firewalls and maintain fully independent infrastructure.

3. Make security and compliance everyone’s responsibility. Remember that compliance is not just an IT security problem, it’s a business issue, and to be effective, it requires all employees to support and enforce the effort. Awareness campaigns are just the beginning of a more rigorous educational effort to promote awareness of organizational policies and procedures from the C-suite to the front desk.

4. While it’s tempting to store every last piece of data, a prudent company will retain data only as long as it’s required for business purposes and not a day longer. While this applies broadly to all data, it is particularly important to keep customer data no longer than absolutely needed. The bottom line here is that cyber thieves can’t steal what you don’t have; if you don’t have customer data hanging around, there’s nothing to steal!

5. Develop an Information Security (or Data Security) Plan/Program that addresses both internal and external threats. Make sure the plan covers all aspects of data security and protection and addresses all key constituents, including vendors, contractors, and partners. And then educate, educate, educate!

6. Make sure you’re using the right tool for the job. Tokenization and end-to-end encryption solutions can help provide protection of sensitive data throughout the entire operational life cycle. Using solutions such as these will reduce your PCI burden, result in bottom-line savings, and generally enhance the overall security posture of your company. Consider also using PCI compliant (PA-DSS validated) PMS systems and use TRSMs when possible.

7. While some aspects of your new data security plan do require spend, there are many steps that can be taken inexpensively (but have excellent return on investment), and some that are entirely free. For example, the use of strong passwords that are changed regularly (and always changed when new systems are installed) is completely free and an incredibly effective technique to increase your security posture. Another freebie is to update systems regularly; implement a patch management program to make sure all OS and application patches are installed in a timely fashion and make sure that unnecessary accounts are removed from systems. Other low-cost solutions include using endpoint protection software, such as anti-virus software, deploying firewalls, and conducting regular web application security scans.

8. And finally, don’t be afraid to ask for help. Your vendors should be able to assist you with rudimentary PCI compliance questions. At Merchant Link, key members of our team participate in PCI Council working groups and related industry forums so we are up to date on the latest information and can share our knowledge with our customers. For more daunting questions, consider engaging a QSA or another bona fide security expert for advice and guidance. While this may require upfront expenditure, the fee is going to be much less expensive than a breach. Then, just as you have an evacuation plan for a physical security emergency, consider developing a breach response plan so you know who to contact if a breach occurs – key contacts include the merchant bank as well as federal and state law enforcement agencies.

Remember, you’re not alone. Given that every organization that touches a credit card transaction is affected by PCI compliance issues there are thousands of IT security professionals facing the same complexities and similar issues to you. Listed below are some of my go-to security resources:

https://www.pcisecuritystandards.org/index.shtml
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
http://www2.visaeurope.com/documents/ais/hotelbreach_europe_2.pdf
http://www.crowell.com/pdf/SecurityBreachTable.pdf

by Beth McGarrity

Imagine what it’s like trying to secure a multi-billion dollar online and brick-and-mortar business. That’s the task that Carlton Jones, Security Analyst at Staples, Inc. takes on every day.

We interviewed Carlton at RSA 2010 between sessions to find out what it takes to assure customers that each time they buy office supplies their credit card transaction is secure and their data is protected.

Watch the video below to learn about what guides Staples Inc.’s security philosophy, from best-of-class investments to using business cases to making on-going process improvements.

Originally featured on Tnooz

Day Two: Easy things you can do that cost little or no money


Merchants are easily overwhelmed when it comes to achieving PCI compliance and securing credit card information.

Most already know that they must do more when it comes to protecting their customers’ data, but most feel they don’t have the time or money to do it properly.

Still, without security and trust, customers will start to disappear. But let’s be honest – hotel owners and operators are not security experts.

In today’s economy, most operators are more concerned with keeping their doors open.

So as the PCI Council continues to add more steps and requirements to the standards, most of these operators clearly lack the time, resources and expertise to ensure that they are compliant.

So let’s start with some easy steps that can help you adhere to the standards without costing you too much time or money. These are the basics:

  • Block the unwanted: Install a firewall to block unauthorized access to your computer systems. Consumer-grade firewalls require minimal configuration and cost very little.
  • Patch your systems: When a POS application or system vulnerability is identified, a patch is typically released by the vendor to protect your systems from being exploited. Most patches can be downloaded and installed automatically and are free.
  • Use strong passwords: Change passwords on a regular basis and ensure you are using a combination of letters, numbers, and special characters. Passwords should be easy to remember but hard for others to guess. This is an easy, cost-free security measure.
  • Know where the data is: Determine where credit card data is stored on the network. Is there an inventory? When is it essential to have it stored? Most organizations can probably eliminate 50% of the credit card data they store. If credit card data is not stored on your systems, the scope of your PCI compliance audit can be significantly reduced.
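“Know where the data is” (and step 1 of the eight steps in the earlier post, identifying everywhere card data is stored) is usually done with a discovery scan: walk the file shares, logs and exports, look for card-length digit runs, and keep only the ones that pass the Luhn check, so order numbers and phone numbers drop out. The script below is an added example written for this post, not a Merchant Link tool; the sample log text, file names and directory layout are constructed for the illustration. It reports only masked values (first six and last four digits), so the scan report does not itself become another place where PAN is stored.

```python
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of the kind of text found in POS logs and exports (test numbers only).
SAMPLE_TEXT = """\
2013-04-02 10:15:01 POS-07 sale approved card=4111 1111 1111 1111 amount=42.10
2013-04-02 10:15:09 PMS folio 20231005-000123 loyalty id 1234 5678 9012 3456
2013-04-02 10:16:44 legacy export: 5500-0000-0000-0004 exp 12/15
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First six and last four only, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Masked form of every card-length, Luhn-valid number in the text, in order found."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: Path) -> dict[str, int]:
    """Map each file under root that contains PAN-like data to its number of hits."""
    findings: dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        n = len(find_pans(text))
        if n:
            findings[path.relative_to(root).as_posix()] = n
    return findings


def demo() -> dict[str, int]:
    """Build a throwaway directory with one dirty and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "exports").mkdir()
        (root / "exports" / "pos-export.log").write_text(SAMPLE_TEXT, encoding="utf-8")
        (root / "readme.txt").write_text(
            "Ticket 20130402-000017: no card data here.\n", encoding="utf-8"
        )
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, count in demo().items():
        print(f"{rel_path}: {count} PAN-like value(s)")
```

On the sample text the scan flags the two test card numbers and ignores the folio number and loyalty id, which are the right length but fail Luhn. In a real run you would point scan_tree at POS and PMS export directories, mail spools and backup locations, then use the file list to decide what to delete, truncate or tokenize, which is what pulls those systems out of scope.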

Using a multi-layered approach to secure critical assets needs to be a priority. If the hotel’s systems are secure, compliance will fall into place.

by Beth McGarrity

It’s always interesting to find out what security practitioners, those out in the field, think about the security and compliance challenges they face day in and day out as they secure their networks and customer data.

A few months ago, when we were at the RSA show, we interviewed Jason Stead of Choice Hotels International to find out his thoughts about the security and compliance conundrum. Does being compliant mean that a company is secure? Or should compliance be a byproduct of best practice security activity?

Watch the video below to hear Jason’s thoughts.