Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Point-to-Point Encryption’

There was plenty of talk this week about data security strategies and technologies at the 2012 MICROS and OPERA Hospitality Users Conference.

As a long-time partner of MICROS, we were the first to integrate with the MICROS Simphony point-of-sale solution, and we are excited to share the news with Simphony 2 users that they will soon be able to integrate our TransactionVault tokenization solution to enhance the security of their stored credit card data.

Below, MICROS product manager Nick Low reveals some of the latest features just announced as part of version 2.5 of the platform.

When it comes to evaluating payment data security technologies, are you following the 5 “S’s”: scope, study, support, seek, secure?

If you’re not, how can you really know your data is protected and secure? Too often merchants go with the solution that is directly in front of them. They are focused on their business, selling their products and services to their customers, and security and PCI simply get in the way. But one breach and suddenly all of their hard work is gone.

A breach of merchant data not only hurts the consumer, it harms the merchant as well. PCI will fine merchants in the case of a negligent breach, and once the word gets out, consumers become wary of doing business with you, so the merchant’s brand reputation is damaged.

The process of evaluating all the different payment security technologies out there doesn’t have to be complicated or time-consuming. Follow these 5 simple steps:

  1. SCOPE – Examine your data flow and identify where cardholder data is stored
  2. STUDY – Educate yourself on security methods, technologies, and PCI compliance
  3. SUPPORT – Inventory your current systems – hardware, software, and processors – and understand how they will integrate with the technology
  4. SEEK – Evaluate vendors and seek answers to key questions
  5. SECURE – Implement the right mix of methods and technologies to secure cardholder data

If you don’t know whether or not your data is protected and secure, give us a call.

This week, our team is at the PCI North American Community Meeting, where several new programs have been announced, including the PCI Professional Program, the Council’s first individual accreditation program, designed to build a greater level of PCI expertise across the industry for improved payment security globally. Check out this wrap-up report to learn about the other major announcements, news and highlights.


Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
Brain Hacking: Scientists Extract Personal Secrets With Commercial Hardware
by Gregory Ferenstein
Chalk this up to super-creepy: scientists have discovered a way to mind-read personal secrets, such as bank PINs and personal associations, using a cheap headset. Using commercial brain-wave reading devices, often sold for hands-free gaming, the researchers found that they could identify when subjects recognized familiar objects, faces, or locations, which helped them better guess sensitive information.

PCI SSC’s Bob Russo on point-to-point encryption, PCI compliance
by SearchSecurity
In this video interview, Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), discusses tokenization, point-to-point encryption, PCI compliance issues, and the state of guidance documentation for emerging technologies. According to Russo, the PCI SSC is currently assessing hardware-based point-to-point encryption products and plans to produce a list of approved PIN transaction security (PTS) devices by the end of 2012.

Mind the Gap: PIN versus Signature Authentication
by Douglas A. King
The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions widened further. Issuers lost an average of three cents per signature debit transaction compared to less than half a cent per PIN transaction.

What other interesting content have you come across? Leave a comment below and join the discussion.

Last week while watching Michael Phelps win his 20th Olympic medal, I was also reading a very interesting post on PCI Guru’s blog that discusses a topic covered in the latest Assessors newsletter. What do these two diverse topics have in common? Read on and see.

The blog post I mentioned refers to pre-authorization data and scope, a topic that has often been the subject of discussion. Is pre-authorization data in scope with regard to PCI or not? While my personal belief is that it should always be considered in scope, the source of this debate is the fact that the standard does not really call it out. Indeed, many of the requirements are specific to post-authorization (such as restrictions on any storage of sensitive authentication data). In the newsletter, the PCI Council definitively states: “PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization.”

OK, so card data is in scope regardless of its authorization state wherever it is stored, processed or transmitted. But what does that mean to the merchant, other than putting a final period on the debate? The Council’s statement here is really one of common sense: card data is no less valuable before authorization than after it.

Generally, the length of time that data remains pre-authorization is short. That can vary, however, especially when one considers new fees such as the Visa Zero Floor Limit Fee, which adds a fee to any transaction that is settled without authorization. Merchants are thereby incentivized to store the data to ensure they can obtain an authorization prior to submitting for settlement.

The PCI Council leaves the requirements regarding storage of pre-authorization sensitive authentication data up to the individual payment brands. It did state, however, that any storage of SAD prior to authorization would be held to a higher standard of security and controls. Regardless of what PCI states, from a risk perspective it’s just good practice for merchants to secure all credit card data, and to remove as much of it from the merchant environment as possible. Point-to-point encryption and tokenization can play a role in effectively removing and securing card data.

For merchants, it’s tempting to let the realities of day-to-day operations take priority over complex topics like PCI, kicking the can down the road, so to speak. This brings us back to the Olympics. Michael Phelps mentioned in an interview all the various obstructions that his coach created during his training. One that stood out was his coach stepping on his goggles to crack them, so they would fill with water during Michael’s next swim. This was to prepare Phelps for any situation that could occur in competition. Sure enough, during one of his races his goggles did fill with water, and he had to rely on counting strokes to know where he was. Without that preparation, he might not have cleared that hurdle.

Similarly, merchants need to prepare themselves for the day when they may be the target of an attack. Whenever I hear the argument that pre-authorization data can be considered out of scope because the PCI DSS doesn’t specifically say so, I know I’m talking to someone who is not taking a long-term, ongoing approach to PCI. Just as Michael Phelps trains for all eventualities, merchants today must prepare to face the threats of tomorrow. Look closely at your environment. Have you effectively secured pre-authorization data? Do you know every place that card data exists within your environment? In a recent blog post, one of my colleagues wrote about the security training that every Merchant Link associate participates in. Security is more than a moment in time, or a specific job role. It’s something that everyone needs to be aware of.

Oh, and just to remind you, the Council has spoken. It IS in scope.

Watching the Olympics, it’s always fascinating (and heartbreaking) to see how split seconds and minor missteps are what ultimately separate the winners from the losers. In fact, that’s why the technology used at the games is so important: high-speed cameras, lasers and sensors that measure in hundredths to thousandths of a second.

Yesterday in the men’s 200 butterfly, Michael Phelps led almost the entire race and was on his way to winning his 18th medal when, in the very last stretch, South Africa’s Chad le Clos reached farther and touched the wall just 0.05 seconds before Phelps. It was so close that Michael’s mother and even his coach thought he’d won. (Check out the video here.)

The Olympics aren’t the only place where the smallest mistake or split-second lull in your resolve can bring heavy consequences. Protecting your customers’ payment data requires the same level of precision and persistence.

Examine how payment data flows through your network. When a credit card is swiped or entered into the system, how and when is that data secured? Encryption should occur at, or as close as possible to, the point of interaction (POI). If the data is left “in the clear” even for a millisecond, that provides a window of opportunity for an attacker to place malware there and steal it. Point-to-point encryption (P2PE) is one way merchants are preventing theft of data in transit. To protect stored data, tokenization is an effective method. Both technologies can be employed in tandem to protect payment data end to end.

And don’t discount the human, or psychological, factor. By the time athletes arrive at the Olympics, they’ve put in countless hours of training and are ready physically, but if they’re off mentally at the moment it counts, it can hurt their performance. Similarly, merchants can implement the most advanced security technology available, but if they don’t prepare their staff to guard against threats such as social engineering, their own people could be manipulated into divulging confidential information. Security is like a chain: it’s only as strong as its weakest link.

Fresh off the road from a busy spring schedule of conferences and events, such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power in the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”), so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leverage the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
 
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
 
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure online, offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, and their favorite method is to target data “in transit” as it moves through and from the merchant environment. According to Trustwave’s 2012 Global Security Report, attackers in 2011 were more successful at harvesting data in transit than by any other method. Meanwhile, the PCI Council has just released updated point-to-point encryption requirements, as well as a fact sheet outlining how merchants can securely accept payments using mobile devices, with actionable recommendations on partnering with a P2PE solution provider to accept payments securely and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

SILVER SPRING, MD (April 23, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, today announced it has been designated by AmericInn International, LLC as the preferred provider of payment and data security services for its franchisees. AmericInn® is one of the fastest-growing limited-service lodging chains, with over 260 locations in 27 states. Locations using an integrated property management system for payments are now required to install the Merchant Link solution.

“As credit card data breaches continue to make headlines, and as we continue to grow our business, we knew we had to do everything possible to secure the personal data of our guests,” shared Mark Nicpon, CIO, of AmericInn International, LLC. “Merchant Link’s hosted solution secures cardholder data from the moment of capture and ensures data is not stored anywhere on premise. The solution also helps ease PCI compliance effort and cost for our franchisees.”

The comprehensive solution incorporates the Merchant Link Payment Gateway, TransactionVault tokenization and TransactionShield point-to-point encryption technology. The Merchant Link Payment Gateway provides connectivity to all major processors and sends payments quickly, while detecting and correcting errors along the way. TransactionVault removes guest credit card data from hoteliers’ systems and stores it in a secure, hosted “vault” – away from the business and safe from hackers. TransactionShield encrypts data at the point of interaction and protects it as it travels through the hotel’s IT environment. Decryption occurs within Merchant Link’s cloud-based payment gateway, reducing the risk of compromise.

“AmericInn understands the importance of processing payment transactions securely as well as the value of the support services we provide their franchisees to access information and immediately remediate problems,” said Dan Lane, Merchant Link’s President and CEO. “We are proud that AmericInn has selected Merchant Link as the brand standard for its franchisees and we look forward to working with them.”

Installations are already underway and adoption across the entire chain is expected to be complete over the next 12 months.

About AmericInn
AmericInn® is a leading mid-scale lodging chain with over 260 locations currently open or under development in 27 states. The brand is dedicated to providing an exceptional lodging value for its guests by offering great rates and amenities such as free, hot, home-style AmericInn Perk breakfast, free hotel-wide wireless high-speed Internet, inviting swimming pools and Easy Rewards. AmericInn is part of Northcott Hospitality, owner and developer of successful franchised hospitality brands for more than 50 years. For more information on AmericInn development opportunities visit www.AmericInnDREAM.com or call 1-866-220-7140. For AmericInn reservations visit www.AmericInn.com or call 1-800-634-3444.

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™, the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never exposed while it is being processed.
 
Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

The Verizon RISK team has published the highly anticipated 2012 Data Breach Investigations Report. After steady declines for the past two years, the report finds that breaches skyrocketed in 2011, producing the second-highest data loss total since the Verizon team started keeping track in 2004. While mainline cybercriminals continue to target monetarily valuable data, 2011 saw a re-invigoration of online activism. “Hacktivism” is directed at larger organizations worldwide with the intent to damage the brand and embarrass the organization. In addition to the significant increase in the number of attacks, the report shows that organizations required to be PCI DSS compliant continue to struggle: 96% of breach victims were not compliant as of their last assessment (up 7% from last year).

Most Afflicted Industry
The report found that once again the most afflicted industry was Accommodation/Food Service (Restaurants 95%, Hotels 5%). Nearly three-quarters of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries. Even though the amount of data per business is small, these “industrialized” attacks are carried out against large numbers of businesses in a surprisingly short timeframe, encountering almost no resistance. Many of these are small to mid-size Level 4 merchants who are failing to assess and achieve PCI DSS compliance.

Most Used Techniques
External agents continued to be responsible for the largest proportion of breaches in 2011 (98%). The report shows the most common external breach techniques use some combination of hacking and malware (61%). Almost all compromised records are linked to circumventing authentication using stolen or guessed credentials (84% of records).

While internal employee breaches fell again this year to only 4% of total incidents, there is an interesting correlation with the food service industry. Most affected by internal employee breaches were smaller businesses and independent local franchisees of larger brands. The highest percentage of internal incidents belonged to money handlers such as the Cashier/Teller/Waiter category (65%) and the Manager/Supervisor category (15%).

Most Compromised Devices
With the Accommodation/Food Service industry continuing to be the most targeted, it is not surprising that the highest percentages of user device compromises consist of POS terminals (35%), desktops (18%) and ATMs (8%). The report recommends training staff to detect signs of device tampering and looking for anti-tampering technology in POS and PIN devices.

Conclusions
Mitigating data breach threats can range from simple solutions to costly and complex systems. The report shows overwhelmingly that implementing a few basic safeguards has a big impact for the small and mid-size companies that make up a large portion of the Accommodation/Food Service sector. These companies should look to:

  • Implement a firewall on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • Make sure your POS is a PCI DSS compliant application
  • Eliminate unnecessary data on site

To assist in eliminating data on site, consider combining tokenization and point-to-point encryption to protect both stored data and data in flight. Tokenization eliminates storage of actual cardholder data, while point-to-point encryption protects data in flight from the point of interaction as it travels through the merchant’s IT environment. If you get rid of the data, you get rid of the risk.
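The two practices this post and the pre-authorization post above keep coming back to, knowing every place card data exists in your environment and replacing stored PANs with tokens, can be exercised end to end in a small script. The following is an added illustration written for this page, not Merchant Link code: the vault, the token format (random digits plus the real last four, deliberately built to fail the Luhn check) and the sample folio line are all assumptions, and the scope scan is the same Luhn-based search a PAN discovery tool performs over logs and databases.

```python
import re
import secrets
from typing import Dict, List

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes (how PANs tend to appear in logs).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> List[str]:
    """Scope scan: return every Luhn-valid card number found in a block of text."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

class TokenVault:
    """Hypothetical hosted vault: the PAN lives here; the merchant keeps only a token."""
    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # The token keeps the last four (for receipts) but is built to FAIL Luhn, so it
        # can never equal a real PAN and a scope scan will never mistake it for one.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; the merchant environment never does this."""
        return self._pan_by_token[token]

def merchant_checkout(vault: TokenVault, pan: str, amount: str) -> Dict[str, str]:
    """What the merchant's system persists after the swap: token plus amount, no PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}

def scan_records(records: List[Dict[str, str]]) -> List[str]:
    """Run the scope scan across stored records; an empty list means no PAN on site."""
    pans: List[str] = []
    for rec in records:
        pans.extend(find_pans(" ".join(rec.values())))
    return pans
```

Run `scan_records` over a constructed legacy record such as `{"note": "folio 1234 card 4111-1111-1111-1111 auth pending"}` and the PAN is reported; store the same sale through `merchant_checkout` and the scan comes back empty, which is the "get rid of the data" outcome the post describes.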