Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Point-to-Point Encryption’

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”) and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
 
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
 
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure on- and offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, and their favorite method is to go after data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than by any other method, according to Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements, as well as a fact sheet outlining how merchants can securely accept payments using mobile devices, with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

SILVER SPRING, MD (April 23, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, today announced it has been designated by AmericInn International, LLC as the preferred provider of payment and data security services for its franchisees. AmericInn® is one of the fastest growing limited service lodging chains with over 260 locations in 27 states. Locations utilizing an integrated property management system for payments are now required to install the Merchant Link solution.

“As credit card data breaches continue to make headlines, and as we continue to grow our business, we knew we had to do everything possible to secure the personal data of our guests,” shared Mark Nicpon, CIO of AmericInn International, LLC. “Merchant Link’s hosted solution secures cardholder data from the moment of capture and ensures data is not stored anywhere on premise. The solution also helps ease PCI compliance effort and cost for our franchisees.”

The comprehensive solution incorporates the Merchant Link Payment Gateway, TransactionVault tokenization and TransactionShield point-to-point encryption technology. The Merchant Link Payment Gateway provides connectivity to all major processors and sends payments quickly, while detecting and correcting errors along the way. TransactionVault removes guest credit card data from hoteliers’ systems and stores it in a secure, hosted “vault” – away from the business and safe from hackers. TransactionShield encrypts data at the point of interaction and protects it as it travels through the hotel’s IT environment. Decryption occurs within Merchant Link’s cloud-based payment gateway, reducing the risk of compromise.

“AmericInn understands the importance of processing payment transactions securely as well as the value of the support services we provide their franchisees to access information and immediately remediate problems,” said Dan Lane, Merchant Link’s President and CEO. “We are proud that AmericInn has selected Merchant Link as the brand standard for its franchisees and we look forward to working with them.”

Installations are already underway and adoption across the entire chain is expected to be complete over the next 12 months.

About AmericInn
AmericInn® is a leading mid-scale lodging chain with over 260 locations currently open or under development in 27 states. The brand is dedicated to providing an exceptional lodging value for its guests by offering great rates and amenities such as free, hot, home-style AmericInn Perk breakfast, free hotel-wide wireless high-speed Internet, inviting swimming pools and Easy Rewards. AmericInn is part of Northcott Hospitality, owner and developer of successful franchised hospitality brands for more than 50 years. For more information on AmericInn development opportunities visit www.AmericInnDREAM.com or call 1-866-220-7140. For AmericInn reservations visit www.AmericInn.com or call 1-800-634-3444.

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™ – the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never vulnerable while it’s being processed.
 
Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

The Verizon RISK team has published the highly anticipated 2012 Data Breach Investigations Report. After seeing steady declines for the past two years, the report finds that breaches skyrocketed in 2011, boasting the second-highest data loss total since the Verizon team started keeping track in 2004. While mainline cybercriminals continue to target monetarily valuable data, 2011 saw a re-invigoration of online activism. “Hacktivism” is targeted towards larger organizations worldwide with the intent to damage the brand and embarrass the organization. In addition to the significant increase in the number of attacks, the report shows that organizations required to be PCI DSS compliant continue to struggle. According to the report, 96% of breach victims were not compliant as of their last assessment (up 7% from last year).

Most Afflicted Industry
The report found that once again, the most afflicted industry was Accommodation/Food Service (Restaurants 95%, Hotel 5%). The report found that nearly three-quarters of automated opportunistic attacks hit the Retail/Trade or Accommodation/Food Service industries. Even though the amount of data per business is small, these “industrialized” attacks are carried out against large numbers of businesses in a surprisingly short timeframe, encountering almost no resistance. Many of these are small to midsize level 4 merchants who are failing in assessing and achieving PCI DSS compliance.

Most Used Techniques
External agents continue to be responsible for the largest proportion of breaches in 2011 (98%). The report shows the most common external breach techniques utilize some combination of hacking and malware (61%). Circumventing authentication using stolen or guessed credentials is linked to almost all compromised records (84% of records).

While internal employee breaches fell again this year to only 4% of total incidents, there is an interesting correlation to the food service industry. Most affected by internal employee breaches were smaller businesses and independent local franchisees of larger brands. The highest percentage of internal incidents belonged to money handlers such as the Cashier/Teller/Waiter category (65%) and the Manager/Supervisor category (15%).

Most Compromised Devices
With the Accommodation/Food Service industry continuing to be the most targeted, it is not surprising that the highest percentage of user device compromises consists of POS Terminals (35%), Desktops (18%) and ATMs (8%). The report recommends training staff to detect signs of device tampering and to look for anti-tampering technology in POS and PIN devices.

Conclusions
Mitigating data breach threats can range from simple solutions to costly and complex systems. The report shows overwhelmingly that implementing a few basic safeguards has a big impact for small and mid-size companies that make up a large portion of the Accommodation/Food Service sector. These companies should look to:

  • Implement a firewall on remote access services
  • Change default credentials of POS systems and other Internet-facing devices
  • Make sure your POS is a PCI DSS compliant application
  • Eliminate unnecessary data on site

To assist in eliminating data on site, consider combining tokenization and point-to-point encryption to protect both stored data and data in-flight. Tokenization eliminates storage of actual cardholder data, while point-to-point encryption protects data in-flight from the point of interaction and as it travels through the merchant’s IT environment. If you get rid of the data, you get rid of the risk.

The 2012 MURTEC conference is a wrap, and conference organizers are reporting 40% attendee growth over last year. From our perspective, and many others I spoke with, this year was one of the best MURTECs yet. When you bring together the right people, and are able to have the right conversations, it’s amazing the business that gets done.

(And for all the booth veterans out there… ever notice how the quality of your conversations is directly proportionate to the number of chotchkies acquired? The higher the quality, the less you give away… funny but true.)

The show included an opening keynote address by Mike Inman of TableForce on the art of negotiation that was insightful for buyers and vendors alike. Inman talked about isolating items of high value to you and low value to the other party (and vice-versa) in order to arrive at an agreement.

Jack Clare, VP – Information Technology & CIO for Yum Restaurants International, shared the innovative approach they’re taking to kitchen automation and making their back office more efficient by connecting technology and operations. Clare is featured on Hospitality Technology’s MURTEC video playlist, as is Baron Concors, CIO of Pizza Hut who talks about applying business intelligence and big data to all business functions – not just marketing.

XPIENT Solutions was exhibiting and we announced a partnership yesterday that will allow their customers to increase the security of their payment transactions and cardholder data as well as benefit from the flexibility and support of our payment gateway service.

During the roundtable session, I sat at a table where the topic was PCI – a subject that continues to hit a nerve with operators, many of whom see it as a source of aggravation. One participant admitted it even caused him to consider quitting his job at one point. Still, the good news is that operators, auditors and vendors seem to be more educated these days when it comes to PCI and less confused about the standards and what is considered out of scope versus in scope. As we reported last week, businesses are taking greater ownership when it comes to compliance. And, operators are more interested than ever in solutions such as point-to-point encryption that can help them get rid of the sensitive cardholder data on their networks, effectively removing their systems from PCI scope.

Check out our video highlights, including observations from Alan Hayman of the Hayman Consulting Group and Joe Finizio, President & CEO of the Retail Solutions Providers Association.

Combined gateway, tokenization and point-to-point encryption solution to be integrated into another major point-of-sale system

SILVER SPRING, MD (March 26, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, and XPIENT Solutions, a leading provider of point-of-sale, back office, and enterprise management technologies for restaurants, today announced a partnership that allows restaurant operators to increase the security of their payment transactions and cardholder data and benefit from the flexibility and support of a payment gateway service.
 
“We know restaurateurs are looking for ways to address the ongoing threat of theft and fraud, and we were impressed with Merchant Link’s solution that secures both data in-flight and at rest,” said Christopher Sebes, XPIENT’s President and CEO. “Our customers will also value the flexibility of Merchant Link’s processor-neutral gateway as well as the ability to bolster loyalty programs using Merchant Link’s card-based tokens.”
 
The integration pairs XPIENT’s innovative point-of-sale (POS) system with Merchant Link’s Payment Gateway, TransactionVault tokenization and TransactionShield point-to-point encryption solutions. Certification is complete and the first beta site is expected to be live within a few weeks.
 
“XPIENT is a recognized leader in the industry, working with some of the biggest brands and specializing in the quick service restaurant (QSR) segment where we are expanding,” said Dan Lane, Merchant Link’s President and CEO. “This partnership makes sense for both companies to be able to offer more options in the increasingly complex and varied world of payments today.”

The 2012 Multi-Unit Restaurant Technology Conference (MURTEC) show starts today, otherwise known as “The Gold Standard Restaurant Technology Event,” bringing together more than 225 restaurant technology, finance and operations professionals for three days of peer-to-peer exchange of ideas and best practices. Merchant Link will be there and reporting back on all the tech talk and trends.

One of the many things people will be buzzing about is Hospitality Technology’s 2012 Restaurant Technology Study. Among this year’s results, in the area of PCI compliance/security, restaurant operators are moving away from the belief that:

  • PCI compliance is the responsibility of the vendor (48% agreed in 2011, 38% agreed in 2012).
  • PCI compliance guarantees there will be no breach (22.8% agreed in 2011, 13.8% agreed in 2012).

These trends indicate that the message about PCI as best practice, not a guarantee, is finally getting through, and that businesses are taking greater ownership when it comes to compliance.

In our own business, we see evidence of these trends, as more and more merchants are asking us to help them get rid of sensitive cardholder data on their networks altogether. Restaurant chains like Silver Diner are taking a layered approach to prevent a data breach. Using tokenization and point-to-point encryption, Silver Diner not only enhanced their security, they were able to achieve significant reductions in PCI scope and costs. Check out the case study we just posted to learn more.

And let us know your thoughts on compliance by leaving a comment below.

New Partnership Allows Ski Resorts to Manage All Payment Transactions from Any Point-of-Sale Across the Resort

SILVER SPRING, MD (February 28, 2012) — Merchant Link, a leading provider of payment gateway and data security solutions, and Transaction Resources, Inc. (TRI), a provider of innovative payment processing solutions, have announced a partnership that allows ski resorts and other hospitality providers to obtain enhanced security and support for their payment transactions – from lift ticket sales, to food and beverage transactions, to hotel bookings, spa services and more.

Eight ski resorts throughout the U.S. have already implemented this integrated solution, which includes the Merchant Link Payment Gateway™ and TransactionVault™, Merchant Link’s tokenization solution that replaces each card number with tokens. TRI and their clients will have the ability to add TransactionShield™, Merchant Link’s point-to-point encryption solution. Four additional implementations are expected to be complete by Q2.

“We are very pleased with how smoothly all of the accounts are being boarded and with all the positive feedback we are receiving about the Merchant Link service,” said David Frick, President TRI. “Thanks to this partnership, we can offer a solution that streamlines and secures payments across multiple channels, easing the administrative burden for our hospitality customers. We looked at other solutions and partners, and did not find the same level of flexibility and personalized support offered by Merchant Link.”

Merchant Link’s Payment Gateway provides significant advantages over premise-based or direct connect systems. These benefits include better reliability, flexibility and control, as well as real-time reporting and easy implementation. From a security perspective, the cloud-based gateway solution and added tokenization technology remove all cardholder data from the merchant’s IT environment – dramatically reducing the risk of a data breach while reducing PCI scope.

“TRI is an ideal partner for Merchant Link,” said Dan Lane, CEO of Merchant Link. “We both have a passion for customer service and innovation. Together, we hope to help ski resorts and other untapped markets realize the benefits a robust payment gateway and security solution can provide in the ever-evolving, complex world of payments today.”

About Transaction Resources, Inc.

Transaction Resources, Inc. (TRI) offers innovative payment processing solutions by combining the latest technologies and a passion for customer service. Since 1993, the company’s key markets have grown to include retail, restaurant, lodging and resort industries. Its employees bring years of experience from hardware & software providers, network processors, banks and merchants. CardDog, a dynamic gift and loyalty system, is the latest product in the company’s committed growth as a leading payments provider. For more information on TRI and CardDog, visit www.transactionresources.com and www.carddog.com.

Enhanced security is now available for MICROS OPERA and MICROS RES Customers with P2PE and Tokenization

COLUMBIA, Md., Feb. 27, 2012 /PRNewswire/ — MICROS Systems, Inc. (NASDAQ: MCRS), a leading provider of information technology solutions for the hospitality and retail industries, is pleased to announce that it now offers Point-To-Point Encryption (P2PE) and Tokenization for its MICROS OPERA Enterprise Solution and MICROS Restaurant Enterprise Solution (RES) customers. Utilizing Merchant Link TransactionShield and TransactionVault, customers using MICROS OPERA version 5.0.03.01+ or MICROS RES version 4.10+ and our new encrypting and tamper-resistant card readers can obtain a greater level of security when processing payment card transactions, and reduce their Payment Card Industry Data Security Standard (PCI-DSS) scope.

This newest generation of hardware-based encryption and Tokenization ensures that unencrypted payment card data is not processed, stored or transmitted on the MICROS OPERA or MICROS RES systems, as it is encrypted at the initial point of swipe using the new encrypting card reader. The encrypted credit card data is then securely transmitted to Merchant Link for decryption and processing. A token is generated by Merchant Link and returned to the MICROS OPERA or MICROS RES system where it is stored after authorization. This solution provides secure and cost effective protection against the increasingly common interception of cardholder data in-transit.

MICROS’s new P2PE and Tokenization solution has been implemented at many locations, including The Georgia Center, a hotel, conference, and continuing education learning facility for University of Georgia students, visitors, and the community. “Adding P2PE and Tokenization to our MICROS OPERA solution was the easiest and most cost effective way for us to satisfy and exceed our PCI compliance regulations,” stated Corey Doster, IT Director, The Georgia Center. “P2PE and Tokenization reduce our PCI-DSS scope and therefore eliminate some of the time consuming and costly steps that we needed to take to become and stay PCI compliant. It was very important for us to enhance our transaction security and protect our customers’ credit card data from potential threats. MICROS’s security offerings allow us to be proactive about potential threats, by preventing sensitive data from ever passing through our OPERA system.”

“Many credit card security compromises today involve the interception of unencrypted cardholder data in-transit,” stated Jim Walsh, Chief Information Security Officer, MICROS Systems, Inc. “MICROS’s new P2PE and Tokenization solution provides a robust and cost effective tool against this common method of theft. With strong, hardware-based encryption at the initial point of swipe, the likelihood of a merchant cardholder data compromise is reduced. We are very pleased to offer our customers this powerful and cost effective solution, which provides significant security benefits, as well as reduces PCI-DSS scoping and compliance costs.”

About The Georgia Center

The University of Georgia’s Conference Center and Hotel is located on the beautiful, historic campus of UGA in Athens, Georgia. The Center includes a 200-room hotel, four onsite dining options, banquet areas, conference rooms, auditoriums, a fitness center, and a computer lab — all under one roof. The Georgia Center received the “2010 Prime Site Award” from Facilities & Destinations Magazine. And Meetings and Conventions Magazine highlighted The Center as among the best university-based conference centers in the country. For more information, please visit www.georgiacenter.uga.edu.

About MICROS Systems, Inc.

MICROS Systems, Inc. provides enterprise applications for the hospitality and retail industries worldwide. Over 330,000 MICROS systems are currently installed in table and quick service restaurants, hotels, motels, casinos, leisure and entertainment, and retail operations in more than 180 countries, and on all seven continents. In addition, MICROS provides property management systems, central reservation and customer information solutions under the brand MICROS-Fidelio for more than 26,000 hotels worldwide, as well as point-of-sale, loss prevention, and cross-channel functionality through its MICROS-Retail division for more than 100,000 retail stores worldwide. MICROS stock is traded through NASDAQ under the symbol MCRS.

For more information on MICROS and its advanced information technology solutions for the hospitality industry, please contact Louise Casamento, Vice President of Marketing at (443) 285-8144 or (866) 287-4736. You can also visit the MICROS website at www.micros.com or send an email to info@micros.com.

The MICROS logo is a registered trademark of MICROS Systems, Inc.

All other product and brand names are the property of their respective owners.

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.