Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Sue Zloth’

Originally published by SC Magazine, reported by

The use of a tokenization solution does not eliminate a merchant’s need to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS), the industry group responsible for managing payment security guidelines said in a new document released Friday.

“The misconception is that I can buy one of these [tokenization solutions] and be PCI compliant,” Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com. “That’s not the case.”

A mature and properly deployed tokenization solution can, however, simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of the scope of the standard, according to the 23-page supplement released by the PCI Council.

Meanwhile, Sue Zloth, product group manager at payment data security provider Merchant Link, a member of the PCI Council’s tokenization task force, told SCMagazineUS.com on Friday that she believes the document is a good first step, though it may lead to some confusion and deter adoption.

Zloth took issue with a section that discusses the need to evaluate whether a token itself could be used – in lieu of cardholder data – to perform a transaction.

The document states that so-called “high-value tokens,” which can be used as a form of payment, could be monetized by an attacker or used to generate fraudulent transactions.

The council introduced a valid concern – that certain tokens could be valuable to attackers – but “fell down” by failing to describe how a tokenization system could adequately protect tokens from being fraudulently used, Zloth said.

“A properly implemented system will know who is sending transactions and will not allow anyone to send transactions with a token,” she added.

To read this full story go to http://www.scmagazineus.com/pci-council-releases-tokenization-guidance/article/209505/

Merchant Link’s Sue Zloth to Participate in PCI Boot Camp at 2011 HITEC Conference

What:

Hospitality technology professionals realize that the safety of guest credit card data and other sensitive information is an important part of ensuring a peaceful and relaxing experience. However, when it comes to payment security, hospitality professionals often have limited knowledge and understanding of the unique requirements, risks, tactics and tools they need to ensure their systems are secure and PCI-compliant. At this year’s Hospitality Industry Technology Exposition & Conference (HITEC), Merchant Link’s Sue Zloth will join other experts in the payment processing and security industry in hosting “PCI Compliance Boot Camp.” The boot camp will serve to educate hoteliers on PCI compliance, how to pick a qualified security assessor (QSA), cloud computing, incident response plans and more.

It will also focus on the ways hoteliers can minimize risk by removing card data from their environments using emerging technologies and best practices such as tokenization and point-to-point encryption.

Who:

Sue Zloth, Product Group Manager at Merchant Link, knows the hospitality industry and the challenges hotels are facing in today’s difficult security environment. She has over 25 years of hospitality and payment industry experience helping to educate decision makers on how to integrate security into payment processing systems.

Sue is a member of the new Hospitality Financial & Technology Professionals (HFTP) PCI Taskforce as well as a member of the PCI Council’s Tokenization Taskforce, co-chair of the Hotel Technology Next Generation (HTNG) Software Forum, and member of the HTNG Payments Workgroup.

When:

HITEC 2011

June 20, 2011

8:30 AM – 11:15 AM (CT)

Where:

Austin Convention Center

Ballroom G

500 E Cesar Chavez St

Austin, TX 78701

About Merchant Link
Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retailers. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com. For our expert opinion on encryption, tokenization and PCI compliance, visit the Merchant Link blog at www.merchantlinksecuritycents.com.

By Sue Zloth

Last month a couple of us talked with John Kindervag at Forrester Research.  We spent a portion of the discussion on PCI standards, talking about the pressures that merchants feel to comply and providing updates on what we’ve been doing with the Council in their working groups.

So I, particularly, was interested when I saw John’s blog on PCI. He points out that merchants should know the industry they serve, but should also recognize the connections with other verticals that may not be obviously linked to their line of business. So whether you sell ice cream or designer jeans, you fall into the category of payment security because you process financial transactions.

Here is what John said in his blog:

Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance — what defines you is your data and how you handle it.

When advising Forrester clients on InfoSec, the first question I ask is, “what compliance mandates are you under?” Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. For example, I often say that, “PCI is the world’s largest vertical market.” It is a single global standard that affects more companies than not. You may think you are a hotel and your vertical is hospitality, but if you handle credit cards your real vertical — from a data perspective — is PCI.

Data defines markets. Look at your data, your transactions, and your process, and map them to your compliance initiatives. That will determine your digital — not analog — vertical. Using this measure, you can determine your security baseline and compare yourself to companies who must handle data in the same manner as you to help guide your security decisions.

By Sue Zloth

Call it what you will – Tokenization in the Cloud or Tokenization as a Service.  No matter what you call it, the bottom line is removing sensitive cardholder data completely from the merchant’s IT environment and reducing the scope of PCI DSS.

It is an approach that we have been behind for nearly a decade, through the many variations of terminology.  Ultimately, we believe strongly that keeping card numbers within an enterprise is a security liability.

But don’t just take it from us. Others in the industry are beginning to understand the need to take tokenization into the cloud and are starting to offer solutions in this area, and the analyst community is nodding in agreement. Tokenization in the cloud is expected to become a common strategy for enterprises.

We live and breathe tokenization and encryption so it is always a bright spot when we see the industry embracing this technology and the cloud approach to tokenization.

As part of the Special Interest Group (SIG) for the PCI Council, we expect to provide merchants with formal guidance on the technology shortly. We hope that the documents will offer a better understanding of the types of tokenization and of the ways to implement the technology. In the meantime, if you have questions about different approaches, feel free to drop me a comment below.

By Sue Zloth

Last fall the PCI Council announced guidance on point-to-point encryption (P2PE) to help merchants protect their customers’ payment card information. Since then, merchants have had P2PE implementation on their minds.

Recently I’ve been a part of a working group that is evaluating technologies and determining the best ones to secure payment transactions and help reduce scope for PCI. One thing that’s becoming clear is that tokenization cannot be left out of the mix.

As a part of the PCI Special Interest Group (SIG) on tokenization, I’ve been evaluating this technology and offering recommendations for guidance. Although the guidance won’t be out until late spring, I wanted to share some educational information about tokenization that could benefit our readers.

Each week, I’ll post an article about what tokenization is, the types of tokenization, its benefits for merchants and some simple considerations before implementing a tokenization solution.

So what is tokenization?

In its simplest form, tokenization is data substitution.

What does that mean? Well, let’s say that you have the following credit card number:

4467 9388 2077 1234

(Don’t worry, I made this number up).

Hypothetically, if this card number were stolen, it would have a significant value to the thief. The bad guy could sell your number to other bad guys or could simply use your credit card to buy things on your dime.

However, if that same credit card number were tokenized, the real digits would be replaced by other digits that have no value at all. The token is worthless to anyone who steals it; for example:

1234 5678 9012 1234

This way, if the card is stolen, it can’t be used to make purchases and would be of no use to the bad guys.

It is impossible for a thief to crack the code and derive the real credit card number from the token. The real credit card information is sent to a centralized and highly secure server to be stored.
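As an added example (not code from the original post or from Merchant Link), here is a toy tokenization vault in Python that shows the substitution described above: the token is drawn at random rather than computed from the card number, the last four digits are kept as in the sample token, and only an authorized system (an assumed name, "settlement-host") can exchange a token back for the real number.

```python
import secrets

# Constructed example: a toy tokenization vault. The real card number (PAN) lives
# only inside the vault, standing in for the centralized secure server the post
# describes; every other system only ever handles the token.
class TokenVault:
    def __init__(self, authorized_callers=("settlement-host",)):
        # "settlement-host": assumed name for the one system allowed to detokenize.
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._authorized = set(authorized_callers)

    @staticmethod
    def _normalize(pan):
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        return digits

    def tokenize(self, pan):
        digits = self._normalize(pan)
        if digits in self._pan_to_token:  # same card always maps to the same token
            return self._pan_to_token[digits]
        # The token is drawn from a CSPRNG, not computed from the PAN, so there is
        # no formula to invert: the only way back is this vault's lookup table.
        # The last four digits are kept, as in the post's sample token.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token, caller):
        # Only a known, authorized system may turn a token back into a PAN; anyone
        # else who steals the token holds nothing of value.
        if caller not in self._authorized:
            raise PermissionError(f"{caller} is not authorized to detokenize")
        return self._token_to_pan[token]

def format_groups(number):
    """Render a token or PAN in groups of four digits, as the post prints them."""
    return " ".join(number[i:i + 4] for i in range(0, len(number), 4))

if __name__ == "__main__":
    vault = TokenVault()
    print(format_groups(vault.tokenize("4467 9388 2077 1234")))  # post's made-up number
```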

Next up in this series: Token Types


The week between Christmas and New Year’s Eve is always a time of reflection and anticipation. We often like to look back at major events that shaped our worlds, while at the same time, keeping our eyes on the year ahead.

The editorial staff at SecurityCents has opted to look back and highlight our most popular posts this year. In 2010 hackers made tremendous strides in obtaining customer credit card data, so there was no shortage of news and developments impacting our sector.

Fortunately, SecurityCents launched in 2010 with the mission of being the online destination for merchants to gain insights for winning the war against hackers. The following is a summary of our top posts that resonated with our readers. Enjoy!

Hotels Remain #1 Target for Hackers
2010 was the year that hackers made hotels their #1 target for stealing customer credit card data. In one of the most significant hotel breaches this year, Destination Hotels & Resorts suffered a credit card fraud scheme that impacted 21 of its hotels across the United States. It was reported that data from more than 700 guests across the country was involved. Check out our full post from Sue Zloth on this topic here.

A Look Back at 2010: What Has Impacted Retail?
Our very own Mike Ryan penned a post about all the major happenings in the retail sector in 2011.   From the sentencing of Albert Gonzalez to the evolution of PCI standards and The PCI Council providing guidance on emerging technologies that mitigate breaches, we have it all in this comprehensive post.

Before You Head Out On Vacation, Know the Difference between Tokenization and Encryption
Merchant Link’s Tim Kinsella wrote about the differences between tokenization and encryption right at the peak of summer vacation season.  Why the summer vacation angle?  As most CSOs of major retail and hospitality chains were heading to the beach for some much-needed rest, payment security was surely still top of mind.  Check out the full post here.

PCI Council Releases Guidance on Encryption for PCI DSS and Scope Reduction
In October, The PCI Council released the first in a series of documents that delved into the issue of encryption as it impacts PCI DSS and scope reduction. Merchant Link’s Sue Zloth provided key insights into this guidance and how it provided merchants with an understanding of what they should be evaluating to determine if a point-to-point encryption solution will simplify PCI DSS compliance for their environment.  Read the full post here.

Using Panasonic SMP? You Are No Longer PCI Compliant
When Panasonic decided to concentrate on their workstation business last year, they discontinued support for their software products, including the System Manager Pro (SMP) point-of-sale software — leaving nearly 3,500 merchants and quick service restaurants (QSR) at a loss. Merchant Link partner Don Bunt provided an insightful post about how Bunt Software and Merchant Link created a PCI compliant solution for Panasonic SMP users called SMPLink™.  Check out the full post here.

Most Notorious Hacker Sentenced; DOJ’s Perspective
In early 2010, Albert Gonzalez, one of the most notorious hackers to date, was sentenced to 20 years in prison for leading the attack on TJX and other retailers. More than 90 million credit and debit card numbers were stolen at a cost of hundreds of millions to the affected retailers. Here’s a podcast that we ran (courtesy of the ITAC blog) with Kim Peretti, Former Senior Counselor, DOJ, who discusses her role in bringing down Albert Gonzalez.

“Security is a Moving Target:” Staples Security Analyst at RSA 2010
The editorial team of SecurityCents was armed with a video camera at RSA 2010 and was able to secure an on-the-spot interview with Carlton Jones, Security Analyst at Staples Inc., who discussed what guides Staples’ security philosophy from best-of-class investments to using business cases to making on-going process improvements.  Check out the full video here.

We could have made this post longer – there were simply too many good posts to choose from! As we continue to make SecurityCents the ideal destination for all news and commentary related to secure payments in 2011, we welcome all comments and feedback on how to make this blog even more effective in the coming year.