Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ tokenization ’

Partnership adds more devices to Merchant Link’s growing portfolio of P2PE integrations

Merchant Link is proud to announce that it has completed integration with ID TECH’s encrypting point-of-interaction (POI) devices, to increase P2PE hardware options for its customers. 

“By combining ID TECH’s secure encrypting payment devices with Merchant Link’s layered solutions, our customers can obtain the highest level of security and support for their payments,” said George Jiang, Vice President of Engineering for ID TECH.

The integration adds support for ID TECH’s innovative encrypting card readers to Merchant Link’s TransactionShield® point-to-point encryption solution. Data is encrypted the moment a credit card is swiped or entered on a keypad. The data is then passed through the merchant environment and sent to Merchant Link’s cloud-based gateway for decryption and authorization. Cardholder data is replaced with tokens that are sent back to the POS to reference the transaction. The entire process removes all unencrypted data from the merchant environment.

Properly deployed, implementation of these solutions can remove merchant POS systems from the scope of PCI DSS, easing compliance efforts and cost. The use of industry-standard encryption and key management practices saves on the cost of proprietary encryption licensing fees. In addition, Merchant Link’s processor-neutral gateway offers the flexibility to switch amongst processors quickly and efficiently, keeping merchants in control of their payment partners and rates.

“The addition of ID TECH to Merchant Link’s portfolio was a strategic business decision based on customer demand,” said Geoff Krieg, Vice President of Product Management for Merchant Link. “We are pleased to support merchants using these products.”

Certification is complete and the first beta site is live. Integration is available for customers using ID TECH’s SecureMagTM, SecurePINTM 130 SL, SecureKeyTM, SecureKeyTM M100 and M130, Sign&PayTM, and Secure Line Mobile devices.

There was plenty of talk this week about data security strategies and technologies at the 2012 MICROS and OPERA Hospitality Users Conference.

 As a long time partner of MICROS, we were the first to integrate to the MICROS Simphony point-of-sale solution and we are excited to share the news with Simphony 2 users that they will soon have the ability to integrate our TransactionVault tokenization solution to enhance security of their stored credit card data.

Below, MICROS product manager Nick Low reveals some of the latest features just announced as part of version 2.5 of the platform.

When it comes to evaluating payment data security technologies….are you following the 5 “S’s”?
scope, study, support, seek, secure

If you’re not, how can you really know your data is protected and secure? Too often merchants go with the solution that is directly in front of them. They are focusing on their business, selling their products and services to their customers, and security and PCI simply get in the way. But one breach and suddenly, all of their hard work is gone.

A breach of merchant data not only hurts the consumer, but it harms the merchant as well. PCI will fine merchants in the case of a negligent breach and once the word gets out, consumers become weary of doing business with you – so the merchant’s brand reputation is impacted.

The process of evaluating all the different payment security technologies out there doesn’t have to be complicated or time-consuming. Follow these 5 simple steps…

  1. SCOPE – Examine your data flow and look at where data is stored
  2. STUDY – Educate yourself on security methods, technologies, and PCI compliance
  3. SUPPORT – Inventory current systems – your hardware, software, and processors – and understand how will integrate to the technology
  4. SEEK – Evaluate vendors and seek answers to key questions
  5. SECURE – Implement the right mix of methods and technologies to secure  cardholder data

If you don’t know whether or not your data is protected and secure, give us a call.

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web.  Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
Brain Hacking: Scientists Extract Personal Secrets With Commercial Hardware <Tweet this article>
by Gregory Ferenstein
Chalk this up to super-creepy: scientists have discovered a way to mind-read personal secrets, such as bank PIN numbers and personal associations, using a cheap headset. Utilizing commercial brain-wave reading devices, often used for hands-free gaming, the researchers discovered that they could identify when subjects recognized familiar objects, faces, or locations, which helped them better guess sensitive information..…….Click here to read more

PCI SSC’s Bob Russo on point-to-point encryption, PCI compliance <Tweet this video>
by SeachSecurity
In this video interview, Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), discusses tokenization, point-to-point encryption, PCI compliance issues, and the state of guidance documentation for emerging technologies. According to Russo, the PCI SSC is currently assessing hardware-based point-to-point encryption products and plans to produce a list of approved PIN transaction security (PTS) devices by the end of 2012..……. Click here to watch video

Mind the Gap: PIN versus Signature Authentication <Tweet this article>         
by Douglas A. King
The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions..……. 
Click here to read more

What other interesting content have you come across? Leave a comment below and join the discussion

About 18 years ago, I facilitated a test for a pay at the table application for VeriFone. The system was extremely clunky but way ahead of its time, and only did one thing – process the payment tableside. The handheld devices were heavy and really confused the guests. During a site visit about two weeks later, I noticed most of them were gathering dust on a shelf under the POS system. The servers all agreed that while they definitely received higher tips using the handhelds, it just wasn’t worth the trouble.

Wow, have we come a long way! Now the application that the server can take to the table includes the menu, transmitting orders, payment processing and so much more. The quantum shift in our industry is a movement towards these tablet POS systems. At RSPA’s RetailNOW 2012 show, nearly all of the POS vendors were showcasing – or at least discussing – their tablet applications. Some applications resided solely on the tablet, while others used the device as an order entry point for the main POS server. They take up less space and give a cutting edge look to the POS system. The look is so sleek that while having lunch during the conference I glanced at an older POS sitting on the counter and remarked that it almost looked “old fashioned” now after seeing all of the tablets.

The one question I have of these systems is “Does it employ encryption at the swipe?” Most of the time the answer is “yes” which points to another shift in our industry. For a POS system to not include encryption at the swipe seems to me like a dangerous oversight. Combine encryption with tokenization, and you’re not only enhancing data security, you’re also effectively taking the POS system out of PCI scope. Why wouldn’t a developer go ahead and include both? Unfortunately, some make no mention of it at all.

Mobility is probably the biggest advantage of the tablet-based POS. A server can comfortably walk around the restaurant, transmit orders to the bar, kitchen or service station without ever leaving the floor. An expediter can deliver food without a trip to the workstation. I heard one example of a server ordering appetizers for a table and the dish arriving before completing the rest of table’s dinner order! QSR locations could use the tablet for guest ordering or “line busting.” All of this translates into faster table turnover and guest satisfaction. A secure credit card transaction can also be run tableside without the guest’s credit card ever “disappearing into the kitchen.”  Each application has its own approach, but I have noticed some drawbacks on some of them:

  1. One system seemed to require the guest to include the tip in the original authorization amount, which is very awkward.
  2. Some required the server to carry a printer which seemed clunky. I trust it is only a matter of time when a truly ergonomic mobile printer is developed.
  3. Some allow the guest to sign the tablet. This facilitates signature capture but requires the server carry two tablets, so their lifeline to the restaurant isn’t cut while the guest closes out their own ticket.

Cost is where a merchant should really examine what they are getting and the long term impact. There are some really inexpensive, entry level systems but long-term operating costs should be calculated. System developers need to make revenue somewhere. There are tablet applications for less than $50 plus the cost of the tablet and card reader. This would lead me to believe that the revenue will come from a fee built into the payment processing transaction costs. Bundling the fee is a convenient and beneficial model for some, but those with higher traffic could pay much more in the long run. For security purposes, any tablet application that does not include at a minimum, encryption at the point of swipe should be avoided. The security features may cost extra, but it is just not worth risking a breach.

One more note…two of the POS companies at the RetailNOW Show described open-architecture, cloud-based POS systems. The restaurateur would purchase a low-cost base application and then buy “add on” features from an app store. Innovative developers would then be encouraged to put their applications in the app store to participate in the revenue stream. A novel approach and it will be interesting to see if it catches on.

What are your thoughts on tablets at tables? Let us know by leaving a comment below.

Last week while watching Michael Phelps win his 20th Olympic medal, I was also reading a very interesting post on PCI Guru’s blog that discusses a topic covered in the latest Assessors newsletter. What do these two diverse topics have in common? Read on and see.

The blog post I mentioned refers to pre-authorization data and scope; a topic which has oft been the subject of discussion. Is pre-authorization data in scope with regard to PCI or not? While my personal belief is that it should always be considered in scope, the source of this debate comes from the fact that the standard does not really call it out. Indeed, many of the requirements are specific to post-authorization (such as restrictions on any storage of sensitive authentication data). In the newsletter, the PCI Council definitively states “PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization.”

 OK, so card data is in scope regardless of its authorization state wherever it is stored, processed or transmitted. But what does that mean to the merchant, other than putting a final period on the debate? The Council’s statement here is really one of common sense. Card data is not any less valuable before authorization than after it.

Generally, the length of time that data remains pre-authorization is short. That can vary however, especially when one considers new fees such as the Visa Zero Floor Limit Fee which adds a fee to any transaction that is settled without authorization. Merchants are incented to store the data to ensure they can receive an authorization prior to submitting for settlement. 

The PCI Council leaves the requirements regarding storage of pre-authorization sensitive authorization data up to the individual payment brands. They did state however, that any storage of SAD prior to authorization would be held to a higher standard of security and controls. Regardless of what PCI states, from a risk perspective it’s just good practice for merchants to secure all credit card data, and to remove as much of it from the merchant environment as possible. Point-to-point encryption and tokenization can play a role in effectively removing and securing card data.

For merchants, it’s tempting to let the realities of day-to-day operations take priority over complex topics like PCI, kicking the can down the road so to speak. This brings us back to the Olympics. Michael Phelps mentioned in an interview all the various obstructions that his coach created during his training. One that stood out was his coach stepping on his goggles to crack them, so they would fill with water during Michael’s next swim. This was to prepare Phelps for any situation that could occur in competition. Sure enough, during one of his races, his goggles did fill with water and he had to rely on counting strokes to know where he was. Without that preparation, he might not have been prepared for that hurdle.

Similarly, merchants need to prepare themselves for the day when they may be the target of an attack. Whenever I hear the argument that pre-authorization data can be considered out of scope because the PCI DSS doesn’t specifically say, I know I’m talking to someone who is not taking a long term ongoing approach to PCI. Just like Michael Phelps trains for all eventualities, merchants today must prepare to face the threats of tomorrow. Look closely at your environment. Have you effectively secured data pre-authorization? Do you know every place that card data exists within your environment? In a recent blog post, one of my colleagues wrote about the security training that every Merchant Link associate participates in. Security is more than a moment in time, or a specific job role. It’s something that everyone needs to be aware of.

Oh, and just to remind you, the Council has spoken. It IS in scope.

Watching the Olympics, it’s always fascinating (and heartbreaking) to see how split seconds and minor missteps are what ultimately separate the winners from the losers. In fact, that’s why the technology that’s used at the games is incredibly important…with high-speed cameras, lasers and sensors that measure in the hundredths to thousandths of seconds.

Yesterday in the 200 men’s butterfly, Michael Phelps led almost the entire race and was on his way to winning his 18th medal when in the very last stretch South Africa’s Chad le Clos reached farther and touched the wall just .05 of a second before Phelps. It was so close that Michael’s mother and even his coach thought he’d won. (Check out the video here.)

The Olympics aren’t the only place where the smallest mistake or split-second lull in your resolve can bring heavy consequences. Protecting your customers’ payment data requires the same level of precision and persistence.

Examine how payment data is flowing through your network. When a credit card is swiped or entered into the system, how and when is that data being secured? Encryption should occur at, or as close as possible to, the point of interaction (POI). If it’s left “in the clear” even for a millisecond, that provides a window of opportunity for a hacker to place a piece of malware there and steal the data. Point-to-point encryption (P2PE) is one way merchants are preventing theft of data in-transit. To protect stored data, tokenization is an effective method. Both technologies can be employed in tandem to protect payment data end to end.

And don’t discount the human, or psychological factor. By the time athletes arrive at the Olympics, they’ve put in countless hours of training and are ready physically but if they’re off mentally at the moment it counts it can hurt their performance. Similarly, merchants can implement the most advanced security technology available but if they don’t prepare their staff to guard against threats such as social engineering, their own people could be manipulated into divulging confidential information. Security is like a chain: It’s only as strong as its weakest link.

As a frequent business traveler, I appreciate the little amenities a hotel can offer me to save me time. One such amenity that’s starting to emerge is the use of smartphones to check-in, order services and check-out.

Imagine this:  On the date you’re set to arrive, you get a welcome text message from the hotel with a web address you can visit to check in. Once the check-in is confirmed, your room number and key is sent to your phone as well as a separate notification telling you when your room is ready. When you arrive at the hotel, you can bypass the front desk all together and go straight to your room where the door may be unlocked using your phone.

Recently, Merchant Link was invited by a hotelier to explore how we might extend the use of tokens so that we’re not only using them to safely store guest cardholder data for payment, but also using them as the primary way to authenticate and track a particular guest in the system and enable advanced applications such as this smartphone app.

With most security solutions, the encrypted card number stored in the database is different every time the guest uses that card. With card-based tokens, the same token is returned for a particular card each time the guest uses it. This functionality provides a way for hoteliers to accurately track guests and provide extended services to them.

I recently came across another partner that is using our card-based tokens to “match and merge” guest profiles to consolidate records and prevent duplicates. This is much more reliable than say, using name or address, which may have been entered incorrectly or incompletely when inputted. This used to be done using card numbers but with encryption this just wasn’t possible without decrypting the card data first and opening a security gap.

The list doesn’t stop there though. Card-based tokens work well for a host of other uses:

  • Velocity checking and fraud prevention
  • Rewards profiles
  • Cross channel tracking
  • Business analytics

What other uses do you have for card-based tokens? Let us know by leaving a comment below.

There is little question these days that tokenization is an effective way to secure sensitive data and potentially lower PCI compliance costs. What people are still debating is HOW you go about implementing a tokenization solution and what considerations must be made in doing so. What is the best token generation method? Should you build an in-house solution or work with a third party vendor? Is the tokenization process and storage facility secure? Do tokens expire? Is it possible for collisions to occur between tokens, or between tokens and real PAN information?

As is frequently the case, the answer to all these questions is… it depends. Safe to say that there is no “one size fits all” solution. In order to find a solution that works best, companies must review their environment, the size and type of their business, and match specific capabilities against their existing business processes.

Today we hope to “demystify” some common tokenization components and uncover the myths surrounding various implementation approaches. Let’s start by defining what is “tokenization”?

Simply put, tokenization is the process by which we replace a valuable piece of information with a meaningless number or token. While all types of sensitive data can be tokenized, for the purpose of this discussion, the data in question is the PAN or Primary Account Number.

Randomly generated tokens are more secure than tokens generated using a sequential method.

According to the PCI Security Standards Council’s Tokenization Guidelines, the most important requirement in generating a token is that you cannot reverse engineer the token to derive the original PAN. Let’s look at an example.

Original Card Number
3872 3789 1620 3675

3898 2783 2990 3675

In this example, another 16 digit number was created where the first 2 and last 4 digits of the PAN were retained and the card type is identified within the newly generated token. (In payment applications it is often advantageous to retain the 16 digit format of the original card number because other systems that use the card numbers need not be altered to accommodate the tokens. This is called “format-preserving” tokenization.) The resulting token cannot be used as a financial instrument and has no value other than as a reference to the original transaction or real account. The 10 digits in the middle can be generated using a random number generator or as a part of a sequential counter. Either way though, what is important is that there is no direct mathematical relationship between the credit card data and the token. As for those who claim the random method is more secure, the probability of someone “cracking the code” when it comes to the sequential method is akin to getting struck by lightning while inside the president’s secret underground bunker. I could go into more detail and explanation, but I’d need more space than this forum allows (and fear I’d lose some readers along the way).

“Vaultless” tokenization is faster and more scalable than a “vaulted” solution.

There have been some articles suggesting that as the token vault grows, performance is affected and token “collisions” may occur. A token collision refers to a scenario where the same token could be generated for two different PANs. Another concern is tokens that are generated that turn out to be the actual PAN of another cardholder.

From the perspective of a traditional database model, it’s not unreasonable to assume that as a token database grows, token generation or retrieval requests could lead to latency issues. However, vendors with vast experience and expertise in “vaulted” tokenization methodology have designed systems to account for growth over time. Their network architecture is well thought out, thoroughly tested, and secure. Their transactions flow in ways that allow for multiple processes to occur in tandem so transactions can be routed immediately for processor approval or funding.

The devil is really in the details, and rather than lead you down another rabbit hole discussion, suffice to say that you shouldn’t believe every blanket claim you read. Ask prospective tokenization providers about their specific methodology and how they prevent latency and collisions.

Another important question to ask, particularly in a “vaultless” tokenization scenario, is how will you retrieve a PAN if you need it? Problems and issues sometimes occur and it’s important that vendors are able to quickly and securely access information and offer support in resolving any problems. The system requesting the PAN should be a validated system authorized to perform the request. The use of multi-factored or certificate-based authentication can address this need. In addition, there should also be a system of monitoring and alerts to ensure the request is from a valid source and brings awareness to any abnormal activity.

Home grown or premise-based tokenization is better than using cloud-based or third-party vendor hosted tokenization.

As stated earlier, there is no “one size fits all” solution that works best in all circumstances. There are many factors to consider when selecting a tokenization solution that fits your business needs, security and PCI goals. Home grown and premise-based solutions offer you total control over tokenization implementation but require a great deal of expertise not typically found in the average IT department. “Vaultless” tokenization is effective for large data to token conversions and higher volume merchants but additional questions should be considered for the handling of re-occurring payments, credits, refunds and other business practices that require the recall of a specific transaction or card number. Token requests and retrieval of the original payment data can put those segments of the merchant network infrastructure involved back into the card data environment (CDE).

For merchants looking to reduce their PCI scope as much as possible, cloud-based or hosted tokenization is an attractive option. With a cloud-based solution, stored PAN data is completely removed from the local IT environment. The card data is stored in a secure off-site “vault”, safe from hackers attempting to gain access to sensitive information. Hosted tokenization allows the merchant to run their business without the worry of possible data theft as well as the added benefit of reducing PCI scope and costs.

Yes, there is much to consider when selecting a tokenization strategy but the process shouldn’t require the average merchant to spend their valuable time researching every component. By partnering with a reputable and well established solution provider, understanding the basic concepts of tokenization and asking good questions, you can find a tokenization solution that fits both your security goals and your budget. We invite you to share your experiences, questions and comments below.

SILVER SPRING, MD (April 23, 2012) – Merchant Link, a leading provider of payment gateway and data security solutions, today announced it has been designated by AmericInn International, LLC as the preferred provider of payment and data security services for its franchisees. AmericInn® is one of the fastest growing limited service lodging chains with over 260 locations in 27 states. Locations utilizing an integrated property management system for payments are now required to install the Merchant Link solution.

“As credit card data breaches continue to make headlines, and as we continue to grow our business, we knew we had to do everything possible to secure the personal data of our guests,” shared Mark Nicpon, CIO, of AmericInn International, LLC. “Merchant Link’s hosted solution secures cardholder data from the moment of capture and ensures data is not stored anywhere on premise. The solution also helps ease PCI compliance effort and cost for our franchisees.”

The comprehensive solution incorporates the Merchant Link Payment Gateway, TransactionVault tokenization and TransactionShield point-to-point encryption technology. The Merchant Link Payment Gateway provides connectivity to all major processors and sends payments quickly, while detecting and correcting errors along the way. TransactionVault removes guest credit card data from hoteliers’ systems and stores it in a secure, hosted “vault” – away from the business and safe from hackers. TransactionShield encrypts data at the point of interaction and protects it as it travels through the hotel’s IT environment. Decryption occurs within Merchant Link’s cloud-based payment gateway, reducing the risk of comprise.

“AmericInn understands the importance of processing payment transactions securely as well as the value of the support services we provide their franchisees to access information and immediately remediate problems,” said Dan Lane, Merchant Link’s President and CEO. “We are proud that AmericInn has selected Merchant Link as the brand standard for its franchisees and we look forward to working with them.”

Installations are already underway and adoption across the entire chain is expected to be complete over the next 12 months.

About AmericInn
AmericInn® is a leading mid-scale lodging chain with over 260 locations currently open or under development in 27 states. The brand is dedicated to providing an exceptional lodging value for its guests by offering great rates and amenities such as free, hot, home-style AmericInn Perk breakfast, free hotel-wide wireless high-speed Internet, inviting swimming pools and Easy Rewards. AmericInn is part of Northcott Hospitality, owner and developer of successful franchised hospitality brands for more than 50 years. For more information on AmericInn development opportunities visit or call 1-866-220-7140. For AmericInn reservations visit or call 1-800-634-3444.