Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘TransactionShield’

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011,  I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data.  The first documents were released in late 2010 and focused on point-to-point encryption followed by tokenization and virtualization.  In the New Year, the Council will focus on three new areas including cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance.  In some cases, it’s really just unsubstantiated marketing hype.  At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope and we wanted to offer our customers a third-party validation of this fact.  Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security.  As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog that we avidly follow here at Merchant Link.  For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here!  Finally…well…sort of.  The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communication (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones.  It’s been an interesting progression to watch and something we will certainly keep an eye out for, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011?  Share them with us by posting a comment below.

By Sue Zloth

Today, the PCI Council officially released the Tokenization Guidelines document.  As a member of the task force, I can tell you that we’ve been working on this guidance for the better part of two years, so we are happy to see that it has finally been released publicly.  The guidance provides much-needed direction on how to implement a tokenization solution and how it may reduce the scope of the cardholder data environment (CDE).

Already, there have been a lot of questions and conversation around this.  In fact, a lot of buzz has been circulating early this morning.  The first question is “Does Merchant Link meet these guidelines?”  We do.  The second question is, “Are tokens in- or out-of-scope?”

Specifically, the guidelines state that to be considered out of scope for PCI DSS, the tokens would need to have no value to an attacker attempting to retrieve primary account numbers (PANs).  In addition, the guidelines state that tokens that can be used to initiate a transaction can be in scope for PCI DSS, even if the tokens can’t directly be used to retrieve the PAN or other cardholder data.  For solutions which support these types of tokens, the guidelines state that there must be additional controls in place to detect and prevent fraudulent transactions.  This is where I feel the Council’s document fell short: it introduced the concept that tokens may potentially be back in scope without providing guidance as to how to keep them out of scope.

Here at Merchant Link, we developed our TransactionVault™ tokenization solution to minimize the risk of cardholder data theft for our merchants.  We use multiple layers of authentication to confirm that the originator of a tokenization, de-tokenization or payment request is an authorized user.  For example, we won’t simply accept a transaction request from anyone. They need to authenticate themselves to us before we will perform their transaction request.

Additionally, our tokens can only be used to perform a transaction at the merchant that was the original recipient of the token.  If we receive a request to perform a transaction using that token from any other merchant, it won’t work.
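The two controls described above, an authenticated requester and a token that is only honoured for the merchant it was issued to, as an added illustration; this is not Merchant Link’s code, and the merchant IDs, API secrets and the card number are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed per-merchant shared secrets (hypothetical, not real credentials).
MERCHANT_SECRETS = {"merchant-A": b"secret-for-A", "merchant-B": b"secret-for-B"}


def sign(merchant_id, body):
    """Client side: authenticate a request body with the merchant's secret."""
    return hmac.new(MERCHANT_SECRETS[merchant_id], body.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy vault: a token is random (carries no PAN information) and is bound
    to the merchant that received it, so it has no value to anyone else."""

    def __init__(self):
        self._vault = {}  # token -> (issuing merchant_id, pan)

    def _verify(self, merchant_id, body, mac):
        secret = MERCHANT_SECRETS.get(merchant_id)
        if secret is None:
            return False  # unknown requester: refuse before touching the vault
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def tokenize(self, merchant_id, pan, mac):
        if not self._verify(merchant_id, "tokenize:" + pan, mac):
            raise PermissionError("unauthenticated tokenization request")
        token = secrets.token_hex(16)  # unrelated to the PAN; not reversible
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, amount, mac):
        """Payment request using a token; only the issuing merchant may use it."""
        if not self._verify(merchant_id, f"charge:{token}:{amount}", mac):
            raise PermissionError("unauthenticated transaction request")
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            # Unknown token, or a token presented by a different merchant.
            raise PermissionError("token not valid for this merchant")
        issuer, pan = entry
        return f"approved {amount} for card ending {pan[-4:]}"
```

A token stolen from merchant-A is useless to merchant-B even with merchant-B’s valid credentials, and useless to anyone without a merchant credential at all, which is the condition the guidelines set for keeping tokens out of scope.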

But ultimately, what we urge for all of our merchants is a layered approach utilizing point-to-point encryption and tokenization together, providing the needed level of security to protect cardholder data and reduce the risk. The Council agrees and is pushing merchants to combine both technologies.

By Michael Ryan

Recently, Gartner Group surveyed U.S. retailers looking at the spending levels for PCI compliance.  The findings reflect much of what we’ve seen in the market as we have discussions with major retailers.  Most big brands have already taken steps to achieve PCI compliance, and so 89 percent of Level 1 merchants surveyed were compliant while 57 percent of merchants that fall between Level 2-4 were compliant.  But interestingly, the survey found that Level 2-4 merchants are spending more on compliance.

So what gives?

Of course, the spending increase for lower level merchants could just be basic math.  There are far more retailers at the lower levels than at Level 1, half of which still need to take steps to become PCI compliant.

One of the motivations that Gartner analyst, Avivah Litan, points to is that the merchant-acquiring banks that enforce PCI compliance on behalf of the card brands like Visa, MasterCard etc., have been contacting Level 1 merchants, reinforcing the message that they must be in compliance with PCI standards.  Fines and threats are usually effective motivators.

The cost increases for Level 2 merchants are just the associations’ long-term plans playing out. They started with e-commerce merchants, moved to the largest retailers and are now increasing pressure on the next level of retailers who are currently not meeting compliance standards.

The pressure is good and we do hope that retailers realize that becoming PCI compliant is necessary, but only a baseline.  In fact, Gartner predicts that by the end of 2012, 75 percent of the retailers that are breached will be PCI compliant.

So what is a retailer to do?

Use PCI standards as a baseline for protection but understand that newer technologies are available to remove the sensitive data from their systems altogether and ensure that they have a layered approach to securing their networks.  From encryption to tokenization, retailers must realize the benefits of implementing these technologies including reductions in the scope of PCI audits as well as minimizing card data exposure, making retailers a less attractive target for attacks.

Independent Assessment by Industry-Leading PCI QSA Finds That Merchant Link’s Encryption and Tokenization Solutions Enhance Transaction Security for Merchants.

Merchant Link’s TransactionShield™ and TransactionVault™ solutions can significantly reduce merchants’ PCI DSS scope, according to an independent security assessment released today by Coalfire Systems, Inc., a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) company.

Merchant Link’s TransactionShield is a point-to-point encryption (P2PE) solution that ensures that customer data is secure from the moment their credit card is swiped.  Merchant Link’s TransactionVault tokenization solution removes customer credit card data from the merchant’s network, where it would be at risk from hackers. The data is instead stored in Merchant Link’s hosted vault.  The combination of TransactionShield and TransactionVault secures both data in flight and data at rest, and reduces the cost and effort of attaining and maintaining PCI compliance.

“Merchants continue to be plagued by data breaches caused by inadequate security controls or applications which allow access to sensitive payment card data,” said Kennet Westby, president and COO of Coalfire.  “Merchant Link’s comprehensive offering including both tokenization and encryption can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.”

“Merchants are currently burdened with having to keep all customer data secure while also meeting challenging PCI requirements,” said Dan Lane, President and CEO of Merchant Link.  “Coalfire’s assessment of our P2PE and tokenization solutions further validates that Merchant Link can provide transaction security solutions that go beyond current PCI requirements, ultimately allowing merchants to focus on their core businesses.”

Coalfire’s assessment, which included technical testing, architectural assessment, industry analysis, compliance validation and peer review, found that:

  • TransactionShield will leverage multiple encrypting point of interaction (POI) devices deployed in the merchant network and a Merchant Link-hosted decryption system which eliminates the transmittal of cleartext cardholder data through the entire merchant network.
  • TransactionVault can eliminate post authorization storage of cardholder data from a merchant’s network by storing it in Merchant Link’s PCI DSS compliant data centers.
  • TransactionShield is aligned with Visa Best Practices for Data Field Encryption published by VISA in October 2009, as well as guidance provided in the Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance published by PCI SSC in October 2010.
  • TransactionVault is aligned with Visa Best Practices for Tokenization guidance published by VISA in July 2010.
  • Properly deployed, implementation of the TransactionShield and TransactionVault solutions together can effectively remove merchant retail POS systems from the scope of PCI DSS by:
    • Capturing card data only via a TransactionShield integrated POS application and encrypting Point of Interaction (POI) device;
    • Strongly encrypting card data at the TransactionShield point of capture in a secure, restricted access, encrypting POI device, where the merchant has no ability to decrypt the card data;
    • Storing only card data tokens post authorization as returned by TransactionVault.

To learn more about Merchant Link’s TransactionShield and TransactionVault, and obtain the report, click here.

About Coalfire

Coalfire is a leading, independent IT audit and compliance firm that provides information technology (IT) audit, security assessment and IT compliance management solutions.  The company has grown rapidly since being founded in 2001 and now completes more than 1,000 projects annually in retail, financial services, healthcare, government and utilities.  Coalfire has developed a new generation of technology-enabled IT compliance management tools under the Navis brand.  These tools enable Coalfire to efficiently deliver governance, risk and compliance (GRC) services and keep pace with rapidly changing regulations and best practices.  Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, including the PCI Data Security Standard, Gramm-Leach-Bliley Act, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, please visit www.coalfiresystems.com.

About Merchant Link

Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retail merchants. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com.

The Georgia Center, a conference center and hotel with 200 rooms and suites on the campus of the University of Georgia (UGA), will be providing a more restful night’s stay for their guests moving forward. That’s because the Georgia Center is working with Merchant Link to install the company’s TransactionShield™ point-to-point encryption solution to ensure that customer data is secure from the moment their credit card is swiped.

“We have always sought to be aggressive when it comes to our approach to data security,” said Corey Doster, the IT Director at the Georgia Center.  “Merchant Link solutions help us meet and exceed our PCI compliance requirements while removing the customer data completely from our premises.  The addition of TransactionShield provides another layer of security to protect our faculty, staff, students and campus visitors against theft and misuse.”

The Georgia Center, which serves over 42,000 guests every year, has been a longtime customer of the Merchant Link Payment Gateway™ since August 2006. The conference center and hotel also deployed Merchant Link’s TransactionVault™ tokenization solution last year with significant success. By combining the two solutions, the Georgia Center removed sensitive data completely from their systems.

The recent addition of the TransactionShield point-to-point encryption solution will extend the protection of customer data from the moment the credit card is swiped and as data travels through UGA’s IT environment to the Merchant Link network. New credit card readers immediately encrypt credit card data and decryption does not occur until it reaches Merchant Link’s cloud-based payment gateway. Once authorization is received, data is sent back to UGA’s Micros OPERA Property Management System in the form of a token.

The implementation of TransactionShield at the Georgia Center is Merchant Link’s first point-to-point encryption installation. Following the successful implementation at the Georgia Center, Merchant Link expects to rapidly deploy the solution to other hotel, restaurant and retail merchants around the country.

About the Georgia Center

The Georgia Center, the University of Georgia’s Conference Center and Hotel, is located on the beautiful, historic campus of UGA in Athens, Georgia. The Center includes a 200-room hotel, four onsite dining options, banquet areas, conference rooms, auditoriums, a fitness center, and a computer lab — all under one roof.

For additional information, go to http://www.georgiacenter.uga.edu.

About Merchant Link

Merchant Link is a leading provider of cloud-based payment gateway and data security solutions, removing the risk and hassle from credit card acceptance for more than 150,000 hotel, restaurant and retail merchants. Founded in 1993 and headquartered in Silver Spring, Md., Merchant Link currently enables more than 3 billion transactions annually for some of the world’s best-known merchants, providing connectivity to the major U.S. payment card processors. TransactionVault™, our tokenization solution, and TransactionShield™, our point-to-point encryption solution, mitigate the risk of a data compromise while lowering the cost and effort of PCI compliance. Further information is available at www.merchantlink.com. For our expert opinion on encryption, tokenization and PCI compliance, visit the Merchant Link blog at www.merchantlinksecuritycents.com.