Archive for May, 2010
PCI Compliance Doesn’t Have To Be Painful
Two technologies–end-to-end encryption and tokenization–may go a long way toward protecting credit-card data.
By Andrew Conry-Murray
InformationWeek
May 22, 2010 12:00 AM (From the May 24, 2010 issue)
Security pros have a love-hate relationship with PCI. On one hand, the standard compels management to invest in security and mandates operational best practices. Failure to toe the line can result in fines and penalties, including increased costs for credit card transactions. Visa, MasterCard, and other card brands could go so far as to revoke a company’s right to process cards, effectively killing the business.
Such consequences get noticed by executives. “We have a security operation because of PCI,” says Bob Kemp, manager of IT security for Sheetz, a chain of gas stations and convenience stores. Sheetz is a Level 1 merchant, which means it processes at least 6 million credit card transactions every year. As such, Sheetz is required by PCI to be assessed by a third-party entity called a Qualified Security Assessor, or QSA, to ensure it complies with the standard.
But on the other hand, security pros also have beefs with the standard. At the top of the list is the notion of safe harbor–or the lack of it. While PCI is mostly sticks, one carrot for merchants is that the card brands can’t fine them if they’re breached, provided the merchants were compliant at the time of the breach. This safe harbor is offered as an incentive to promote compliance. Visa’s Web site includes this statement: “Visa may waive fines in the event of a data compromise if there is no evidence of noncompliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach.”
The key phrase is “full compliance at all times.” On the surface, that’s reasonable, until you understand that a company is technically compliant only at the time of the assessment: a QSA validates a point-in-time snapshot. Once the QSA leaves, the company’s status falls into a zone of uncertainty.
Two technologies–end-to-end encryption and tokenization–may go a long way toward protecting card data and ending this uncertainty. As we’ll discuss in detail in our full report, available free for a limited time at informationweek.com/analytics/pciupdate, several large card processors offer, or will soon offer, devices that can encrypt card data at the point of sale.
For instance, Merchant Warehouse offers encrypted card readers, which the company says are being used in about 1,000 locations. The system can also return tokens rather than card data to merchants and retailers; the tokens can then be used for common follow-on transactions such as voiding or refunding a purchase, so the merchant never has to store the card number itself. In 2009, payment processor First Data announced Secure Transaction Management, a service that encrypts card data at the PoS application and sends it to First Data to be decrypted. And Heartland Payment Systems will soon launch E3, a program for point-to-point encryption and tokenization. The processor is offering PoS terminals that have a hardware-based encryption module from Thales.
Shifting liability is a key selling point of end-to-end encryption and tokenization. If these technologies reduce the scope of a PCI assessment and lower the risk of card data being stolen at the retailer’s site, widespread adoption is virtually assured. And that’s good for all of us.
5 AREAS TO VET CRYPTO, TOKEN VENDORS
1. Depth of knowledge: Ensure the vendor can demonstrate its products adhere to PCI guidelines.
2. Level of commitment: You could end up locked in to the payment processor that provides your encryption or tokenization service. Can you live with that?
3. Hard trumps soft: Systems that encrypt card data at the point of swipe using a hardware module are superior to point-of-sale terminals that perform encryption using only software.
4. Ask for assurance: There are many potential points of failure: shoddy key management, places in the processing chain where encrypted data is decrypted and re-encrypted, caches of clear-text card data outside your boundaries. Get audit results.
5. Don’t get complacent: Adopting end-to-end encryption and tokenization won’t magically make you PCI compliant. Any business process that demands card data in the clear should raise a red flag.
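To make the tokenization flow concrete, and to show what “caches of clear-text card data outside your boundaries” (item 4) looks like in practice, here is an added Python example written for this page. It is not code from Merchant Warehouse, First Data, Heartland or any other processor: the ProcessorVault and Merchant classes, the find_pans scanner and the well-known test number 4111111111111111 are all constructed for the illustration. The vault is an in-memory dict standing in for a processor-side service that would keep PANs encrypted under HSM-managed keys, and sale() stands in for the hop from an encrypting card reader to the processor that the merchant application never sees.

```python
import re
import secrets

# Constructed sample PAN: a widely published test number, not a real card.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that real PANs carry."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side token vault (simulation for this example).
    A production vault keeps the PAN column encrypted under HSM-managed keys
    and sits entirely outside the merchant's network; the dict is a stand-in."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        """Issue a token for a PAN.  The last four digits are preserved so receipts
        and customer service keep working; the rest is random.  A candidate that
        happens to pass Luhn is discarded, so a token can never be mistaken for,
        or replayed as, a real card number."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_valid(token) or token in self._pan_by_token:
                continue
            self._pan_by_token[token] = pan
            return token

    def refund(self, token: str, amount_cents: int) -> dict:
        """Refund against a token.  The PAN is resolved only inside the vault and
        is never handed back to the caller."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"status": "declined", "reason": "unknown token"}
        # In a real processor the PAN would now be sent to the card network.
        return {"status": "approved", "last4": pan[-4:], "amount_cents": amount_cents}


class Merchant:
    """Merchant application that stores tokens only.  In the encrypted-reader
    model the PAN travels from the reader to the processor without the merchant
    software ever seeing it; sale() stands in for that hop."""

    def __init__(self, processor: ProcessorVault):
        self.processor = processor
        self.orders = {}                    # order id -> token, never a PAN

    def sale(self, order_id: str, pan_from_reader: str) -> str:
        token = self.processor.tokenize(pan_from_reader)
        self.orders[order_id] = token
        return token

    def refund(self, order_id: str, amount_cents: int) -> dict:
        return self.processor.refund(self.orders[order_id], amount_cents)


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list:
    """Scan text (logs, database dumps, backups) for clear-text PANs: digit runs of
    card length that pass Luhn.  Tokens from the vault above never pass Luhn, so
    they are not flagged."""
    return [run for run in PAN_CANDIDATE.findall(text) if luhn_valid(run)]


if __name__ == "__main__":
    vault = ProcessorVault()
    shop = Merchant(vault)
    tok = shop.sale("order-42", TEST_PAN)
    print("token stored by merchant:", tok)
    print("refund:", shop.refund("order-42", 1999))
    # The merchant's own records contain no PAN; a careless log line does.
    print("PANs in merchant records:", find_pans(repr(shop.orders)))
    print("PANs in a bad log line:", find_pans("auth ok pan=" + TEST_PAN))
```

Two design choices carry the security point. Tokens are random rather than derived from the PAN, so a stolen token table tells an attacker nothing, and they are forced to fail the Luhn check, so a scanner (or a fraudster) cannot confuse them with card numbers. The find_pans scanner is deliberately crude, but it is the kind of check to run over logs, databases and backups before an assessment: any system where it finds a hit is handling clear-text card data and is therefore in PCI scope, whatever the vendor’s brochure says.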
New Data Privacy Program By Trustwave
Chicago, May 6, 2010 — Trustwave, a leading provider of information security and compliance solutions, has launched a first-of-its-kind Data Privacy Program comprised of security services that help businesses protect their customers’ personally identifiable information (PII) and other sensitive data.
Organizations in specific industries have long been subject to compliance mandates, such as the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA), requiring them to protect sensitive data. New data privacy legislation broadens that scope to all businesses that receive, store or have access to PII, which is sometimes defined simply as a person’s name and driver’s license number. Data privacy laws already exist in 46 states and legislation designed to protect PII is currently pending on the federal level. Securing sensitive consumer data has become a required ongoing process, including businesses that do not handle credit card information or other sensitive financial data.
The cost of protecting PII is significant, with businesses that experience a breach often incurring the direct expenses of public notification, additional customer service burdens and credit monitoring for affected consumers. Indirect costs such as brand damage can result in loss of business and deterioration of market value. However, recent industry analyst reports have shown that the implementation of a data protection program can cost less than two percent of the expense of containing a data breach once it has occurred. Trustwave’s Data Privacy Program is the first such data protection offering specifically designed to help organizations protect PII.
“Our compliance engagements and forensic investigations reveal that many organizations do not know where sensitive data is stored within their environment,” says Robert J. McCullen, chairman and CEO of Trustwave. “Trustwave’s program is a comprehensive approach that will help implement key security initiatives to facilitate data management and protect sensitive data to help ensure the business is meeting data privacy regulations.”
The Trustwave Data Privacy Program helps businesses and organizations establish and maintain a compliance program that meets data privacy requirements. To help protect organizations from breach-related expenses, the program offers the following for large and small businesses:
- Assistance in developing applicable security policies for the protection of personal information
- Discovery and classification of personal information stored in the corporate environment
- Encryption of personal information at rest and in transit
- Identification of asset vulnerabilities
- Employee education regarding computer system and personal information security
The Trustwave Data Privacy Program is structured to protect the information handled by all types of businesses and organizations, regardless of the manner in which personal data is stored or transmitted. Key components of Trustwave’s program focus on Physical Data Privacy (PDP) and Electronic Data Privacy (EDP) and include the following options:
- PDP – protects entities that maintain PII physically, but do not store or transmit such information electronically
- EDP Core – protects entities that store PII electronically
- EDP Mobile – protects PII stored electronically on mobile devices
- EDP Transport – protects PII electronically transported over public networks
“I’m proud of our role as pioneers in the evolution of data protection – there’s not another program like this in the marketplace,” says McCullen. “This is really just another demonstration of Trustwave’s commitment to delivering security and compliance solutions that solve real world problems for our customers.”
About Trustwave
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com .
Source: Company press release.
STAR® Network Signs SunTrust to Exclusive Agreement for PIN Debit Access
ATLANTA, May 03, 2010 (BUSINESS WIRE) — First Data Corporation today announced that its STAR® Network has signed a multi-year agreement with top-ten debit card issuer SunTrust Banks Inc. to provide PIN-secured debit point-of-sale (POS) and ATM access to its cardholders.
Atlanta-based SunTrust is one of the largest banks in the United States, with approximately 1,700 retail branches and 2,800 ATMs across the Southeast and Mid-Atlantic. STAR is one of the nation’s leading electronic funds transfer networks with more than two million retail and ATM locations.
“Our choice of PIN debit network was based on a client-centric approach to decision-making and required an exhaustive evaluation of the leading providers in the market,” said Steve Karp, senior vice president, Enterprise Payments Strategy, for SunTrust. “Throughout that process, STAR demonstrated to SunTrust its unwavering focus on creating value for their members, bringing best-in-class innovation to the market, and leveraging their talented and committed senior leadership team. We believe we’ve selected the best network and long-term partner.”
“This is a huge win for us,” said Kevin Barry, general manager for the STAR Network. “Our new relationship with SunTrust is a validation of our commitment to lead the industry with superior customer service and the most innovative products. SunTrust’s progressive view of payments will be a great match for STAR and our members.”
First Data provides signature debit and credit card processing and production to SunTrust, as well as merchant processing services to the bank’s business and commercial customers. Through the merchant processing alliance, SunTrust can offer a full suite of electronic payment products and services including credit, debit, check, and gift card programs to its business customers throughout the Southeastern United States.
Terms of the agreement remain confidential.
About SunTrust Banks, Inc.
SunTrust Banks, Inc., headquartered in Atlanta, is one of the nation’s largest banking organizations, serving a broad range of consumer, commercial, corporate and institutional clients. As of March 31, 2010, SunTrust had total assets of $171.8 billion and total deposits of $118.7 billion. The Company operates an extensive branch and ATM network throughout the high-growth Southeast and Mid-Atlantic states and a full array of technology-based, 24-hour delivery channels. The Company also serves clients in selected markets nationally. Its primary businesses include deposit, credit, trust and investment services. Through various subsidiaries the Company provides mortgage banking, insurance, brokerage, investment management, equipment leasing and capital markets services. SunTrust’s Internet address is SunTrust.com.
About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the aggregate data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries. For more information, visit www.firstdata.com.
SOURCE: First Data