CardConnect in the News (http://www.cardconnect.com)

CardConnect Wins SmartCEO's Future 50 Award!
http://www.cardconnect.com/cardconnect-wins-smartceos-future-50-award/
Thu, 26 Feb 2015 20:29:22 +0000




CardConnect is pleased to share that we were featured as one of SmartCEO’s Future 50 award winners for 2015! The Future 50 Awards recognize 50 fast-growing, mid-size companies in the region.

From SmartCEO:

Growth Credited to Transparency

As a leading provider of secure payment processing and technology services, CardConnect has seen rapid growth. President and CEO Jeff Shanahan credits this growth to a combination of strategic acquisitions and technological innovation. CardConnect expanded quickly by acquiring nine companies to increase scale, cash flow and geographic reach. Through its acquisition of Princeton Payment Solutions in 2012, and with it, the firm’s gateway and Fortune 500 clientele, CardConnect transitioned from reselling into providing its own payment technologies.


Quick Tip: “Even with a great education, there is still everything to learn.”

CardConnect was founded with a desire to repair the lack of transparency and trust prevalent throughout the payment processing industry. Merchants entrust their processor with sensitive customer payment information, and breaches undermine a processing company’s reputation. CardConnect takes that responsibility seriously. Recently, CardConnect has been awarded two patents for securing confidential information through tokenization. It was also awarded a contract for the Social Security Administration’s payment acceptance needs. In the next five years, as paying with a plastic card becomes antiquated, CardConnect will have a fuller product suite that allows any type of business, small or large, to use the most contemporary payment acceptance technology.

Learn more about SmartCEO’s Future 50 Awards.


SmartCEO: CardConnect CEO Jeff Shanahan featured
http://www.cardconnect.com/smartceo-cardconnect-ceo-jeff-shanahan-featured/
Thu, 26 Feb 2015 20:15:06 +0000




By Samantha Drake

Photography by Mitro Hood

During the height of the December 2013 holiday shopping season, Target Corp. admitted a massive data breach had occurred, exposing the personal information of 40 million customers who had used their credit and debit cards at the retail chain.

Ultimately, Target found that the personal data of approximately 110 million customers had been compromised, which led to a nosedive in sales, scores of lawsuits against the retail giant, and state and federal investigations. A few months ago, Target’s CEO resigned.

The data breach didn’t surprise Jeff Shanahan at all. “We knew that was coming,” says Shanahan, 36, who took over as CEO of payment processor CardConnect in February 2014. “We knew there were many, many merchants out there that were taking peoples’ cards and not securing them from the minute they got them.”

Wake-up call

Huge data breaches tend to catch Shanahan’s attention because King of Prussia, PA-based CardConnect is in the business of making sure its clients’ in-person and online credit and debit card payment transactions are secure. Target’s was hardly the first big data breach, but it made CardConnect’s customers nervous enough to check in and make sure they were adequately protected, notes Shanahan.

“The Target thing was a wake-up call for our industry as a whole,” he says. In 2014 alone, Neiman Marcus Group Ltd., P.F. Chang’s China Bistro and Michaels craft store chains have all announced significant data breaches that compromised the information of millions of credit and debit card holders.

CardConnect’s goal is to ensure its customers don’t become a statistic in this disturbing trend. Its proprietary payment gateway and security products address the needs of merchants who accept credit and debit cards, as well as gift cards and loyalty cards. With more than 50,000 retail customers nationwide, ranging from the pizza place down the street to Fortune 500 companies, CardConnect processed $13.1 billion in card transactions in 2013, not including debit cards. The growing company brought in more than $349 million last year and has 125 employees, up from just 25 in 2010.

And along the way, Shanahan has made key strategic decisions that enabled the company to scale quickly by buying smaller, similar companies, and then focusing on obtaining technology CardConnect didn’t already have. At the same time, Shanahan drove CardConnect’s relocation from Ohio, led the company’s rebranding, and positioned the company to meet the latest security challenges.

Work and family

In 2006, a group of entrepreneurs, including Brian P. Shanahan, Jeff Shanahan’s oldest brother, formed the payment processing firm Financial Transaction Services LLC in Cleveland, OH. The founders picked Cleveland primarily because that’s where the company’s first president lived.

A few months later, at Brian Shanahan’s urging, Jeff Shanahan joined the new company as chief operating officer and relocated his family from Pennsylvania to Cleveland.

“I’d always thought about working with Brian before, but I didn’t think it would work too well being in the same office,” Shanahan admits, adding with a laugh. “We both have large personalities.” Fortunately, Brian Shanahan, who was CEO at the time and lives in Pittsburgh, left the day-to-day operations to his brother. “It actually worked out wonderfully,” Shanahan adds.

“It was time to pass the baton,” says Brian Shanahan, 43, a serial entrepreneur in the credit card processing space and now CardConnect’s non-executive chairman of the board. He notes that he and his brother think similarly and see high-profile breaches like Target’s as both vindication of CardConnect’s approach and an assessment opportunity. It’s a toss-up as to who calls the other first to talk about the latest data breach news, Brian Shanahan adds.

The two aren’t the only family members involved in the company. Their youngest brother, Patrick, joined CardConnect in 2008 and is now chief operating officer. In addition, their father, Jim, and another brother, Michael, are among the company’s more than 1,000 independent sales agents that resell CardConnect’s services. A fifth brother is a cardiologist in Pittsburgh. Naturally, at Shanahan family gatherings, the talk inevitably centers on work. “Fortunately or unfortunately, it always turns to business,” says Brian Shanahan.

On the move

The company remained in Cleveland for more than six years before relocating to the Philadelphia area. Shanahan says moving the company’s headquarters has been his biggest decision so far. “With all due respect to Cleveland, it was very hard to find new talent there,” he says. “I never felt like we could get to the next level there.”

Shanahan presented the move to the 30 employees in the Cleveland and Chicago offices as an opportunity to grow with the company. “We knew we had big things ahead,” he explains. He was pleasantly surprised when the Cleveland employees jumped at the chance, although the Chicago workforce was a harder sell. The company, renamed CardConnect, offered generous relocation packages to those who wanted to move, and separation packages to those who didn’t, says Shanahan.

The relocation cost CardConnect about $3 million, which was a big hit for the company in the short term but will pay off in the long run, Brian Shanahan points out.

King of Prussia’s suburban location outside of Philadelphia was a logical, affordable choice on the East Coast for the new headquarters, Shanahan says. CardConnect still has an office in Cleveland as well as offices in Boca Raton, FL, Kansas City, KS and Denver, CO. Shanahan and his wife, Tara, and their son and three daughters, ranging in age from one to nine years old, now live in Devon, PA.

Best buys

CardConnect’s strategy since its inception has been to grow quickly by buying other companies. Between 2006 and 2012, CardConnect bought nine companies around the country.

The acquisitions — one in 2006; two in 2007; one in 2009; one in 2011; and four in 2012 — brought scale to CardConnect and reversed its negative cash flow. “We were a small merchant service provider to a few thousand merchants back in 2006. Our first few acquisitions were done more out of necessity; we needed to get bigger quickly,” explains Shanahan. “Until you get to scale, you’re kind of always behind.”

Each new purchase brought a new salesforce and customers on board, enabling CardConnect to increase the number of transactions conducted, a key measurement in the industry, he points out. As CardConnect grew, its strategy became more selective as it began focusing more on technology and buying similar, small providers of merchant services, Shanahan says.

The purchase of Princeton Payment Solutions (PPS) in 2012 represented this focus and, because PPS is located in the Princeton, NJ, area, it also reinforced the decision to move the company headquarters to the East Coast, Shanahan explains. The deal boosted CardConnect’s customer list with customers including General Electric Co., and Adobe Systems Inc.

PPS brought CardConnect a tokenization process it had developed and patented for its Fortune 500 customers. Tokenization replaces the card number with a surrogate value, the token, that has no computable relationship to the original; the mapping between the two lives only in the provider's vault, so a token stolen from a merchant's systems can neither be reversed to a card number nor used to make a purchase. According to CardConnect, pairing tokenization with point-to-point encryption (P2PE), in which card data is encrypted inside the payment terminal at the moment of capture and decrypted only within the provider's environment, so that plain-text card data never touches the merchant's network, offers the best protection against data theft.

Building a brand

“When I look back, most of our great decisions were made fairly quickly and based on our instincts,” notes Shanahan. “When you’re growing fast, nobody sits down with a playbook and scripts what you’re going to do with the company.”

Rebranding the business, for example, was a swift and intuitive process. In April 2013, Financial Transaction Services changed its name to reflect the company’s shift from working primarily with independent distributors to developing and selling its own products and services. Shanahan says he also wanted the new name to be the company’s URL.

Brainstorming sessions and consultations with a local public relations firm focused on what the new name should convey about the company and its business. “It boiled down to ‘we connect card transactions,’” says Shanahan. So the company settled on the name CardConnect, tested it out, and then ran with it.

Too much analysis and planning can undermine the decision-making process, says Shanahan, pointing out that, “the more you analyze things and the more you think about things, the more complex they get. Oftentimes the answer is sitting right in front of you.” He advises others to simply “go with your gut and don’t overcomplicate things.” Mistakes will be made along the way, of course, but your decision-making track record will improve over time, he adds.

Shanahan admits it was easier to make quick, instinctive moves when the organization was small because at that point, the decisions were made “out of survival.” In the early days, management knew the company had to get bigger fast, so they researched the best acquisition opportunities and then went out and bought those companies. CardConnect could afford to take risks because it had less to lose, he notes.

Shanahan is known for his ability to make quick, confident decisions, confirms Patrick Shanahan, 29, who became chief operating officer in 2011 after joining CardConnect to help manage a new acquisition. Buying another company is already a long process without spending months hashing out details, he says, noting that Jeff Shanahan knows what’s important and what’s not in closing a deal.

A rapidly growing business needs a leader who is “nimble and can change directions quickly,” Patrick Shanahan says. “Not everyone is cut out for it.”

Test, evaluate and pivot

As CardConnect grew, Jeff Shanahan says, he started taking a more analytic approach to decision making. “You don’t do things as fast as you did early on because you’re trying to do the ‘perfect’ acquisition or the ‘perfect’ deal,” he explains.

The company pivoted its business strategy in 2012 with the purchase of PPS. Until then, CardConnect primarily resold other companies’ processing services and payment gateways, which capture the credit card information and send it to the processor. In order to keep up with competitors, CardConnect began providing its own payment solutions through PPS. The new strategy gave CardConnect a foothold in payment gateways, which continue to be a dynamic, developing part of the payment processing industry.

Of course, not all decisions work out as planned. Shanahan acknowledges CardConnect overextended itself in 2012 when it bought four companies. As the company struggled to absorb its new assets while continuing day-to-day operations, it took a needed break from acquisitions in 2013.

“You have to pace yourself a bit. I think at certain times we tried to grow too fast,” says Shanahan. “As a result of doing too many acquisitions at once, we ended up with some problems.” There’s only so much time and so many people to manage the issues that come up, he notes.

Shanahan says the organization is now ready to jump back in and is scouting potential firms. “We are looking to buy,” he says.

A bright future

As CardConnect continues to create new security solutions for its customers, its biggest upcoming challenge is helping customers comply with certain security mandates by their 2015 deadlines.

U.S. merchants adhere to standards for protecting payment card data set by the Payment Card Industry Security Standards Council (PCI SSC). Separately, the major card brands are driving the replacement of credit and debit cards that carry only a magnetic stripe with cards that embed an EMV chip. Rather than handing over static data that can be copied, the chip authenticates each transaction with a one-time cryptogram computed from a key that never leaves the card. "EMV" stands for Europay, MasterCard and Visa, the card networks that first championed chip-based payment cards.

Europe and Canada got on board with the initiative right away, but the U.S. held off and is now playing catch-up with the rest of the world, says Shanahan. Merchants must have EMV-capable terminals to accept chip cards by October 2015; after that date, liability for counterfeit-card fraud at the point of sale shifts from the card issuer to any merchant that has not upgraded.

Shanahan considers the move to be too little, too late. “The EMV thing is great, but implementing it after the fact doesn’t help much,” he says. Furthermore, “the cost of converting to EMV is a lot higher than it would have been 10 years ago.”

In advance of the deadline, CardConnect is partnering with payment solution provider Ingenico to offer customers EMV-compliant payment acceptance devices integrated with CardConnect’s encryption technology, says Shanahan. While CardConnect had no control over the timing of the migration to EMV cards, the company hopes to capitalize on the mandate by enticing customers to use point-to-point encryption as well.

A second 2015 deadline also looms. The PCI SSC's latest Data Security Standard, PCI DSS 3.0, governs how merchants and service providers protect the cardholder data they store, process or transmit, with the aim of reducing breaches and fraud. Among other things, PCI DSS 3.0 asks merchants to be more vigilant about monitoring for security breaches. The standard took effect at the start of 2014, but several of its new requirements were designated best practices until June 30, 2015 and become mandatory on July 1, 2015.

Once again, the stricter PCI DSS 3.0 standard is a reaction to breaches that have already happened, Shanahan points out. Still, CardConnect has its work cut out helping get customers on board with the new, costly requirements, particularly smaller merchants. “It’s hard to get a small pizza shop to get concerned about fraud or security,” he says.

Predictably, as a proactive decision maker in a reactive industry, Shanahan isn't waiting for customers to ask for help with the new requirements. CardConnect is pushing EMV compliance while developing EMV-compliant terminals and other solutions as quickly as possible. If customers still need convincing, Shanahan can point to the Target data breach as a recent example of what can happen if a business isn't prepared.

Samantha Drake is a freelance writer based in Lansdowne, PA. Contact us at editorial@smartceo.com.




CIO Magazine: Is EMV the Silver Bullet to Credit Card Fraud?
http://www.cardconnect.com/cio-magazine-emv-silver-bullet-credit-card-fraud/
Wed, 31 Dec 2014 21:27:39 +0000



Your holiday shopping experience will be different next year — at least in how you pay. By October 2015, most retailers in the U.S. will have switched to accepting EMV (EMV stands for Europay, MasterCard and Visa, and is already a standard worldwide).

But EMV, which authenticates the card with a chip instead of the easily copied magnetic stripe, is not going to be the magic cure for stopping credit card fraud, experts say. It will shut down some avenues for criminals, but fraud will continue, just elsewhere.

Past Point-of-Sale Woes

Despite a common narrative that the adoption of EMV is a response to major retailer hacks like those at Home Depot, Target and Neiman Marcus, the EMV switch has been in the works for years.

In 2012, Visa, MasterCard, American Express and Discover set the Oct. 1, 2015, date as to when liability for fraud would shift from the credit card issuers to retailers if those retailers had not adopted EMV payment terminals (the only exception is pay-at-the-pump gas station terminals–that liability shifts in October 2017).

EMV cards most likely wouldn’t have prevented the recent spate of big hacks, but those hacks did have banks asking about EMV sooner than they might have otherwise.

“Although the Target breach had very little to do with counterfeit fraud, it was the catalyst for many of our clients to pick up the phone and say we want EMV now,” says Bob Legters, senior vice president for product at FIS, a banking and payment technology company.

“If you don’t do it, you will be one of the only guys who is not,” Legters says. “The fear would be if I’m the only guy on the street without bars on my windows, I’m going to be the guy who gets robbed.”

He says his clients are ramping up for next year and will wrap up issuing chip-enabled cards by September. Most will be sending out replacement cards with chips first, then reissuing to other customers even if their cards are not expired.

The only exceptions are clients that currently serve a globally minded customer base, like a pilot’s credit union FIS works for. The credit union has already gone to EMV because customers wanted chip-enabled cards that they would be able to use in Europe.

“It does create a global standard, and that is a good thing,” Legters says.

What Fraud EMV Stops — and Doesn’t

EMV goes miles to halt a very specific kind of fraud: counterfeit fraud. That’s when someone clones your card, and then uses a duplicate of your card to make purchases in your stead.

Right now, it's easy to steal the information on a credit card with a skimmer that reads the magnetic stripe, and fraudsters use that data to create a working counterfeit card. Doing the same with a chip card is far harder: the chip authenticates each transaction with a cryptogram derived from a key that is never exposed outside the chip, so the data captured from one transaction does not let an attacker produce another.

EMV may also offer protections on what kind of data can be scooped up from a point-of-sale hack. “If EMV had been installed and everyone was using an EMV card, then that data that was stolen could not have been used as easily,” says Rush Taggart, chief security officer of CardConnect, a payment technology company.

But the technology will not stop fraud from card-not-present transactions (CNP), which leaves the entire ecommerce market wide open to fraud.

CNP fraud spiked in Europe and Australia after EMV was widely adopted. In the U.K. alone, CNP fraud was 157 percent more prevalent in 2012 than it was in 2001, making up 63 percent of credit card fraud losses that year versus 23 percent in 2001.

“It’s definitely an improvement, but it’s not the silver bullet for all credit card security because it doesn’t do anything for the ecommerce side,” says Taggart. “It doesn’t help because in a chip card, you still have your 16 digits printed on the front.” If hackers steal data about your card from a database, then they can use it online, whether they have a physical card or not.
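The distinction drawn in this section, and in the "A bright future" section of the SmartCEO profile above, can be made concrete with a small model. The following is an added example for this page, not code from the article, from CardConnect or from the EMV specification: a real chip derives a 3DES or AES session key and MACs a longer field list per EMV Book 2, whereas here an HMAC-SHA256 over a few fields stands in for the application cryptogram, and the class names, the test card number and the expiry are constructed. It shows why a replayed or skimmed card-present transaction is declined while the same stolen card number and expiry sail through a card-not-present authorization that has no cryptogram to check.

```python
"""Simplified model of what EMV counterfeit protection does and does not cover.
Constructed illustration, not the EMV specification: a real chip derives a
3DES or AES session key and MACs a longer field list (EMV Book 2); here
HMAC-SHA256 over a few fields stands in for that cryptogram."""
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """Application cryptogram over the transaction: amount, card counter, terminal nonce."""
    msg = f"{pan}|{amount}|{atc}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip keeps a secret key and a transaction counter (ATC) that only ever increases."""

    def __init__(self, pan: str, expiry: str, key: bytes) -> None:
        self.pan, self.expiry = pan, expiry   # static data, also printed on the card
        self._key = key                        # never leaves the chip; a skimmer cannot read it
        self.atc = 0

    def generate_arqc(self, amount: int, terminal_un: bytes) -> dict:
        """Build the online authorization request for one purchase."""
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": terminal_un,
                "arqc": _cryptogram(self._key, self.pan, amount, self.atc, terminal_un)}


class Issuer:
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}
        self._expiry: dict[str, str] = {}

    def issue(self, pan: str, expiry: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan], self._last_atc[pan], self._expiry[pan] = key, 0, expiry
        return ChipCard(pan, expiry, key)

    def authorize_chip(self, req: dict) -> bool:
        """Card-present: recompute the cryptogram and reject anything replayed or forged."""
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        expected = _cryptogram(key, req["pan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False                      # forged: skimmed static data cannot produce this
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False                      # replayed: this counter value was already used
        self._last_atc[req["pan"]] = req["atc"]
        return True

    def authorize_cnp(self, pan: str, expiry: str, amount: int) -> bool:
        """Card-not-present: no chip is in the loop, so only static data can be checked.
        This is the gap EMV leaves open for e-commerce fraud."""
        return self._expiry.get(pan) == expiry


def scenario() -> dict:
    """Constructed run: genuine purchase, replay, forgery, and online reuse of stolen data."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111", "1217")   # constructed test PAN and expiry
    req = card.generate_arqc(1999, secrets.token_bytes(4))
    results = {"genuine": issuer.authorize_chip(req)}
    results["replay_of_captured_message"] = issuer.authorize_chip(req)
    forged = dict(req, atc=req["atc"] + 1, arqc=bytes(8))   # attacker holds no card key
    results["forged_from_skimmed_data"] = issuer.authorize_chip(forged)
    # The same PAN and expiry, lifted from a database, are all an online checkout asks for.
    results["card_not_present_with_stolen_pan"] = issuer.authorize_cnp(card.pan, card.expiry, 1999)
    return results


if __name__ == "__main__":
    for name, approved in scenario().items():
        print(f"{name}: {'approved' if approved else 'declined'}")
```

The replay and forgery checks are what the liability shift buys merchants at the terminal; the last line of the scenario is the ecommerce exposure the quoted experts describe, which is why tokenization and cardholder authentication for online payments remain necessary alongside EMV.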

Customers Up for Grabs

While some retailers have already installed EMV-ready terminals, the big push will come in 2015. If the transition to EMV does not go smoothly, consumers could look for payment alternatives, whether that’s with another card or with a different way to pay, like a mobile wallet.

“EMV is going to be disruptive to the market,” Legters says, because it’s a “change to the consumer experience, and any time you change the consumer experience, you put [customers] at play.”

Legters says that FIS has been stressing to its clients that they can’t just issue new chip-enabled cards; they need to inform their customers about what the new cards are and how they work. Otherwise, they could lose their customers to other credit card issuers.

The EMV switch could give a boost to payment mechanisms that don’t require you to have your card with you, like Google Wallet or Apple Pay.

“The wallet is going to be very dynamic for the next year,” Legters says.



FierceWireless: Apple Pay rival MCX open to using NFC technology in the future
http://www.cardconnect.com/fiercewireless-apple-pay-rival-mcx-open-using-nfc-technology-future/
Mon, 17 Nov 2014 22:13:27 +0000



The Merchant Customer Exchange (MCX) is willing to use Near Field Communication (NFC) technology like its rivals, its CEO said. MCX is a consortium of some of the country's largest retailers that is setting up a mobile payments program that will stand as a rival to Apple Pay, Softcard and other mobile payment offerings.

“We’re agnostic about technology,” MCX CEO Dekkers Davidson said during a press conference, according to TechCrunch. “We started with QR code-based technology that allows us to go to market broadly. If we need, we can pivot to NFC.”

MCX, which is launching a payment platform called CurrentC next year, held the press conference to address the uproar caused by drug store chains (and MCX members) CVS and Rite Aid, which stopped supporting Apple Pay as well as other payment methods that use NFC technology. Neither company had officially joined Apple Pay, but customers were able to use the service before it was disabled at the two chains last weekend.

Apple CEO Tim Cook called the developments a "skirmish." He said this week that more than 1 million credit cards were activated on Apple's new Apple Pay service within 72 hours of its launch last week.

“I think there’s been a mistake made here, and that is focusing on the technology instead of what business or consumer problem you’re trying to solve,” Davidson told the New York Times.

He also noted that many in the industry had largely written off NFC for mobile payments until Apple finally decided to support it. “It’s ironic in a way that we’re talking about a really old technology being employed here,” he said. “Way before Apple Pay, merchants hadn’t enabled it or planned on using it.”

MCX plans to launch its mobile wallet, loyalty and offers platform under the CurrentC brand in 2015 at around 110,000 retail locations, including Walmart, Best Buy and Target. The app will use QR-code technology for transactions, essentially creating a scannable bar code. As Re/code notes, merchants are rallying behind CurrentC because it’s a payment method that won’t incur the credit card fees that retailers have to pay on each credit card transaction.

“CurrentC is built for retailers, to help them cut out interchange fees,” Nick Aceto, senior director at payment technology firm CardConnect, told Reuters. “It’s not a solution that will appeal to customers because it does not make their lives any easier.”

According to MCX, the app will make purchasing more seamless by applying qualifying offers and coupons, participating merchant rewards, loyalty programs and membership accounts, and then offering payment options through the consumer’s selected financial account, all with a single scan. Further, users’ payment information will be secured in the cloud rather than on the device, and the app will use a token placeholder to make transactions instead of constantly passing the data between the user, merchant and financial institution.

The New York Times had reported that CurrentC retailers would need to pay fines if they decide to use other mobile payment methods like Apple Pay. However, Davidson said “it’s simply not true, there are no fines.” MCX would not say though what happens if a partner breaches their contract. MCX merchants that choose to use MCX technology do so exclusively–meaning they can’t offer Apple Pay, Softcard or other services alongside CurrentC.

Meijer, a grocer that’s listed as a member on MCX’s site, said it won’t ban Apple Pay. When asked about whether that would disqualify Meijer from using CurrentC, MCX COO Scott Rankin did not definitively say so. “I think if they want to go forward and continue to accept Apple Pay, down the road at some point if they want to be a customer of MCX and roll out CurrentC and offer it to customers that’s great,” he told Re/code.

Yet Davidson said it was possible that in the future MCX could be used side by side with other payment systems. “In the future, that could be entirely possible…there will need to be two to three strong players in the ecosystem. One won’t simply build the market.”

Davidson also acknowledged that MCX’s email provider was hacked, though he wouldn’t disclose the name of the provider. He said the hack exposed fake zip codes and “some tester email addresses.” He added: “The CurrentC app itself was not affected. We own this and are taking it seriously.”




SecurityWeek: Tokenization: Benefits and Challenges for Securing Transaction Data
http://www.cardconnect.com/securityweek-tokenization-benefits-challenges-securing-transaction-data/
Fri, 14 Nov 2014 20:49:33 +0000



How Tokenization Can be Used for Securing Payment Card Transactions and Data

Over the summer, representatives of the merchant community called upon all stakeholders in the payments industry to work together on establishing open and efficient standards to protect consumers and businesses in the United States against security threats.

The Food Marketing Institute, the Merchant Advisory Group, the National Grocers Association, the National Restaurant Association, the National Retail Federation, the National Association of Convenience Stores, and the Retail Industry Leaders Association believe that payment card and other sensitive personal information can be protected across commerce channels by adopting a universal tokenization standard. The organizations believe that this is a step that needs to be taken in order to mitigate identity theft and payment card fraud.

“Regardless of whether a consumer is paying at a brick and mortar checkout, at the pump, on the Internet, or even via a mobile phone, there is a need to ensure the payment data is protected. One way this can be done is through a technology called tokenization,” the organizations wrote in a joint statement issued July 28.

The U.S. Federal Reserve’s Mobile Payments Industry Workgroup (MPIW) has also discussed the advantages and the challenges of payment tokenization. A report released to the public in late September shows that the MPIW is concerned about the challenges posed by the development of common standards for tokenization, and the lack of consistent terminology. A new tokenization sub-group has been tasked with investigating the challenges.

American Express has also embraced tokenization. The company just launched a suite of solutions designed to protect online and mobile payments by replacing sensitive card information with tokens.

Tokenization is the process in which sensitive information is replaced with a randomly generated surrogate value, the token, that has no computable relationship to the original. The real data stays in a protected vault, so the merchant systems that transmit and store tokens never hold the card number in the clear. However, for tokenization to be effective across the payments industry, a universal standard is needed so that merchants can support the technology across multiple providers without degrading the customer experience.
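The mechanism described in the paragraph above, and in the SmartCEO profile's account of the PPS tokenization process, looks like the following in code. This is an added example for this page, not CardConnect's, PPS's or any vendor's implementation, and the vault layout, the single "settlement" credential and the sample order record are constructed. Two design points a practitioner would want are shown: the token body is random rather than derived from the card number, and tokens are deliberately made to fail the Luhn check so that a scan of merchant databases or logs can tell a stray real card number from a harmless token.

```python
"""Tokenization model: random surrogate tokens, a vault that alone can map them
back, and a scanner that tells real card numbers from tokens in stored data.
Constructed example for illustration, not CardConnect's or any vendor's code."""
import hmac
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate card-number runs


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token <-> PAN mapping. Only this component ever sees both."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
        # Assumed design: one shared-secret credential per system allowed to
        # detokenize (e.g. settlement). Everything else only ever handles tokens.
        self._api_keys = {"settlement": secrets.token_hex(16)}

    def api_key_for(self, system: str) -> str:
        return self._api_keys[system]

    def tokenize(self, pan: str) -> str:
        """Return a multi-use token: same card -> same token, so recurring billing works."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random body, not derived from the PAN; real last four kept for receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Tokens are made Luhn-INVALID on purpose: a scan of merchant data can
            # then distinguish a leaked real PAN from a harmless token.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, api_key: str) -> str:
        """Map a token back to the PAN; refused unless the caller presents a valid credential."""
        if not any(hmac.compare_digest(k, api_key) for k in self._api_keys.values()):
            raise PermissionError("detokenization denied")
        return self._pan_by_token[token]


def find_pans(text: str) -> list[str]:
    """Flag Luhn-valid 13-19 digit runs in stored data; vault tokens never match."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


# Constructed sample: one order record as a merchant might store it before tokenization.
RAW_RECORD = "order=1042 card=4111111111111111 amount=12.00"

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    safe_record = RAW_RECORD.replace("4111111111111111", token)
    print("raw record exposes:", find_pans(RAW_RECORD))
    print("tokenized record exposes:", find_pans(safe_record))
    print("settlement detokenizes:", vault.detokenize(token, vault.api_key_for("settlement")))
```

Running `find_pans` over exported databases and application logs is a cheap check that tokenization actually took hold everywhere card data used to land; any Luhn-valid hit in a system that should only see tokens is a finding to chase.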

Furthermore, the groups noted that tokenization can be the answer to securing not just payments, but other aspects of commerce as well, including the transmission and storage of electronic health records and age verification identity checks.

“This call stems from the fact the merchants are required to connect to services provided by the payment industry, and they cannot by themselves perform changes in the way these systems operate,” said Irene Abezgauz, VP of product management at Quotium. “The magnetic stripe technology is an old technology, over four decades old. A lot about the way we perform payments has changed, but this technology is still with us, and it’s weighing us back. The merchants need to comply and work with the interfaces they are given.”

Experts contacted by SecurityWeek agree that tokenization can be an efficient solution for securing credit and debit card data.

“Tokenization is a very useful solution that can protect cardholder data at many points in the transaction lifecycle, especially post-authorization and for recurring transactions once a card has been presented,” noted Rob Sadowski, director of Technology Solutions for RSA.

“Tokenization is a great solution that has been utilized for many years to mitigate the risks associated with payment processing for retailers of all types. One downfall to tokenization thus far has been the lack of a standard that everyone followed so this is a great step forward for consumer financial security,” said Mark Stanislav, security evangelist for Duo Security.

“Tokenization is the best currently available solution to significantly increase the security around payment card data without having to change anything on the cardholder end,” Gregory Nowak, principal research analyst with the Information Security Forum, told SecurityWeek.

While tokenization can be an efficient solution, many have pointed out that it’s not enough to protect payment card data.

“[There] are no silver bullet solutions and protecting payment card data requires a comprehensive, layered approach. End-to-end encryption during the acceptance and authorization process as well as enhanced card and cardholder authentication technology in addition to tokenization also play an important role in card data protection,” Sadowski explained.

“It is best to view the security of payment card data as a series of layers that address different kinds of security threats.  Payment cards can be attacked on several fronts and no solution comprehensively addresses all of them,” said David Tushie, standards and technical representative at the International Card Manufacturers Association (ICMA).

The merchant groups that support the use of tokenization noted that criminals can steal payment card data where the card is swiped or a card number is entered, where card information is stored, and where card information is transmitted.

However, of these three vulnerability points, tokenization fully addresses only the second point, storage, and partially addresses the third point, transmission, explained Raymond Côté, president of Auric Systems International, a company that provides payment processing solutions.

“The press release is also unclear as to what is meant by ‘supported by all networks, brands and payment types.’ Does this imply a tokenized card could be submitted to multiple payment processors? If so, that would turn the token itself into a valuable commodity — an unfavorable outcome. The value of tokenization is that the token itself is valueless,” Côté told SecurityWeek. “One concern in regards to an industry standard for tokenization is that it could result in a monoculture with a single interface into tokenization services. Security exploits propagate quickly within monoculture environments.”

Advantages of tokenization

The obvious advantage of tokenization is that it preserves the value of cardholder data for merchants and service providers, while making it useless to criminals if it is compromised or stolen, Sadowski said.

“Tokenization dramatically lowers the likelihood of a credit card breach impacting them when a retailer is compromised. By representing their credit card details with a token instead, a breach of one retailer won’t require a replacement card to be issued,” Stanislav explained.

Rush Taggart, chief security officer at payment processing firm CardConnect, believes that tokenization offers better protection than even high-quality encryption, because encryption can be broken if the attacker obtains the encryption keys or has access to enough computing power.

Tokenization, on the other hand, does not rely on encryption keys, so organizations do not have to manage that sensitive key material. It offers a higher level of security as long as the tokenization system is logically isolated and segmented from the applications and data processing systems that handle or store the sensitive data the tokens replace.

“Another advantage of tokenization is that it can be applied to all types of sensitive data, not just credit and debit card numbers. Its capabilities include Social Security numbers, drivers’ license numbers, electronic health records, prescriptions, and even addresses – all personal information that should be properly protected,” Taggart told SecurityWeek.

Another advantage, pointed out by Nowak, is that tokenization can reduce the scope of systems for which PCI DSS compliance needs to be demonstrated. “Correctly implemented, it can both improve security and lessen the compliance burden,” he explained.

Taggart has noted that many large and small merchants in the U.S. have already implemented tokenization to radically reduce their PCI scope.

“Maintaining PCI DSS compliance across thousands of machines or more is extremely costly. Maintaining PCI DSS compliance for a small number of systems running the tokenization service is quite manageable. Utilizing a Visa-approved tokenization service provider can reduce PCI DSS compliance to just a few questions,” Taggart explained.

Disadvantages of Tokenization

As with all technologies, tokenization has some disadvantages. One of them, as pointed out by Sadowski, is that the most secure implementations require that the original card number be presented for tokenization. This means that the tokenization solution must have a way to protect the original cardholder data before it is tokenized. Furthermore, the centralized token vault in which the original payment card data is stored becomes an attractive target for criminals.

Another issue, according to Tushie, is related to infrastructure.

“Tokens must be created for each merchant and card account.  When a transaction flows through the Merchant and Acquirer processing systems, these account tokens must be de-tokenized so that the Issuer can approve the transaction for a known card account. Transaction settlement messages must be tokenized for Merchant and Acquirer systems,” said Tushie. “This requires new infrastructure of trusted third parties in the transaction flow to tokenize and de-tokenize card accounts in these transactions.  While this is not seen as a huge technological hurdle to overcome, it likely will add cost to the transaction fees for these third party services.”

Côté believes that one disadvantage is that payment-processor-specific tokenization locks an organization into a particular payment processor; a tokenization service should therefore support multiple payment processors or be processor-agnostic. Other issues he highlights are the potential negative impact on transaction speed, and the fact that data analysis cannot be performed on tokenized data, since “good” tokens do not allow the original data to be reconstituted from the token itself.

“The only disadvantage I currently see is the recent watering down of what qualifies as a token. When we first developed our tokenization solution, about eight years ago, only random number strings with no value could be considered tokens,” said Taggart. “Now, there are things known as ‘cryptographically reversible’ tokens, which just seem to be created with a high level of encryption – there is the risk the code could be cracked. The question remains how a business can receive an honest answer as to what type of tokenization a payment provider uses.”

“One of the concerns is replaying – we need to be sure that our token cannot be replayed or reused, because if it can – attackers will just use this token instead of the actual data and achieve the same criminal goals,” said Abezgauz.
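The properties the experts argue about above (a random vault token that carries no information about the card number, tokens scoped per merchant and card account, single-use tokens that cannot be replayed, and the contrast with a “cryptographically reversible” token whose safety rests entirely on a key) can be made concrete in a few dozen lines. The following is an added illustration, not CardConnect's, Auric's or any other vendor's code; the merchant ids, the well-known test number 4111111111111111 and the toy keystream construction are all constructed for the example.

```python
"""Minimal payment-card token vault (illustration only, not a vendor's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn check: True when the digit string is a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str
    merchant_id: str
    single_use: bool
    used: bool = False


@dataclass
class TokenVault:
    """The one isolated, PCI-scoped component that ever holds a PAN.
    Every system outside it sees only tokens."""
    _records: Dict[str, TokenRecord] = field(default_factory=dict)

    def tokenize(self, pan: str, merchant_id: str, single_use: bool = False) -> str:
        """Replace a PAN with a random token scoped to one merchant."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # Random digits of the same length, keeping the last four so a receipt
            # can still show "**** 1111". Candidates that happen to pass the Luhn
            # check are rejected so a token can never be mistaken for, or
            # accidentally processed as, a real card number. Nothing else about
            # the PAN is encoded in the token: no key, no cipher; only the vault
            # can map it back (this is what Côté calls a "valueless" token).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, merchant_id, single_use)
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Return the PAN for a token, or None when the token is unknown, was issued
        to a different merchant (Tushie: one token per merchant and card account),
        or is a single-use token being replayed (Abezgauz's concern)."""
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id:
            return None
        if rec.single_use:
            if rec.used:
                return None
            rec.used = True
        return rec.pan


# For contrast: a "cryptographically reversible" token (Taggart's worry). This is a
# deliberately toy keystream (HMAC-SHA256 of a fixed label, XORed with the PAN),
# not a recommended cipher; the point is the property, not the construction.
# Whoever holds or recovers the key gets every PAN back without touching any vault.
_LABEL = b"reversible-token-keystream"


def reversible_token(pan: str, key: bytes) -> str:
    stream = hmac.new(key, _LABEL, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pan.encode(), stream)).hex()


def reverse_token(token: str, key: bytes) -> str:
    stream = hmac.new(key, _LABEL, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(bytes.fromhex(token), stream)).decode()


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"              # well-known test number, not a real card
    tok = vault.tokenize(pan, "merchant-A")
    print("vault token :", tok, "-> merchant-A:", vault.detokenize(tok, "merchant-A"),
          "| merchant-B:", vault.detokenize(tok, "merchant-B"))
    once = vault.tokenize(pan, "merchant-A", single_use=True)
    print("single-use  :", vault.detokenize(once, "merchant-A"),
          "then replay ->", vault.detokenize(once, "merchant-A"))
    key = secrets.token_bytes(32)
    rev = reversible_token(pan, key)
    print("reversible  :", rev, "-> with key:", reverse_token(rev, key))
```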

Addressing the challenges

One of the challenges that must be addressed in implementing tokenization is that existing applications and infrastructure might have to be retrofitted or built from the ground up to accommodate the change, said Stanislav.

Tushie noted that secure financial payment cards, by their nature, must be interoperable in international interchange.  For example, a card issued in the United States must work at point-of-sale terminals in Singapore or Paris, and vice versa. This means that international standards addressing the card technology as well as the processing systems in which they work must be developed and agreed upon. However, the expert has pointed out that technology frameworks for tokenization have already been proposed by international standards organizations and EMVco, which manages, maintains and enhances the EMV integrated circuit card specifications for chip-based payment cards and acceptance devices.

“With strong industry backing, clear guidelines, and well-devised reference implementations, tokenization will have the best chance to succeed in a timely manner. With consideration for keeping backwards compatibility with the primary account number (PAN), organizations would be more likely to adopt tokenization more quickly if there were fewer technical hurdles in their way,” said Stanislav.

On the other hand, Côté highlights that in many cases the barrier to implementation is not technical, but institutional.

“Corporate reluctance to mandate proper security and privacy (whether PCI, HIPAA, or regional security standards) handling of their data is the largest challenge,” he noted.

According to Abezgauz, the balance to strike is between tokens not being replayable and usability and scalability.

“Do we provide a new token to the user every time? How do we manage these tokens? We need to make sure we can easily connect the real payment information to the token. For smaller organizations this can be doable, but it’s not trivial when looking at massive scale,” she noted.

“One solution is providing means to do a challenge/response mechanism that will ensure that the user information never leaves the user’s possession. One example is the end-to-end encryption solution suggested by Visa. They released recommendations for doing end-to-end encryption to protect user data,” Abezgauz added. “When we talk about user payments though, how do we extend this from POS to online purchases where users want to be able to perform purchases using their payment card from different devices – mobile devices, laptops and more. Currently users are not supplied with card readers. It can be one option for a solution though.”

Conclusions

Some experts estimate that it would take several years to adopt tokenization on a wide scale. Abezgauz argues that tokenization on a wide scale is not trivial. “I do not see it happening in the near future. I am also not sure that eventually tokenization will prevail over end-to-end encryption solutions,” she said.

Taggart is more optimistic and points out that the recent data breaches have led to a surge in interest in these technologies.

“There are so many variables here that it is hard to say. If there was a dedicated effort to implement tokenization into all payment channels and tokenize all legacy cardholder information in software systems, I would say a lot could be done within the next six months to one year,” he said.

“Tokenization is the pinnacle of data protection technologies. The physical and logical separation of payment and privacy information significantly reduces a company’s exposure to information theft. Well-tested, reliable, and flexible tokenization services are available today; there is no technical reason to delay implementation,” said Côté.

Rick Ricker, VP of enterprise payment solutions at 3Delta Systems, a provider of payment and data tokenization services that specializes in card-not-present tokenization, says his company is pleased that the merchant community is recognizing tokenization as a valid technique for protecting customer data.

“Tokenization has gotten a fair bit of attention lately with efforts by the Clearing House and EMV (the card brands) touting solutions for transactional tokens.  The proposal to have ANSI x.9 create the standard to make it open is an interesting twist, of course the merchants have an interest in an open system that will have low cost,” Ricker said. “Overlooked in these recent announcements about new standard proposals is that currently there are several hundred thousand merchants that have already adopted tokenization offered by 3Delta and other gateways, as well as the processor community.  These solutions have tokenized and protected millions of credit cards.  Any merchant desiring a tokenization solution today can choose and implement today without waiting for a new standard.”

Nowak says tokenization is not a magic bullet, and organizations should only implement it after they’ve properly assessed the risks and benefits.

“Its primary benefit is to reduce the number of merchant systems on which cardholder data resides, thus reducing the PCI DSS compliance burden, and hopefully reducing risk of data loss as well.  Any organization considering implementing tokenization should do so only if their risk assessments have determined that, of all the major security initiatives they could undertake, this was the one that would have the most significant positive impact,” he explained.

Stanislav believes that the efforts to standardize tokenization are a great step forward and one that, much like EMV adoption in the United States, is well past due.

“The fight now will be to get a single standard created to reduce fragmentation of usage and also retrofit, as needed, frontend and backend systems to utilize the adopted standard when it’s ready,” said Stanislav.

View the original article on SecurityWeek

Wal-Mart and allies in face-off with Apple Pay over mobile payments
Posted Mon, 03 Nov 2014 14:09:06 +0000 at http://www.cardconnect.com/wal-mart-allies-face-apple-pay-mobile-payments/

Oct 29 (Reuters) – Suddenly it’s Apple versus Wal-Mart in the fight for shoppers’ digital wallets.

With the development of a new mobile payment system, a group of retailers led by Wal-Mart Stores is aiming to upend the $4.5 trillion credit card market and control the precious transaction data generated at the checkout line.

The difficulty of the task became clear this week when drugstore chains CVS Health Corp and Rite Aid, in a move apparently aimed at shoring up the retailers’ pay system, stopped accepting payments on Apple Inc’s iPhones. That prompted consumers to complain that they were being denied a user-friendly payment option.

The “skirmish,” as Apple CEO Tim Cook put it this week, is the latest dispute to emerge from the Byzantine world of payment systems, which is dominated by banks and credit card firms.

Many payment experts said they are skeptical that the retailer-backed system, known as CurrentC, can gain traction, let alone thwart Apple Pay, a payment system launched by the iPhone maker last week. CurrentC is set to go live in 2015.

The retailers’ main objective appears to be to push credit card companies out of the payment equation, or at least get them to lower their costs.

“CurrentC is built for retailers, to help them cut out interchange fees,” said Nick Aceto, senior director at payment technology firm CardConnect, referring to the fees paid by retailers to credit card companies when a shopper makes a purchase. “It’s not a solution that will appeal to customers because it does not make their lives any easier.”

That’s not stopping the retailers from trying, and their consortium, the Merchant Customer Exchange (MCX), has clout, with $1 trillion in annual sales. In addition to Wal-Mart, its members include Best Buy Co and Target Corp.

MCX officials said CurrentC will work on any phone, integrating loyalty programs and payments into one transaction. While the group’s focus is helping consumers, they said, it hopes to shake up the payment system.

“MCX and the merchants that founded MCX are challenging … an entrenched, very large status quo, a $500 billion ecosystem on the payments side,” Chief Executive Dekkers Davidson said on a conference call Wednesday.

Davidson said MCX has made arrangements with two credit card companies and wants to partner with large issuers. But he did not say whether MCX would be willing to work with the likes of Visa Inc and Mastercard Inc and pay them conventional rates on interchange fees. Eventually, he said, “We expect that all cards will be welcome at CurrentC.”

Wal-Mart, which has made little secret of its disdain for paying processing charges, is suing Visa for $5 billion for what it says are excessive card swipe fees.

Credit card firms typically charge 2 percent to 3 percent of the value of each transaction. Retailers paid $66 billion in credit-card-related fees in 2013, out of $4.5 trillion in spending tied to major U.S. cards, according to the Nilson Report.

In contrast to Apple Pay, which encrypts payment data and keeps it out of the hands of retailers, CurrentC connects directly to a customer’s bank account. It will allow retailers to glean valuable data on spending patterns, which they can use to better target advertising and drive loyalty programs.

There would be no pooling of data across retailers, Davidson said, and shoppers can opt to remain anonymous. “Consumers will determine how they are marketed to or not marketed to,” he said.

MCX says CurrentC will be secure, an assertion that was tested on Wednesday when the group confirmed that hackers had obtained the e-mail addresses of some participants in a pilot program.

While Wal-Mart has said it has no plans to support Apple Pay, its rival Target is taking a more nuanced approach. Target has said it plans to use MCX for in-store checkout but is allowing Apple Pay for online purchases through its mobile app. Target is featured on the Apple Pay website.

MCX members have made up-front payments of $200,000 to $500,000 to join the group and signed multiyear agreements, according to people familiar with contract terms.

MCX said on Wednesday that when retailers join the consortium they do so on an exclusive basis, but there are no fines if they leave the group.

Walgreen Co, a rival to CVS and Rite Aid, said it decided to offer Apple Pay to give its customers more options.

“It is ultimately about providing the choice to customers because no one really knows how this space will evolve,” said Deepika Pandey, head of digital marketing at the pharmacy.

View the original article here.
FierceRetail: Data breaches – Will retailers step-up their game?
Posted Tue, 21 Oct 2014 20:25:08 +0000 at http://www.cardconnect.com/fierceretail-data-breaches-will-retailers-step-game/

At this point the “data breach” headline is borderline yawn-inducing, but that doesn’t mean consumers aren’t noticing. It may not result in an all-out boycott, but most people are wary of breached stores. But what is actually causing this surge? Are retailers fighting back? Are there really more breaches, or are we just being told about them more often? The truth is, the surge is real. Data has become more valuable on the black market than ever before, making cyber criminals more aggressive. Additionally, companies are now more capable of catching breaches that previously would have gone undetected. Finally, it has become commonplace to be honest when a breach happens, since trying to hide it can be far more damaging.

Our CEO, Jeff Shanahan, recently spoke to FierceRetail about what it takes to truly secure data, and why some companies are hesitating to get on board.

“When the Target breach occurred 10 months ago, it should have spurred retailers to immediate action, as an alteration of the current payment architecture most retailers have in place was in need of obvious fixing,” said Jeff Shanahan, president and CEO at CardConnect, a payments technology company. “Obviously, we’re still witnessing signs that the proper changes are not yet in place. It would seem that a lack of awareness and questions surrounding integration are what is causing the delay. We’re talking about new technologies that retailers may not be familiar with.”

Once retailers are familiar with the proper technologies, the question becomes integrating the most-secure hardware into existing ecosystems without disrupting service, according to Shanahan. A retailer can’t afford to incur interruptions in inventory or loyalty programs. “For large-scale retailers like Kmart, fully revamping the payment hardware used in each store can seem daunting, but it’s a necessary change in order to avoid a breach, which is a much scarier and costly situation,” he added.

Retailers need a short- and long-term approach, said Shanahan. Immediately, retailers need to make access to their outbound network as tight as possible. “For areas that contain sensitive data, this means an entire lock-down,” he said.

In the long run, retailers should commit to a project that removes raw credit card data from the company’s systems altogether. “The key is for a business to remove all real touch points with actual card numbers, thus safeguarding its customers in the event of an attack.”

Check out the full story on FierceRetail.

SC Magazine: Kmart Breach Likely Exposed Payment Card Data
Posted Wed, 15 Oct 2014 16:58:10 +0000 at http://www.cardconnect.com/kmart-breach-likely-exposed-payment-card-data/

It’s not official yet, but it’s not looking good. All signs point to exposed credit card data in the recent Kmart breach, and the Secret Service is still investigating. CardConnect CEO, Jeff Shanahan, and other industry experts weighed in with SC Magazine.
A September breach at Sears Holdings has likely resulted in customer payment card information being exposed or stolen at the company’s Kmart stores, Sears has revealed in a filing to the SEC.

The retailer was made aware of the breach on October 9 by its IT team and has hired a security firm to investigate the September incident. The filing noted that the security pros said “Kmart store data systems were infected with a form of malware that was undetectable by current anti-virus systems.”

The company went on to say that Kmart, which has 1,200 stores in the U.S., removed the malware but still “believes certain debit and credit card numbers have been compromised.” But it offered assurances that PINs, Social Security numbers, email addresses and other personal information had not been exposed.

The breach is also under investigation by the U.S. Secret Service. Kmart will offer a year’s free credit monitoring service to those potentially affected by the breach—customers who shopped at Kmart between Sept. 1 and Oct. 9.

The Kmart breach comes on the heels of last week’s confirmation of a breach at Dairy Queen, in which systems at 395 of its more than 4,500 U.S. stores, plus one Orange Julius location, were infected with the same Backoff malware that has plagued other retailers nationwide, exposing customers’ payment information.

“The reality is that, as long as organizations continue to look at IT security with an individual security solution silo view, data breaches like Kmart and Dairy Queen will continue to occur,” Eric Ouellet, Vice President of Strategy, Bay Dynamics, said in commentary sent by email to SCMagazine.com. “In fact, when you look at large organizations like Kmart, Dairy Queen, Home Depot and Target, the breaches did not occur due to a lack of security tools investment, or certification or lack of a disciplined security program approach.”

Instead, Ouellet explained, “the cookie crumbs left behind” point to three factors—security solutions generate large volumes of data that overwhelm security teams; the solutions operate independently with “no stitching of information between systems” and any stitching that does go on “between haystacks of data is typically a manual process” supported by SIEM or case management tools. As a result, security teams find themselves on the search for important needles in multiple haystacks using tools ill-suited for melding the information.

Jeff Shanahan, CEO of CardConnect, contended that businesses can’t get a grip on raw credit card data and are essentially safeguarding “sensitive information with what hackers see as an unlocked fence.” But, he said in comments emailed to SCMagazine.com, that it’s time for them to “upgrade to malware-resistant point-of-sales terminals that encrypt and tokenize all credit card data” starting from when customers first swipe their cards. “The key is for a business to remove all real touch points with actual card numbers,” which he said will protect customers “in the event of an attack.”

View the original article in SC Magazine here.

SecurityWeek: Protecting Point-of-Sale Devices in the Face of Attacks
Posted Tue, 14 Oct 2014 20:28:25 +0000 at http://www.cardconnect.com/protecting-point-sale-devices/

It seems like more security breaches are popping up every day, and the media is taking notice. Many of these breaches have been the result of compromised point-of-sale systems. Our chief security officer, Rush Taggart, recently spoke to SecurityWeek about what businesses can do to better protect themselves.
In recent years, point-of-sale (PoS) systems have become a point of emphasis for attackers looking to steal credit and debit card information.

From the Kmart breach to the recent attack on Dairy Queen, cybercriminals have sought to compromise PoS systems with malware. These breaches are not just headline grabbers, however; they also serve as reminders to organizations to secure their networks.

“While the malware used in these attacks is sophisticated, they are by no means groundbreaking,” said Mark Nunnikhoven, principal engineer of cloud and emerging technologies at Trend Micro. “Attacks such as these highlight the weakness in the security approach taken for these computers.”

Most businesses, he explained, think of a PoS system as a device rather than a full-fledged computer. Unlike desktop computers, which are replaced every three to five years, PoS systems tend to be replaced every 10 years or more, he said.

“These systems run older operating systems like older versions of Windows Embedded, Windows XP, or even DOS,” he said. “To make matters worse, the network they are deployed to is usually treated as isolated so there are minimal security controls deployed.”

“These factors make it relatively simple for a criminal to exploit any number of vulnerabilities if they can get malware onto one or more PoS systems,” he said, adding that criminals gain access to the systems from either social engineering or attacking PoS systems from somewhere else in the network once they have gained a beachhead.

Part of locking that beachhead down requires controlling remote access.

“If your PoS systems use remote access software for tech support purposes, two-factor authentication should be implemented as part of the login process,” said Karl Sigler, threat intelligence manager at Trustwave. “Two-factor authentication adds an extra layer of security in case the contractor chooses an easily-guessable password.”

Paul Ducklin, senior security advisor at Sophos, said high standards need to be set for remote access.

“Whether you outsource your PoS or run it in-house, insist that remote access be managed securely,” he explained. “We hear of breaches where all the PoS terminals were on the company’s one-size-fits-all network, making it easier for crooks to find weak spots and traverse all the PoS systems. We hear of breaches where one remote access password served hundreds of separate branches, even separate customers, and where no two-factor authentication was used. It’s sloppy to share passwords between Gmail and iCloud at home. To share remote access passwords for networks you expect your own customers to accept as secure by faith is worse than sloppy. It’s unacceptable.”

Businesses that hire third-party contractors to install and maintain their PoS systems should make sure the contractor provides specific information about the security measures taken to protect data processed by the system, Sigler added.

As for the devices themselves, they should be up-to-date and patched, but also monitored for signs of malicious activity, security researchers said.

“Any unusual connectivity to or from any component of a point-of-sale infrastructure should be investigated,” said Curt Wilson, ASERT senior research analyst at Arbor Networks. “Legitimate traffic should be profiled ahead of time and be well understood. Deviations from legitimate traffic should become a high-priority investigative item.”

“For example,” he said, “if point-of-sale machines are centrally managed, and the central management server initiates outbound file transfer via FTP in a manner that deviates from normal operations, this should be flagged immediately. Since attackers leverage lateral network movement in more advanced compromise schemes, defenders must be aware of, and actively monitor any network connectivity that would allow for the exfiltration of sensitive card data.”

Along similar lines, businesses should make sure any data being processed, stored or transmitted across their PoS systems is segmented from the rest of their networks, applications and databases.

“The most useful short term network hardening that can be done is to lock down outbound network access as tight as possible,” said Rush Taggart, chief security officer at CardConnect. “For areas that contain sensitive data, this means an entire lock down. If hackers have already gotten in, this will foil their attack by preventing them from getting any data out. These failed attempts then provide network administrators with indicators that can be used to track down compromised machines and remediate. For legitimate business needs for outbound access from sensitive areas, outbound access must be proxied.”
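Wilson's advice to profile legitimate traffic ahead of time and Taggart's egress lockdown translate directly into a small triage routine: a baseline of permitted outbound destinations per role, anything else from the sensitive segment flagged for investigation, and blocked attempts treated as the indicator that points at a compromised machine. The following is an added example, not Arbor's, CardConnect's or any vendor's tooling; the log format, the addresses (RFC 5737 documentation ranges and private space) and the baseline are all constructed.

```python
"""Outbound-connection triage for a PoS network segment (illustration only)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Legitimate traffic profiled ahead of time, as Wilson advises. Constructed for this
# example: PoS terminals may only talk to the egress proxy (Taggart: outbound access
# from sensitive areas must be proxied), and the central management server may reach
# the proxy and the internal patch server over HTTPS. Nothing else is legitimate.
BASELINE: Dict[str, set] = {
    "pos":  {("10.20.0.5", 3128)},
    "mgmt": {("10.20.0.5", 3128), ("10.20.0.9", 443)},
}

# Constructed firewall log format: timestamp, source host, its role, destination,
# destination port, verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) role=(?P<role>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)$"
)

# Constructed sample: a PoS terminal repeatedly blocked reaching an outside host, and
# the management server opening a direct FTP session that the policy failed to block.
SAMPLE_LOG = """\
2014-10-10T02:14:01Z src=10.20.1.15 role=pos dst=10.20.0.5 dport=3128 action=ALLOW
2014-10-10T02:14:07Z src=10.20.1.15 role=pos dst=198.51.100.7 dport=443 action=DENY
2014-10-10T02:14:09Z src=10.20.1.15 role=pos dst=198.51.100.7 dport=8080 action=DENY
2014-10-10T02:15:30Z src=10.20.0.2 role=mgmt dst=10.20.0.9 dport=443 action=ALLOW
2014-10-10T02:16:02Z src=10.20.0.2 role=mgmt dst=203.0.113.44 dport=21 action=ALLOW
2014-10-10T02:17:00Z src=10.30.5.8 role=office dst=203.0.113.9 dport=443 action=ALLOW
""".splitlines()

Finding = Tuple[str, str, str]   # (timestamp, severity, reason)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None when it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason), or None when the event matches the profiled baseline."""
    role = ev["role"]
    if role not in BASELINE:
        return None                      # not a sensitive segment; out of scope here
    if (ev["dst"], ev["dport"]) in BASELINE[role]:
        return None
    dst = f"{ev['dst']}:{ev['dport']}"
    if ev["action"] == "DENY":
        # The lockdown worked. Taggart's point: the failed attempt is itself the
        # indicator that names the machine to examine and remediate.
        return ("high", f"blocked outbound attempt to {dst}; possible exfiltration from a compromised host")
    if ev["dport"] in (20, 21):
        # Wilson's example: the management server initiating FTP outside normal operations.
        return ("critical", f"direct FTP to {dst} allowed through; deviation from baseline")
    return ("critical", f"outbound {dst} not in baseline and not blocked; egress policy gap")


def triage(lines: List[str]) -> Dict[str, List[Finding]]:
    """Group every deviation by source host so each machine can be examined in turn."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is not None:
            findings[ev["src"]].append((ev["ts"], verdict[0], verdict[1]))
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_LOG).items():
        print(host)
        for ts, sev, reason in items:
            print(f"  {ts} [{sev}] {reason}")
```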

Perhaps the most important piece of advice is to pay attention to the warning signs.

“For example, in Target’s breach, calls from the company’s own security advisors in India were apparently ignored,” Ducklin said. “This could have shortened the malware outbreak enormously. At Neiman Marcus, systems were apparently reimaged regularly, but the crooks kept breaking back in. Properly comparing the system before and after reimaging would probably have highlighted the differences and uncovered the malware, instead of papering over the cracks as it did. You probably collect gigabytes of logs. Use them.”
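Ducklin's Neiman Marcus point is that reimaging hides the problem unless the rebuilt host is actually compared with what it is supposed to look like. The script below is an added example (not from the article or from any vendor quoted in it) of that comparison: hash every file of the known-good image once, hash the host again after it is rebuilt and back in service, and report what was added or changed. The directory layout, file names and contents are constructed for the demo, and the "gold" image is built in a temporary directory so the script runs anywhere.

```python
"""Compare a rebuilt PoS host against its known-good image manifest.

Added example, not from the article or from any vendor quoted in it.
snapshot() hashes every file under a root; diff_snapshots() classifies each
path as added, removed, modified or unchanged relative to the gold manifest.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_snapshots(gold, current):
    """Classify every path relative to the gold manifest."""
    gold_paths, cur_paths = set(gold), set(current)
    common = gold_paths & cur_paths
    return {
        "added": sorted(cur_paths - gold_paths),
        "removed": sorted(gold_paths - cur_paths),
        "modified": sorted(p for p in common if gold[p] != current[p]),
        "unchanged": sorted(p for p in common if gold[p] == current[p]),
    }


def _write(root, rel, data):
    """Helper: create a constructed file under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed gold image and a 'post-reimage' host, then diff them."""
    with tempfile.TemporaryDirectory() as gold_dir, tempfile.TemporaryDirectory() as host_dir:
        gold_files = {                      # constructed gold image contents
            "pos/register.exe": b"register v1.0",
            "pos/config.ini": b"gateway=10.50.0.10\n",
            "windows/system32/svc.dll": b"svc v1",
        }
        for rel, data in gold_files.items():
            _write(gold_dir, rel, data)
        gold = snapshot(gold_dir)           # taken once, when the image is built

        # The rebuilt host: two files match gold, the config points somewhere
        # else, and an unknown binary is present (all constructed).
        _write(host_dir, "pos/register.exe", b"register v1.0")
        _write(host_dir, "pos/config.ini", b"gateway=203.0.113.77\n")
        _write(host_dir, "windows/system32/svc.dll", b"svc v1")
        _write(host_dir, "windows/temp/sync.exe", b"constructed unknown binary")
        current = snapshot(host_dir)        # taken after the host is back in service
        return diff_snapshots(gold, current)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "modified", "removed"):
        for path in result[kind]:
            print(f"{kind.upper():9} {path}")
```

In practice the gold manifest is taken from the image itself, not from a host in service, and the second snapshot is taken on a schedule rather than only after a rebuild; a file that shows up as "added" after every reimage is exactly the signal the quote says was being papered over.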

View the original article on SecurityWeek.

Chain Store Age: Experts Weigh in on Kmart Breach
http://www.cardconnect.com/experts-weigh-kmart-breach/
Tue, 14 Oct 2014 18:39:57 +0000

Another retail data breach has swept the country, leaving consumers confused and worried. Industry experts, however, seem frankly unsurprised. With hackers not only becoming more advanced but many retailers not putting the right protection in place, the consensus seems to be that the only solution is change.

Retail magazine Chain Store Age recently sat down with a few of these industry experts to get their take on the Kmart breach. One of the experts interviewed was CardConnect CEO Jeff Shanahan:

“Businesses simply cannot handle raw credit card data. Unfortunately, the majority of them are protecting sensitive information with what hackers see as an unlocked fence. It’s time to put the locks in place, which means an upgrade to malware-resistant point-of-sale terminals that encrypt and tokenize all credit card data from the moment customers swipe their cards. The key is for a business to remove all real touch points with actual card numbers, thus safeguarding its customers in the event of an attack.”
Jeff Shanahan, CEO of CardConnect

Check out what other industry experts had to say and read the full article here.
