The Green Sheet Online Edition
June 09, 2008 • Issue 08:06:01
PCI compliance and beyond
At the 2008 National Restaurant Association tradeshow held in Chicago, May 17 through 20, Boston-based Merchant Warehouse conducted an eye-opening experiment on the tradeshow floor.
Representatives from the decade-old ISO (independent sales organization), which has 45,000 merchants in its portfolio, took credit cards from show participants and showed how a keylogger attached to a Payment Card Industry (PCI) Data Security Standard (DSS) compliant card reader captures card numbers, then cloned the cards in a matter of seconds. The reader's compliance status was beside the point: the swiped data left it in the clear, so anything sitting on the path between reader and POS could copy it.
The demonstration set out to prove three things:
- It is easy to steal cardholder data.
- PCI compliant systems are not airtight.
- A new service from Merchant Warehouse can stop data from being stolen.
The service is called MerchantWARE. It combines:
- A mag stripe reader that encrypts cardholder data at the point of swipe
- The Merchant Warehouse servers where that data is decrypted and then sent over secure networks to financial institutions for processing
- The MerchantWARE Payment Gateway, where merchants can look up individual transactions when a payment must be voided or a chargeback arises
According to Merchant Warehouse, encrypting data at the card reader satisfies five of the 12 PCI DSS requirements outright, relieving small and mid-sized merchants of much of their compliance burden. (The company did not say which five; in practice the benefit is that the merchant's own systems never hold cleartext cardholder data, which narrows the scope of what must be assessed.)
Henry Helgeson, President and co-Chief Executive Officer at Merchant Warehouse, believes that securing merchants' internal networks borders on the impossible.
"What they're trying to do with things like virus protection and firewalls and strong passwords is lock down the private network," he said. "It's really tough to do that. ... Certainly, you're going to have more success and deter it, but if somebody really wants to get in there, they'll find a way in."
That is why, Helgeson claims, Triple DES (Data Encryption Standard) encryption at the POS is the easiest and most effective solution for merchants. Merchant Warehouse uses the MagneSafe Secure Card Readers made by Magensa, a subsidiary of MagTek Inc., to do that.
"The MagTek reader on its own is a great product, but the problem is you need a back-end to manage it," Helgeson said. Merchant Warehouse supplies that back-end through MerchantWARE.
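The following Go program is an added illustration of the architecture described above (encrypt at the swipe, forward opaque ciphertext through the merchant's POS, decrypt only at the processor's back end); it is not Merchant Warehouse, MagTek or Magensa code, and it makes no claim about how MagneSafe readers actually format or key their output. The Track 2 string, the PAN, the 24-byte 3DES key and the IV-plus-hex wire format are all constructed for the example. It contrasts a legacy reader that emits the track in the clear (the situation in the tradeshow demonstration, where a keylogger captured card numbers) with an encrypting reader whose output a keylogger can see but not use, and shows the processor recovering the track with the key the POS never holds.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample data: a Track 2 record in the usual ;PAN=YYMM...? layout
// and the PAN inside it. Not a real card.
const (
	samplePAN    = "4111111111111111"
	sampleTrack2 = ";" + samplePAN + "=25121010000012345678?"
)

// readerKey stands in for the 3DES key provisioned into the reader and held by
// the processor's back end. The merchant's POS never has it. Hypothetical value.
var readerKey = []byte("0123456789abcdefghijklmn") // 24 bytes: three DES subkeys

// legacyReaderOutput models a non-encrypting (keyboard-wedge style) reader:
// the POS, and any keylogger on it, receives the track exactly as swiped.
func legacyReaderOutput(track []byte) string { return string(track) }

// pkcs7Pad/pkcs7Unpad bring the track to a whole number of 8-byte DES blocks.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptAtSwipe models the encrypting reader: the plaintext track exists only
// inside the reader, which emits IV and 3DES-CBC ciphertext as "ivhex:cthex".
func encryptAtSwipe(key, track []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(track, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(iv) + ":" + hex.EncodeToString(ct), nil
}

// keyloggerSeesPAN is the attacker's view: does what the POS received contain
// the card number?
func keyloggerSeesPAN(observed, pan string) bool { return strings.Contains(observed, pan) }

// processorDecrypt models the back end that holds the reader key.
func processorDecrypt(key []byte, wire string) ([]byte, error) {
	parts := strings.SplitN(wire, ":", 2)
	if len(parts) != 2 {
		return nil, errors.New("malformed wire record")
	}
	iv, err := hex.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	ct, err := hex.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if len(iv) != des.BlockSize || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("bad IV or ciphertext length")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, des.BlockSize)
}

func main() {
	track := []byte(sampleTrack2)
	legacy := legacyReaderOutput(track)
	fmt.Println("legacy reader -> POS:", legacy, "| PAN visible:", keyloggerSeesPAN(legacy, samplePAN))
	wire, err := encryptAtSwipe(readerKey, track)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypting reader -> POS:", wire, "| PAN visible:", keyloggerSeesPAN(wire, samplePAN))
	pt, err := processorDecrypt(readerKey, wire)
	if err != nil {
		panic(err)
	}
	fmt.Println("processor recovered:", string(pt))
}
```

Two practical notes. The IV is fresh per swipe, so the same card produces different ciphertext each time and a sniffer cannot correlate swipes by ciphertext; and the POS is deliberately a pass-through with no key, which is the property that keeps cleartext PANs off the merchant's network. The article names Triple DES because that is what the product used in 2008; the same design is built today on AES with per-swipe derived keys (DUKPT), and CBC without an authentication tag, as shown here, protects confidentiality only.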
Through merchants' POS terminals or online, merchants can access the MerchantWARE gateway to call up individual transactions and "pull down the reports into their system in real time, anytime they want, so there's nothing stored on their database," Helgeson said.
Even PCI compliant businesses are getting hacked, Helgeson noted. "We believe that if [MerchantWARE] had been in place at the Hannaford Bros. stores and Okemo Mountain [Okemo Mountain Resorts in Ludlow, Vt.] and even Dave & Buster's, this would have prevented those breaches," he said.
But Merchant Warehouse is also looking to the future. It has already set up its system to support what it thinks will be the vanguard of card data security: MagTek's MagnaPrint technology, which "scans" the payment card's mag-stripe for its unique signature.
The characteristics of each mag-stripe are as unique as a fingerprint - no two mag-stripes are identical.
"Of course, there is no way to validate the [MagnaPrint] data yet," Helgeson said. "But when it does become available, merchants don't have to go back and redo anything in their software." Merchant Warehouse will just turn on the MagnaPrint feature on its end, giving merchants greater peace of mind when it comes to data security.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.