Townsend Security Data Privacy Blog

3 Reasons Retail ISVs Should Use OEM Encryption Key Management

Posted by Luke Probasco on Jun 11, 2013 8:39:00 AM

Today there are hundreds of independent software vendors (ISVs) selling niche retail management software and payment applications designed for various types of businesses. Every retail ISV must certify each payment application that processes credit card data under the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS). This certification verifies that the software handling customer credit and debit card information encrypts that data and protects the encryption keys.

Although all retail ISVs must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements. Good encryption and key management is the cornerstone of good security. When retail ISVs don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave their customers vulnerable to data breaches.

In order to protect customers, retail management software vendors can upgrade their encryption and key management solutions. Townsend Security offers industry standard AES encryption and certified key management that ease the burden of data security with these three features:

1. Reduced Cost and Complexity

Getting a new encryption key management project off the ground is difficult when you have to justify doing the project a second time. Encryption key management has a reputation for being both costly and difficult, which is partly why many encryption key management projects are rushed through certification on the bare minimum requirements. That reputation was accurate ten years ago, but today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help businesses achieve this by offering encryption key management that is easy and fast to deploy, has an easy and cost effective licensing model, and has OEM or “white label” options, because we don’t believe issues around branding should get in the way of good data security.

2. Certifications

We supply NIST and FIPS 140-2 certified encryption and key management, or we’ll help you achieve FIPS certifications for your solution. Retailers, especially at the enterprise level, are becoming more and more savvy about the need for certified solutions, and their demand is increasing. NIST and FIPS certifications ensure that their encryption key management has been tested against government standards and will stand up to scrutiny in the event of a breach.

3. Protect Your Customers from Data Breaches

As we see time and time again in the news, retailers still experience data breaches through their payment application software, despite the fact that these applications have a PA-DSS certification. This tells us that certifications don’t always equal good security. In order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and in transit using industry best practices. If your customer experiences a data breach, and you have implemented adequate security that renders the data that was compromised unreadable, you will be not only your customer’s hero, but your own company’s hero as well.

Retail ISVs and payment application software companies also need to know that although they  have certified their solutions with PA-DSS, these standards, like all PCI standards, are not set in stone. Data security is constantly evolving to meet the challenges of new threats that are always surfacing. Retail ISVs need to be aware that just because their solution has been certified, their encryption and key management practices might not suffice during their next certification.

Townsend Security has redefined what it means to partner with a security company. With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. We’ll help you turn encryption and key management into a revenue generating option to help build your business and protect your valued customers.

Topics: Retail ISV, Point of Sale (POS)

The Right Data Security Partner Can Make a Difference!

Posted by Michelle Larson on Jun 10, 2013 11:03:00 AM

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers, because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management, and we believe that good encryption and key management is the cornerstone of good security. Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity

I know... you are thinking “Key management is both costly and difficult.” While that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost effective licensing model, and we will even OEM or “white label” for you, because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. Just because a solution has been certified once, outdated encryption and key management practices might not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll help you achieve your own FIPS certification under our OEM program. In order to confidently protect your customers, NIST and FIPS certifications ensure that encryption key management has been tested against government standards and will protect compromised data in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend Security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.

As always, we welcome your comments and questions! 

Topics: Payment Applications, Point of Sale (POS), Encryption Key Management, partners, ISV

Top 3 POS Security Issues Executives Should Be An Expert On

Posted by Michelle Larson on Jun 7, 2013 2:26:00 PM

Are you providing your customers with the very best in point of sale (POS) data security?

On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that costs companies billions of dollars in lost value and remediation costs. Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative. Many CEOs think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. The truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.

1. Know Your Data Breach Risks – Ask the Right Questions!

As CEO, security and risk management are your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach. Most payment application vendors offer encryption and key management; however, not all of them are following best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, ensuring that the data a hacker retrieves from a compromised system is functionally unusable.

With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share.

So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you had.

Here are some sample questions:

  • Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
  • What type of encryption do we use in our payment application for data at rest?
  • How are we protecting encryption keys?
  • Are any of the encryption keys stored on the same server with the protected data?
  • Are we protecting our encryption keys with an HSM?
  • Are we using industry standard encryption and key management?
  • Are our encryption and key management solutions NIST certified?

There are straightforward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.

2. Know What Your Customers Fear – Think Like a Hacker!

Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.

Help gain your customers’ trust by training them on the importance of good password management and system log monitoring as part of their overall POS security efforts.

  • A surprising number of retailers never change the factory passwords on their POS systems, and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes. Make sure your customers know best practices and you’ll be their hero!
  • Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks, going undetected for months or even years. Yet a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files. Do you train your customers in the importance of monitoring their system logs in real time?

3. Proactive Security Planning – Use Best Practices To Start With!

Keeping on top of point-of-sale security is essential for every business. Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.

An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.

In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Business risks associated with unprotected sensitive data
  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions
  • Actionable steps YOU can take

Topics: Best Practices, Point of Sale (POS), Executive Leadership

3 Advantages of OEM Encryption Key Management for POS Vendors

Posted by Luke Probasco on Jun 7, 2013 9:48:00 AM

When it comes to encrypting credit card numbers to meet PCI security regulations and prevent data breaches, point of sale (POS) vendors selling payment application software often implement encryption key management that is cobbled together and doesn’t meet best practices. For POS vendors who supply retail businesses with complete cash register systems, including POS terminals and payment application software, inadequate key management solutions leave retailers vulnerable to data breaches.

Although all POS vendors must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements.

Although their vendors have passed the test, retailers are still experiencing some of the largest data breaches because their POS vendors don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data.

At the end of the day, individual businesses are responsible for their own data security; however, POS vendors offering payment application software can boost their own security posture and protect their own reputation by offering better encryption key management for credit card numbers to their customers. Database administrators and information security officers in retail companies can ease their fear and anxiety about their POS solutions. They can rest easy if their POS vendor provides a FIPS-certified encryption and key management solution with these three advantages:

1. Encryption Key Management that is Easy to Use - Good encryption key management should be easy to install, configure, evaluate, license, and sell to end users. Townsend Security’s 1U server plugs right into your IT infrastructure and requires no on-site technician to install. Our cross-platform encryption key management HSM integrates seamlessly into Microsoft, IBM i, Linux and other legacy platforms. Our team provides training, OEM integration, NIST and FIPS certifications, marketing materials, and consistent back end support as well as sample code, binary libraries, applications, key retrieval and other tools you and your customers need to implement encryption and key management fast and easily.

2. Encryption Key Management that is Cost Effective - Small and mid-sized retailers are a growing target of hackers because these companies tend to have less data security. These companies, however, need to secure their sensitive data and must meet compliance regulations just like larger businesses do. We strongly believe that cost should not be a barrier to any business. Townsend Security offers cost-effective licensing and easy deployment for seamless integration in less time and at an affordable price. We also offer OEM and “white label” options to save time and pain around branding. The average data breach costs a company $5.5 million. With better encryption and key management, you can save your customers millions of dollars.

3. Encryption Key Management that Protects Your Company in the Event of a Breach - In today’s technology climate, data breaches are no longer a matter of “if,” but “when.” Even the strongest networks can be hacked. The only way to secure data is to encrypt the data itself, thereby making it unreadable and unusable to unauthorized users. However, the encrypted data is only as safe as the encryption keys! In the retail industry, the responsibility of a data breach will fall on the retail company that experienced the breach, as well as the POS and software vendors. If a breach occurs to one of your customers, encryption key management will protect your customers and protect your own organization as well.

Almost every single POS vendor offers encryption and key management for their payment applications, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

The last thing a POS vendor wants is a data security plan that looks good on paper but doesn’t deliver when the going gets tough. The good news is that the right tools are easily available to companies who want to not only meet, but exceed compliance and prepare for evolving data security standards. “Good security breeds good compliance and not the other way around -- compliance is the low bar,” says Mark Seward, senior director of security and compliance for Splunk. With a Townsend Security partnership, POS vendors can offer their customers industry standard and NIST/FIPS certified solutions by implementing an OEM encryption key manager that is customized for their specific applications.

Topics: security, Payment Applications, Point of Sale (POS)

3 Reasons Point of Sale (POS) Vendors Should Offer Encryption Key Management

Posted by Luke Probasco on May 28, 2013 8:01:00 AM

In a world where data breaches are occurring nearly every day, and data security in many organizations looks more like a sieve than a safeguard, using a strong encryption and key management solution is a must. Protecting sensitive data using encryption, and protecting encryption keys using a strong encryption key management hardware security module (HSM), is so important today that it is strongly recommended, if not required, by most data security industry regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.

If encryption and key management are so critical to protecting data, why are so many data breaches occurring every week? This is especially an important question to ask merchants and retail companies whose encryption and key management strategy has already passed a PCI test in order to operate their POS systems. Although they’ve passed the test, many are still the easiest targets for hackers and seem to be the most susceptible to data loss in general.

At the end of the day, individual businesses are responsible for their own data security, but POS vendors can boost their own security posture and industry leadership by offering better encryption and better encryption key management solutions to their customers. Since encryption and key management are necessary components of POS systems, providing customers with third-party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give a POS vendor these critical advantages:

  1. Competitive Advantage - As we have seen over the past few years, industry regulations such as PCI-DSS and HIPAA/HITECH continue to become more stringent. POS vendors offering NIST-certified encryption key management will only retain customers if they can offer encryption key management solutions that fall in line with these regulations.
  2. Protect Customers to Protect Yourself - When a data breach occurs, two parties take the most heat: the CEO and the software vendor whose solution was inadequately protecting the data. Retailers who experience data breaches due to poor encryption and key management techniques employed in their POS systems will likely blame their vendor and are more likely to migrate to a competitor.
  3. Offer a Higher Quality Product and Generate New Revenue - Almost every single POS vendor offers encryption and key management on their devices, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

In our opinion, POS vendors should absolutely offer their customers the best encryption and encryption key management solutions that are out there. It is clear that many POS vendors are not offering their customers the best data security tools, and the evidence is in the data breaches that happen nearly every week. POS vendors can offer their customers industry standard and certified solutions by implementing an affordable OEM encryption key management solution that is customized for their specific applications.

Topics: Point of Sale (POS), Encryption Key Management, OEM

4 Things a Point of Sale (POS) Vendor Can Do to Avoid a Data Breach

Posted by Luke Probasco on May 20, 2013 2:19:00 PM

It was revealed earlier this month that the St. Louis-based supermarket chain, Schnucks, had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside hacker. Schnucks is currently involved in a class action lawsuit over the breach and possible leak of credit card info by its card processing company.

Currently the news reports that this breach occurred because:

  1. Leaders in the company don’t think that anything is wrong with their data security. According to a survey by CORE Security only 15% of CEOs are very concerned about network vulnerability; however, 65% of security officers “admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.”
  2. The point of sale (POS) and retail management software that retail companies use to process their customer’s card information often use inadequate security tools and minimal security best practices.

Data breaches caused by faulty security in credit card processing machines and software are surprising to most people because we expect credit card processing companies to protect our card information and personal data. In fact, credit card processing companies are mandated by the Payment Card Industry Data Security Standards (PCI-DSS) council to use encryption and encryption key management in order to sell their point of sale (POS) devices and retail management software to businesses such as Schnucks.

Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions that have been cobbled together with the bare minimum requirements. If asked if they still felt exposed with their current data security solution, many database administrators will respond with a resounding, “YES.”  As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach!

This has revealed a truth that is becoming more and more evident:

Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.

Schnucks could have most likely prevented this data breach by having chosen a POS vendor and retail management software ISV who offered these guarantees:

  1. Encryption - Always use industry standard encryption such as AES encryption.
  2. Encryption key management - Companies encrypting data should always protect their encryption keys using an encryption key management hardware security module (HSM). This is a critical component to securing sensitive data.
  3. System logging - A good system logging solution can help you catch and prevent changes to your network in real-time in order to prevent a data breach.
  4. Certifications - Your POS and retail management software provider should have encryption and key management with NIST and FIPS certifications. These certifications ensure that your encryption and key management solution are up-to-date with the highest standards.
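Item 2 above, like the HSM point in the earlier post, rests on one design property: the key that unlocks the data never resides on the server that stores the data. The following Python, an added example and not Townsend Security's code, shows envelope encryption with a key-encryption key (KEK) held by a separate key server, beside the weak design where the same KEK is a file on the application server; a full image of the application server yields every card number in the weak design and nothing in the separated one. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream with an HMAC tag) so the script runs without third-party packages; a real deployment would use AES-GCM from a certified library, and the key-separation argument does not depend on the cipher.

```python
# Constructed demo: the cipher below is a stdlib stand-in for AES-GCM, chosen only
# so this runs with no third-party packages. The point is where the KEK lives.
import hashlib
import hmac
import os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC under separate enc/mac subkeys: nonce || ct || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("tag mismatch: wrong key or tampered record")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class KeyServer:
    """Stand-in for a key-management HSM on a separate host: the KEK never
    leaves it; the application only gets wrap/unwrap operations."""
    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, dek):
        return seal(self._kek, dek)

    def unwrap(self, wrapped):
        return unseal(self._kek, wrapped)

    def on_app_server_disk(self):
        return None  # no part of the KEK is ever written on the application server

class LocalKeyFile(KeyServer):
    """The weak design: same API, but the KEK is a file on the application
    server, so a full dump of that server includes it."""
    def on_app_server_disk(self):
        return self._kek

class PaymentStore:
    """Application server holding sealed card numbers and wrapped per-record DEKs."""
    def __init__(self, keys):
        self._keys = keys
        self.rows = {}  # record id -> (wrapped DEK, sealed card number)

    def store(self, rec_id, pan):
        dek = os.urandom(32)  # fresh data-encryption key per record
        self.rows[rec_id] = (self._keys.wrap(dek), seal(dek, pan.encode()))

    def read(self, rec_id):
        wrapped, sealed = self.rows[rec_id]
        return unseal(self._keys.unwrap(wrapped), sealed).decode()

    def disk_image(self):
        """Everything a full copy of this server hands to whoever takes it."""
        return {"rows": dict(self.rows), "kek": self._keys.on_app_server_disk()}

def recover_from_image(image):
    """What a stolen image of the application server yields: every card number
    when the KEK was on that box, nothing when it only lived in the key server."""
    if image["kek"] is None:
        return []
    return [unseal(unseal(image["kek"], w), s).decode() for w, s in image["rows"].values()]
```

The same check answers the executive question from the earlier post, "Are any of the encryption keys stored on the same server with the protected data?": if `disk_image()` can ever return a non-empty `kek`, the answer is yes.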

Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.

Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data quickly, easily, and at a competitive price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back end support to help our partners and their customers achieve peace of mind.

Topics: Point of Sale (POS), Data Breach