Locking Out Data

Perkins Restaurant & Bakery hosts thousands of hungry patrons each day, many of whom use a credit card to pay for their pancakes. Data security is a concern of its customers and an ongoing responsibility for the merchant.

To meet its responsibility and ease concerns, Perkins turned to TransactionVault from enterprise and payment solution provider Merchant Link. Credit card information is housed in Merchant Link’s secure “vault” so that data does not reside in the merchant’s system, where it might be vulnerable to hackers.

“We didn’t integrate credit cards through our point of sale until 1999,” says Carla Bray, director of restaurant automation for the Memphis, Tenn.-based operator and franchiser of nearly 500 full-service restaurants throughout the Midwest, Florida and Pennsylvania. “Data security really wasn’t a big issue then.”

Since 2001, Perkins has used a private satellite network that connects to Merchant Link through Spacenet. Silver Spring, Md.-based Merchant Link currently supports more than 100,000 hotels, restaurants, retailers, ballparks and other venues and maintains connectivity to the major U.S. credit card processors.

Because of its existing relationships with Merchant Link and POS provider MICROS, Perkins did not look at any other systems before choosing TransactionVault for credit card data security.

Perkins hit the ground running with TransactionVault last year and implementation was easy, Bray says. The restaurants were already familiar with Merchant Link and credit card look-up, so training was not an issue. A third party completed all installations during non-business hours.

One of the primary reasons Perkins chose TransactionVault was to aid in PCI compliance. “We wanted to follow the law and not have any critical information at store level, regardless of whether we were on a private network or not,” Bray says. “We know now … there’s no risk of anybody being able to get anything out of our stores.”

Bray says she now has three reports waiting for her when she arrives at the office each morning. “The system gives me a list of stores for the previous day that didn’t settle, another of those that had more than one batch and a third list of stores that did settle, with the details such as the number of transactions and dollar amounts,” she says. “Based on this, I can immediately react.”

Partnering with POS
TransactionVault’s integration into merchants’ POS systems greatly simplifies the data security process. First, the POS sends the credit authorization request to the Merchant Link network, which forwards the request to the processor. Then the processor returns the authorization response to Merchant Link where customer data is stored in its secure database or “vault” with an assigned key.

The authorization response and key head back to the POS, which retains the masked credit card number and key in its database. The system wipes all occurrences of the full credit card number and tracking data from the database.

At end-of-day settlement, the POS sends Merchant Link that day’s transactions and the TransactionVault key. Merchant Link then substitutes the keys for actual card numbers and sends the settlement to the processor.

While no customer data resides at store level, merchants still have access to it when needed. If a financial change is necessary, such as an overcharge or undercharge, customer data can be integrated to back-end systems.

Part of TransactionVault’s allure “is that customers who aren’t into data security or are not technology experts … can use the system,” says Chris Justice, president of Merchant Link.

There is no single solution that covers all 12 PCI requirements (also known as the Digital Dozen), he says, but TransactionVault helps to mitigate six of them – including the protection of stored cardholder data, the No. 1 issue that causes merchants to fail audits, according to Trustwave and VeriSign.

Updates to TransactionVault are non-intrusive on merchants’ POS and instituted most times without the merchant’s involvement.