SECURITY

APRIL/MAY 2016
THE
SECURITY
ISSUE

INDEX
ISSUE 90 | APRIL/MAY 2016 connect
connect Executive Editor
RSPA Education Manager
AMurdock@GoRSPA.org
RSPA 2016 SPONSORS
PLATINUM LEVEL SPONSORS
Our Table of Contents has been temporarily disrupted! For the Connections and Association Updates you
Need, see the blue and red boxes below. Our regular TOC format returns in our next issue.
When you see these icons...
Conversation
Starters
Statistics
Take special note! The Conversation Starters will help you
have deeper conversations with your customers or your
future partners. The Statistics can provide color to those
conversations, all to help you close more deals!
AMBER MURDOCK
GABBY COOR
connect INFO
DEADLINES
June/July/August - Summer edition
Ads & Content: May 9
PAID ADVERTISING INDEX
APG (18)
BlueStar (22)
Business Solutions Magazine (10)
Cayan (16)
Datacap (32)
Discover (23)
EPSON (6)
Harbortouch (35)
Heartland (28)
RSPA CONTACTS
connect Layout/Production Manager
RSPA Graphics Specialist
GCoor@GoRSPA.org
connect Staff Contributors (April/May):
Kelly Funk
Stephen Gift
September/October
RetailNOW® 2016 Recap
Ads & Content: August 22
MMF (12)
Merchant Link (13)
Moneris (9)
NEC (25)
Payment Logistics (27)
ScanSource (20)
Star Micronics (7)
Synnex (30)
Vantiv/Integrated Payments (15)
Communications: 704.940.9729 | Publications@GoRSPA.org
Education: 704.940.9729 | Education@GoRSPA.org
Member Services: 704.940.9720 | Membership@GoRSPA.org
connect Issue 90 April/May 2016 (USPS 70)
POSTMASTER:
Send address changes to RSPA:
9920 Couloak Dr., Unit 120, Charlotte, NC 28216-2460
Published six times a year by Retail Solutions Providers Association.
P 800.782.2693 • F 704.357.3127 • E Publications@GoRSPA.org
Visit www.GoRSPA.org for subscription information and/or
advertising rates. Items or information you would like to see
published in connect may be sent to the above email address.
Materials may not be reproduced without permission.
© Copyright 2016 by RSPA
GOLD LEVEL SPONSORS
SILVER LEVEL SPONSORS
FOUNDING EDUCATION PARTNERS
EDUCATION PARTNERS
MEDIA PARTNERS
*Premier Media Sponsor
W2W COMMUNITY
founding sponsor
For a list of Canadian Community Sponsors, please see page 33.
How do I become a sponsor? www.GoRSPA.org
CONNECTIONS
04
President's Note
05
RSPA News &
Education Calendar
SPECIAL SECURITY SECTIONS
TECHNOLOGY
& KNOWLEDGE
TAKEOVER
SECTION 1: SECURITY
PREPPING FOR YOUR
BUSINESS...7
RSPA HELPS MEMBERS WITH SECURITY RESOURCES
BY: AMBER MURDOCK...8
DEVELOPER PARTNER SECURITY CHECKLIST -
DUSTIN NIGLIO, PAYMENT LOGISTICS:...11
SECTION 2: PROTECTING
THE GOODS...13
DIGITAL JOURNEY LEVERAGING NEW TECHNOLOGY IN
LOSS PREVENTION
BY: WILLIAM M. TITUS...14
TAKE IT TO THE BANK
BY: ANNE GRAY...18
DEVELOPER PARTNER SECURITY CHECKLIST -
DAVID GUDJONSSON, HANDPOINT...21
SECTION 3: SECURING
THE PAYMENT...23
PCI CHANGES DATE FOR MIGRATING FROM SSL AND
EARLY TLS...24
NEW POS SECURITY REQUIREMENTS AFFECT INDUSTRY
PARTNERS
BY: PAUL ST. GEORGE...26
RSPA SECURITY RESOURCES/10 STEPS AFTER A DATA
BREACH...29
DEVELOPER PARTNER SECURITY CHECKLIST - TODD
BURGE, FOOD ONLINE ORDERING SYSTEMS, LLC...31
ASSOCIATION
32
Special Contributors
33
Canadian Corner
34
In Memoriam
John Lockington
35
Calendar of Events
TABLE OF CONTENTS
2 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 3

THE CONNECTIONS YOU NEED
THE CONNECTIONS YOU NEED
RSPA President's Note
Spring is in the air—that means daffodils,
warmer weather, and… security.
Wait—security?
Really, isn’t that a concern for all of us yearround?
Yes—I would say it is, but given the
higher level of interest and engagement in
recent months—I’d venture to say security
may be THE hottest topic in the industry this
season.
Recently, I spent several days at the NCC
dealer meeting. PCI, EMV, and Liability were
the focus of many of the conversations
that took place there. In the midst of so
much information (and, frankly, confusion),
I was again reminded of the important role
RSPA plays in helping our members. We
are committed to continuing to be your goto
resource. We are frequently updating
our website, www.GoRSPA.org, with new
content and news, as it becomes available to
us. We are providing access to certifications
and education to help you increase your
knowledge (www.GoRSPA.org/Education).
At RetailNOW®, in Dallas, July 31 - August
3, we will be providing live sessions on a
variety of topics, including security; oh yes,
and Josh Klein, former hacker and current
technologist will be our closing speaker,
sharing his thoughts on concerns that are
near and dear to us.
Yes—security is the current hot topic, which
will continue to be top of mind for most of us
in the foreseeable future. Much like, I hope,
RSPA is for you—there at the forefront, when
it’s most important, but also a consistent
partner you can count on year round.
Happy Spring!
Kelly T. Funk
RSPA President & CEO
Phone: 704.940.4274
Email: KFunk@GoRSPA.org
RSPA Scholarship Program—now accepting applications!
deadline to apply: May 27, 2016
Find out more at www.GoRSPA.org/Scholarship
OUR MEMBERS HAVE
NEWS TO SHARE.
• iPayment, Inc. Announces
Partnership with Harley Financial
• Future POS Certifies to Vantiv
Integrated Payments for EMV
Solution
• Heartland, Computop
Collaborate to Offer Heartland
Customers Secure International
Payment Processing
• Recognized Payment
Integrations Expert Bill Pittman
Joins Sterling Payment
Technologies
• Touch Dynamic Announces
Arrival of New All-In-One Touch
Terminal
• TSYS and Handpoint to Offer
Mobile EMV
Find these stories and
more industry news at
www.GoRSPA.org or
scan the QR code
Want to publish news about your
company? You must be an RSPA Member,
and you may send your business
announcements and press releases to
Publications@GoRSPA.org.
We want to hear from you.
Email it:
Publications@GoRSPA.org
Tweet it:
@InsideRSPA
Post it on Facebook:
www.facebook.com/InsideRSPA
Upcoming RSPA Education
Whether it’s live or online, RSPA has training options available for you and your
team, and on your schedule. Check out what’s in store, so far, for 2016. The
schedule is updated regularly, so please check our website: www.GoRSPA.org
for the latest updates to our calendar!
Wednesday, May 18th | 2PM:
What's New and Upcoming in SMB Cash Management Solutions?
Presented by Stephen Bergeron, APG Cash Drawer & Peter Wolf,
Glory Global Solutions
This webinar will showcase cash management solutions with tangible ROI
and proven benefits, adding value to your customer relationships – while
increasing your bottom line.
Topics will include:
• Increase hardware and services sales with cash management solutions,
including smart cash drawers, electronic coin dispensers, cash counting
solutions & cash recycling
• Sell cash management solutions that protect from employee theft
• Improve customer cash transaction times by 5-8 seconds
• Increase cashier proficiency and reduce training time
• Exponentially reduce shortages daily
WEBINARS NOW ON DEMAND:
⊲⊲
The Nuts and Bolts of PCI QIR Certification: For RSPA Members
Instructor: Ashley Naggy, RSPA’s Certification Program Leader
⊲⊲
The State of U.S. EMV Adoption: Perspectives from the RSPA's EMV
Committee | Presented by: RSPA's EMV Committee
To Access, visit www.GoRSPA.org and
click on the 'Knowledge' tab.
Want to subscribe to
Connect magazine?
Contact Publications@GoRSPA.org
To take advantage
of all RSPA member
benefits, join!
Contact Membership@GoRSPA.org or
visit www.GoRSPA.org/Join
4 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 5

SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
Security Prepping for
Your Business
Positively Outstanding Solutions
Being a security subject matter expert is important
for every VAR. Whether it’s physical security,
network security, payment card security, or
providing merchant customers with the protection
they need to retain their profits, security is now
a VAR’s priority. And, if it’s to provide both a safe
cyber and physical environment for a merchant’s
customers, who, in today’s world, will make buying
choices based on how secure their data might
be… retail technology professionals have the
opportunity to be the solution provider that helps
merchants attract and retain their customers.
As a member of the RSPA, VARs have a number
of resources available to help in building their
security business. RSPA’s legal benefit provides
members with free consultations with RSPA
Attorney Robert C. Goldberg, as well as a number
of form templates that will help members in all
aspects of security protection, ranging from
background checks to EMV liability waivers.
RSPA’s Professional Development program
provides exclusive member discounts to industryrecognized
certification programs, significantly,
the PCI Council’s Qualified Integrator and Reseller
(QIR) certification.
# of retail breaches
in 2014
Source: Verizon DBIR, 2015
were POS intrusions
were payment
card skimmers
Source: Verizon DBIR, 2015
According to Verizon’s 2015 Data Breach Investigations
Report (DBIR), the majority of retail breaches were
caused by POS intrusions. Yes, this means that POS
systems are a vulnerable point in the cybersecurity
chain. And, it means that protecting the POS and
reducing vulnerabilities provides a prime opportunity
for RSPA VAR members to provide additional value to
their merchant customers.
TM-T88V
TM-H6000IV
TM-U220 OmniLink
®
i
TM-m30 TM-m10
Mobilink P80 Plus
NEW MOBILE POS
For over 30 years, Epson has been a leader in the POS industry. Our POS printers are at the heart of thriving retail
and hospitality businesses around the world. With the broadest product line available, Epson has set the standard
with solutions that deliver unmatched reliability, speed and fl exibility. And we’re continuing to lead the way forward
with our innovative, new tablet POS solutions, all designed with one goal in mind: your success. To see our latest
solutions, visit epson.com/pos
EPSON is a registered trademark and EPSON Exceed Your Vision is a registered logomark of Seiko Epson Corporation.
Mobilink is a trademark and OmniLink is a registered trademark of Epson America, Inc. Copyright 2015 Epson America, Inc.
6 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 7

SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
RSPA Helps Members with Security Resources
By: Amber Murdock
RSPA works diligently to ensure members are adequately prepared for security concerns. Our website is the best
source for up-to-date information on security. One particular members-only resource is the “Join” section of our
website at www.GoRSPA.org/Join. According to many of our members, one of the premier benefits of membership is
the legal benefit. In the Join section, you can find a path to all of the legal templates available to members. Templates
include several documents you can use to bolster strategic security planning for you, and your customers.
RSPA's Background Authorization Form
“One of the QIR Company Administrative
Requirements include logistics of doing business, like
background checks. Background checks are required
for QIR certified company employees.”
ARE YOU U.S. EMV
READY? WE ARE.
Ashley Naggy, RSPA Certification Lead
EMV Compliance Waiver
“Waivers are not absolute protection from customer claims, but they
are an excellent defense. A waiver establishes that the current
industry requirements were communicated, however the customer
declined the upgrade or installation. The waiver also emphasizes
to the customer the importance of the requirement and prior
to signing the customer may reconsider the initial decision. If a
customer refuses to sign, note that on the form, sign, and date it.”
Bob Goldberg, RSPA Attorney
Partner with Moneris, the EMV leader
U.S. EMV Developer Ready Specs for quick and easy integration
A layered approach to data security including EMV,
end-to-end encryption and tokenization
More experience in EMV implementation than any
other payment processor in North America
RSPA's Data Breach Action Plan
“The need for a data breach action plan for RSPA members grew
out of necessity. We knew of resellers trying to help a breached
merchant once the breach had already occurred. A plan helps
the reseller be prepared, plus, it provides an additional talking
point in a sales or service conversation.”
Kelly Funk, RSPA President & CEO
number of security breaches that occurred in American
Restaurants, hotels, grocery, stores, gas stations, and other
brick-and-mortar outlets
Source: Verizon DBIR, 2015
Let us help you become EMV ready today!
Contact our strategic partner team at
866-423-8475 or partnerships@moneris.com
Visit monerisusa.com/EMV for details on EMV
8 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 9

SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
SECTION 1: SECURITY PREPPING FOR YOUR BUSINESS
DEVELOPER PARTNER SECURITY CHECKLIST
Business Solutions Magazine
was humbled to win the Gold
Award for Reseller Support
Services for the sixth year in
a row at RetailNOW.
We’ve worked hard for the
past 29 years to educate and
support the retail IT channel,
and it’s an honor for you to
consider us a valued resource.
Rest assured we’ll work even
harder in the coming year to
prove that we deserved the
accolade you placed upon us.
You are what makes the
industry great. Together, we’ll
make it even greater.
Editor’s Note: As the POS industry continues to morph and the way
services are delivered continue to evolve, we here at RSPA realize
how crucial the VAR-ISV relationship has become in creating a
thriving industry. In the spirit of the Security Issue, we wanted to
provide RSPA members with some security talking points as they
are entering into partnerships with developers. As data/payment
card security looms as the industry’s biggest security issue of
the past few years, we asked several RSPA members to provide
VARs with insight on how to have constructive and informative
conversations with their future developer partners.
What are 3 questions you suggest that
VARs ask a developer partner about
data security/cyber security before they
decide to partner with them?
☐☐
Is DSS?
your POS application in-scope of PA-
If the POS application is in-scope
DN
of PA-DSS, then the VAR must
become QIR certified pursuant to the new
rules being put in place by Visa. Being
QIR certified is much more involved than
simply passing a test. On the other hand,
there are certain semi-integration payment
technologies in the market today which
utilize a payment terminal to process the
transaction and completely remove the
POS application from the scope of PA-DSS
and PCI-DSS compliance. Implementing
a semi-integrated payment terminal is
very similar to implementing a standalone
payment terminal and does not necessarily
require the VAR to be QIR certified.
☐☐Which SAQ (A, A-EP, B, B-IP, C, C-VT,
P2PE-HW, D) will merchants utilizing your
system be subject to if your system is the
only one they utilize to process credit and
debit card payments?
Acquirers require merchants in their
DN
portfolio to validate compliance
with the PCI DSS. As part of validating
compliance, most small and medium
sized merchants must complete a Self
Assessment Questionnaire (SAQ) that was
developed by the Payment Card Industry
Security Standards Council. SAQ C and D
are the most common SAQs for merchants
using POS systems with integrated
payments. These SAQs are also the most
challenging and because of this, merchants
often times end up misrepresenting the
truth on the questionnaire in order to
get a passing grade. On the other hand,
merchants that are subject to SAQ B-IP or
SAQ P2PE-HW have a much easier time
completing the questionnaire in a forthright
manner and receiving a passing grade.
Selling a system that subjects the merchant
to SAQ B-IP or P2PE-HW gives the VAR a
competitive advantage in the marketplace.
☐☐Are you EMV live today?
DN
insight provided by
Dustin Niglio, CEO,
Payment Logistics
Many POS systems are “EMV Ready”
but not yet live with EMV. Being EMV
ready generally means the POS system has
performed an integration with a solution
which includes EMVCo certified level 1 and
2 kernels, but has not obtained an end to
end EMV certification with the card brands
(often referred to as level 3 certification).
On the other hand, systems that are live
with EMV are actively able to support EMV
transactions in a production environment.
Deploying systems that are not yet EMV live
can be problematic for the VAR and the end
user since the end user has a higher chance
of suffering EMV related chargebacks, is a
greater target for data security thieves, and
the VAR will have more work to do in the
future to eventually convert the system from
EMV ready to live.
Payment Logistics is a
PCI DSS level 1 validated
merchant acquirer and
payment integration
solution provider.
10 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 11

Enclose • Protect • Secure
SECTION 2: PROTECTING THE GOODS
PayVue Illuminated Cash Drawer
Innovative Design for Cash Handling in
Low-Light Environments
“PayVue has made it easier to
monitor cash operations. My staff
likes it because it helps them see what
they are taking in and giving back.
This has resulted in fewer shortages,
and ultimately higher profit. It’s good
for us all.”
Ken Hoffman, Owner, Howard Street Inn
Protecting the Goods
SECTION 2: PROTECTING THE GOODS
Physical Security is an element of the POS structure that has been
embedded from the very beginning. The invention of the cash
register was predicated upon the fact that storekeepers needed
a way to protect their profits from being pilfered. Back then,
storekeepers were attempting to protect their sales earnings from
employees. Now, even though more than 34% of the $44B in retail
theft in 2014 was due to employee theft (2015 NRF Retail Study),
there are so many other “trackable” factors that contribute to profit
loss, including shoplifting (37% of profit loss in 2014), vendor fraud
(6.8% of shrinkage), administrative errors (16.5% of shrinkage), etc.
All of these causes of shrinkage can be aided by an informed and
trusted advisor, like an RSPA VAR. In this section, we’ll hear about
the strategic journey of a major retailer, and, in an effort to hearken
back to the old days of the first cash registers, learn how to help
merchants get more of their earnings into their bank accounts.
Merchant Link
Payment Gateway
Hosted, Processor-Neutral
Gateway
TransactionVault®
Tokenization
TransactionShield®
Point-to-Point Encryption
TransactionLink
EMV Solution
E-commerce Solutions
Photos courtesy of Howard Street Inn, Niles, Illinois
Pictured left to right: Ken Hoffman, Owner, Rebecca Ebert, Manager,
Sergio Torres, Owner & POS Reseller, TEEPOS, Chicago, IL
Only
of Staff Responses to a loss
prevention alarm is “meaningful”
e.g. checking the receipt or
identifying the product that
triggered the alarm.
Acquire Program
Source: Hayes and Blackwood Study
PayVue Improves:
• Transaction Accuracy and Speed
• Customer Service
• Loss Prevention Management
• Low-Light Ambiance
Ideal for
restaurants,
bars and
nightclubs
Supermarkets and grocers lose
the highest percentage of sales
to shrink, seeing an average of
3.23% evaporate, or 2.5 times
more than the industry average.
Source: Fortune Magazine
There are many causes of shrinkage, in all verticals. For
many of RSPA member customers—SMB merchants—
they can ill afford the losses that shrinkage causes. If
you’re not selling security options outside of the POS, in
what ways can you start that overall security conversation
with your customer? Should you be thinking about video
surveillance options? Are there new mobile applications
that allow them to monitor on-the-go?
Trying to keep up in the
changing world of payments
can feel like another full-time
job – adding new payment
types, protecting cardholder
data, complying with evolving
PCI and security standards, all
while trying to keep your costs
under control. At Merchant
Link, our goal is to remove the
risk and hassle of payments so
you can focus on your business.
Contact us today to learn more
866.853.3845
www.merchantlink.com
An ISO 9001 Certified Company
www.mmfpos.com | 800.769.1954
For more information visit: www.mmfpos.com,
www.howardstreetinn.com and www.teepos.com
www.GoRSPA.org
connect 13

SECTION 2: PROTECTING THE GOODS
SECTION 2: PROTECTING THE GOODS
Editor’s note: We often get requests from RSPA
VAR members for more insight on what drives retail
technology purchasing decisions from the end user
angle. The inclusion of the following article is part of
our response to that request. William Titus was the
longtime vice-president of loss prevention at Sears
Holdings Corporation. While his company is not the
size that most of our members serve, the strategy he
used to apply technology in his overall loss prevention
strategy is one that can be replicated with a merchant
of any size. This article has been republished, with
permission from LP Magazine. The original article,
and other loss prevention insights (from the end
user’s perspective) can be found at the LP Magazine
website: www.losspreventionmedia.com
Digital Journey Leveraging New
Technology in Loss Prevention
By: William M. Titus
Imagine walking into a location for a visit. As you
sip your morning coffee, you pull up the store’s
current performance from your iPad or tablet PC.
At a glance you have all the vital statistics and
performance trending information you need.
As you enter the store, the tablet’s GPS identifies
your location and sends you three alerts that require
your immediate attention. During your visit you identify
possible signs of theft, so you pull the IP-video CCTV
feeds from your tablet and review the footage.
A week later you complete a follow up visit from
two states away via video-chat from your tablet.
Do these ideas sound like some far-fetched dream of
a future loss prevention organization? They are not.
This is the present at Sears Holdings.
While our customers are accessing Shop Your
WaySM special member offers from their mobile
devices, our Sears and Kmart loss prevention teams
are using similar devices to dynamically access
performance rankings, theft statistics, outlier reports,
and a vast array of other data, reports, and charts that
visually demonstrate the risks and relative “health” of a
given store location, district, or region.
As our economic and technological landscapes
have changed, so has the loss prevention industry.
More often, loss prevention and retail in general are
being challenged to do more with less. How can
we drive profit while mitigating risk and improving
performance? Our strategy at Sears Holdings has
always been to empower our teams with technology
that helps them increase efficiency and make informed
decisions.
Right: The external
dashboard allows
the user easy
access to review not
only external-theft
performance, but it
also provides quick
access to narratives
and exceptions. The
field teams can now
quickly validate case
procedures and
ensure each report is
written correctly.
Technology Is a Journey
We started on what we call our “digital journey”
over five years ago with a series of incremental
steps aimed at leveraging the emerging technology
landscape. At the time we had no idea smart devices
were the end game, but we knew that to stay
competitive, we needed to be prepared for the future.
Every time we’ve considered implementing
new technology, our first step has always been to
review our current processes and ask ourselves three
questions:
• Can we eliminate this process or task?
• Can we centralize this?
• Can we automate it?
We call this process “task modernization.” From our
first web-based applications to our current mobile
solutions, our vision has always been to leverage
systemic and technological advances that deliver the
highest value to the enterprise. This digital journey is
not about technology for technology’s sake; it’s about
giving our professionals a competitive advantage in
understanding their business and making informed
decisions.
Investing Strategically
The demands of end users have continually
exceeded network infrastructures, but as quickly as
network providers can meet demands, consumers and
developers create new ones. This cycle of evolution
continues throughout the landscape—IP phones have
replaced traditional landlines, smartphones have
replaced cell phones, online video has replaced video
rental stores, e-books have replaced book stores, and
we all know what happened to the music industry.
Consumers have even connected their homes
to control everything from their alarms to their
thermostats via smartphone. With so much change in
technology, how can the loss prevention industry keep
up?
Our first priority has been to invest in data.
From collecting data about theft to census data to
enhance environmental risk models, our ability to make
actionable decisions based on business results, trends
and outlier activities consistently results in the greatest
payback. Similarly, we constantly challenge ourselves
to better manage our data and improve the delivery
method to end users. The focus is to make our teams
more agile and prepared with actionable information.
We’ve always believed that knowledge is power, and
our technological investment decisions reflect that
philosophy.
We began our journey years ago by transferring our
data from a myriad of spreadsheets and disparate
sources to a uniform data storage platform. This paved
the way for the establishment of key metrics on our
business and a means for developing goals and rating
mechanisms for our locations.
Our latest investment in a business intelligence
platform has allowed us to standardize and optimize
reporting on key areas of loss prevention, such as
theft, shrink, labor utilization, and investigations, as well
as non-LP-related areas, such as sales, financial, and
pricing.
We’ve taken advantage of the explosive growth in
mobile computing by equipping our field personnel
with iPads, giving them access to data via a quick swipe
of a finger that might have required hours to compile in
the past.
It Pays to
Partner with Us
Be Proactive
Payments security is too important to be ignored. We’re here to help simplify it for you and your customers
with resources, technology, and tried and true strategies for guarding against security threats. From EMV,
tokenization and encryption, to PCI assistance and breach protection, Vantiv Integrated Payments has a solution
for every payment security need.
Security is our priority.
We offer incentives for partners who practice secure behaviors, and make it affordable for merchants to
implement secure technologies for their business. Together we can help merchants avoid becoming a data
compromise statistic.
Partner with Vantiv Integrated Payments for total peace-of-mind payments.
Learn more at: info.mercurypay.com/security-pays
14 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 15

SECTION 2: PROTECTING THE GOODS
SECTION 2: PROTECTING THE GOODS
We invested the better part of a year preparing
our infrastructure for the new devices:
• We updated our existing web applications to
properly render on the new screens.
• We built iOS applications to truly take advantage
of all the capabilities of these devices, such as the
accelerometer, GPS, and touch navigation.
• We built mobile device management (MDM) profiles
specific to our team’s needs to manage application
deployment.
• We invested in a team of professionals who created
visually insightful charts and reports that allow
field personnel to instantly view trends over time,
performance to goal, and performance relative to
peers.
Our Journey Continues
We are busy developing models to help us explain
the past and predict the future. We’re able to
implement those models through our business
intelligence platform to create scoring algorithms,
cluster algorithms, and regression-based metrics.
This sets the stage for even greater peer-to-peer
benchmarking, outlier analysis, and forecasting
methodologies.
Giving our field teams the ability to “analyze on the
fly” has provided a real return on investment for our
LP enterprise since deployment five months ago.
Some key advantages we are realizing here at Sears
Holdings include the following:
• Store visits that used to take a full day are now
completed in a few hours, often allowing managers
to visit multiple stores in a day.
• Everyone in the company has access to the
same information, allowing for true transparency in
reporting and alignment of goals.
• Managers can consistently drive key behaviors
by ensuring the most important aspects of
performance, such as compliance, meeting notes,
and case performance, are covered during every
visit.
• Access to store outliers and the ability to dive
deeper into results allows our team to work almost
exclusively from the iPads.
• Access to our IP-video CCTV allow our teams
to easily review video from their mobile devices
without having to be in store.
Redefining Talent
To improve the science of data, we have
added statisticians to our team. To enable agility and
speed in our product creation, we now have dedicated
developers inside our LP organization. To manage
our infrastructure and integrate with IT, we have team
members with backgrounds in data architecture,
project management, and systems. To combat the
modern day thief who wields a computer instead of
a lined bag, we have an experienced online fraud
team. Our investigators are skilled in SQL and other
query tools.
The traditional loss prevention roles within
the corporation have changed. Making streamline
simplified technology available to our field teams
involves a complex team of players who spend their
day analyzing consumer and criminal behaviors,
both in-store and online. At the corporate level we’ve
created new teams, such as:
• LP Systems and Technology works as our liaison
between LP and IT to ensure we are involved in
system changes, infrastructure upgrade, and have a
voice on new company initiatives, including mobile
checkout, loyalty promotions, and so forth.
• LP Business Intelligence works to design and
develop new mobile and web applications and
reports for our field and corporate users.
• LP Analytics works on researching and
developing new performance metrics and
predictive models to gain insights from our data
and performance. e-Commerce/Payment Systems
teams are an integral part of investigations, scouring
millions of online transactions annually.
The same kinds of transformations are also true
for our field teams. Traditional security roles are still
vital, but we’ve also adjusted our core competencies
to include a Digital Innovator section. This new section
helps us identify competencies, such as forward
thinking, early adopters, computer literacy, and
systems knowledge.
From our web applications to our mobile solutions, we
have always held the belief that when the content
experts—in our case, loss prevention—are responsible
for application design, the end user always wins.
We currently design and develop our own mobile
apps, which have allowed us to reduce the time to
deployment considerably. Additionally, having teams
who work with loss prevention and safety data daily
allows them to build up expertise and anticipate the
needs of the end user.
The Future
What we have developed thus far should only
be considered our beta version. We are continually
reiterating and refining our existing dashboards and
audits to be smarter. At this point we have provided
our store teams with faster customized access to
information.
Our next challenge is to build enhanced
automation, alerts, and scheduling into our various
systems. Building on the concept of intelligent
reporting, we will develop a calendar app to help our
teams schedule the most important tasks and improve
time management. We are building “smart audits” to
manage which questions are asked in each store,
based on each store’s specific opportunities. More
importantly, we are integrating our various systems into
a single core application to drive greater efficiency.
Whether you’re accessing POS exceptions, financial
reports, CCTV, or training programs, everything our
teams do will be seamless and integrated. Whether
the next device innovation takes the form of a wrist
watch or some type of virtual heads-up display,
it is certain technology will continue to evolve. Be
prepared to say goodbye to your PC and your laptop.
Eventually, tablets will go the way of the VCR, but you
can be sure whatever replaces it will be connected and
mobile.
After all, it’s a journey, not a destination.
©2015 LP Magazine
16 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 17

SECTION 2: PROTECTING THE GOODS
SECTION 2: PROTECTING THE GOODS
Take it to the Bank
By: Anne Gray
How would your customers react if you “increased”
their cash revenue by 25%?
During college, my summers were spent working
at a lakeside resort. One day the owner sent
me, in her MG convertible, top down through
the Paso Robles hills to make a bank deposit.
I took the deposit bag she’d left on her desk and
headed off. The deposit was significantly short.
Someone had been in the zippered pouch before
me, knowing it was not secure. If she’d had a tamperresistant/evident
deposit bag she’d be richer today.
As POS experts, our world revolves around a
microcosm of payment software and terminals, printers
and cash drawers. Everything that touches the pointof-sale.
A lot to keep up with in an Internet of Things
“IoT” world.
With all the great opportunities IoT brings, it’s also
brought security breaches, fraud and theft. All of which
are eating into merchant profit. Bringing us incredibly
delicate issues as well, like the debate between the
F.B.I. and Apple® over iPhone® access and encryption.
As a result, your ability to protect customers lost
revenue becomes harder.
Your focus may only be at the point-of-sale. Or
perhaps you’re a Managed Service Provider (MSP).
Either way you can help your customers take more of
the money they’ve earned to their financial institution.
This
article
focuses on
reducing back cash
room and bank or credit
union deposit theft. Looking
at your customer’s business from
what happens after revenue leaves
the point-of-sale. The “other part” of the
revenue cycle, to reduce the roughly 25%
being lost today.
Merchants want sales and profit. The point-of-sale is the
starting point. The finish line? The bank or credit union.
Yet, according to the 2015 US Retail Fraud Survey,
26% of theft comes from employees stealing cash. *
Therefore, it seems merchants are only taking 75% of
that revenue to a financial institution or have it available
for operating funds.
Some of the below solutions are available from your
valued distribution partner. Others you might just want
to recommend. They may not yield enough revenue
for you to offer directly.
Back Room/Cash Office
Currency and Coin Counters: Save time creating start
funds and closing, but also help insure an accurate
count of what you really have available.
Locking Till Covers: Useful for securely transferring
funds from the point-of-sale to the cash room, but also
for securing till contents while stored there.
POS Safes: More popular in Europe, but also deployed
in the US, these safes have tremendous advantages.
They are relatively small and can be discreetly
mounted under-counter. Saving valuable counter space
as well as reducing theft.
At the point-of-sale, high denomination notes are fed
into tamper-resistant and evident pouches. They are
taken directly to the cash room safe and finally to the
bank or credit union. No intermediate count is needed.
These safes are available with few bells and whistles
or complete with options such as counterfeit detection,
electronic audit trail and real-time data capture. From
the safe’s pouch to the bank or credit union. Saving
time while reducing theft. Sounds good to me!
Cash Room Safes: Utilizing a commercial safe for cash
storage, envelope drops and till sweeps is a simple
and secure way to deter internal and external theft.
Cash and Coin Recyclers: This technology has
significant deployment in US financial institutions. It’s
in the “Early Adopter” phase for retail markets due to
relatively high cost and ROI hurdles, a large footprint,
and limited understanding of the value they offer.
Recyclers store cash and coin in a secure safe with
limited access. They accept and dispense exact
amounts required—hence the term “recycler”. Most
with over 99% accuracy. Many are UL291 approved for
24 hour Level 1 storage.
The benefits are immense. Opportunities for theft, trips
to the bank, related commercial fees and armored car
or cash-in-transit “CIT” visits decline.
Beyond theft, operating funds can be managed more
efficiently. Also, depending upon the safe’s security
rating, financial institutions may treat the cash recycler
as a "second vault." Daily credit is given without the
need for physical deposits. Considerable advantages,
including preventing theft.
Smart Safes: These safes have many of the same
benefits that you get with a cash recycler. They are
“smart” because, as mentioned above, they are often
linked to a financial institution and if you use one, your
CIT. Again, daily credit is given without a trip to the
bank or credit union.
payments, but also for immediate short-term storage
of cash and coin, left behind customer credit cards and
other valuables. With this option you can place them in
the locked compartment temporarily until they can be
transferred to a secure location.
Look for inboxes or monitor stands with key-lock
compartments. But remember, they are not a secure
place for longer-term cash storage.
Employee Zippered Pouches: Provide clear “purses”
for cell phones, cash and other personal items. This will
help avoid situations where purses or backpacks find
their way anywhere cash and coin is used or stored.
Finally, do not forget the importance of sound cash
counting data validation which can catch mistakes and
fraud. Whether using a more manual process or an
automated one, an employee intent on stealing often
finds loopholes that good data validation can uncover.
Financial Institution Deposits
Single Use Deposit Bags - Tamper-resistant and
tamper-evident security features make attempts at,
or actual theft recognizable. Many are simple. Others
detect attempts to gain access through heat, cold,
chemical, and seam tampering.
Reusable Deposit Bags - Again with tamper-resistant
and tamper-evident security features they come in
various sizes with simple or complex combination or
key lock systems.
In closing, you can do a lot to help generate profitable
growth for your customers by helping them keep that
“25%”. Money that belongs to them and could be used
for building improvements, advertising and promotions,
or for improved EBIDTA. For hiring the best employees
they can afford. Or for POS enhancements that you
can offer.
Roughly 95% of all US businesses experience
employee theft. ** Whether you offer these theftreducing
solutions directly or simply bring them to your
customer’s attention, you come out a winner.
What would your customers say if you could “increase”
their bankable cash revenue by 25% though theft
reduction?
*US Retail Fraud Survey, 2015
** http://www.allfoodbusiness.com
Opportunities for internal and external theft are greatly
reduced. However, as with recycling technology, the
cost and ROI may be out of reach for many merchants.
For many, it’s definitely worth exploring.
Key Control: In addition to dual control cash
drawer lock options, effective key control prevents
unauthorized access to POS and other areas where
money is stored. From complex two-tag systems to
simple locked key portfolios, options exist for all needs.
of retailers increased
their loss prevention
budget for 2015
(Source: NRF Retail Study)
Locking Organizers: Useful not only for personal
items like cell phones, wallets, and outbound vendor
18 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 19

SECTION 2: PROTECTING THE GOODS
POWERED BY
SCANSOURCE
SECTION 2: PROTECTING THE GOODS
DEVELOPER PARTNER SECURITY CHECKLIST
SECURE. SIMPLE. AFFORDABLE.
Editor’s Note: As the Digital Journey Leveraging New Technology
in Loss Prevention article recounted, the importance of having
mobile capabilities and technological flexibility is paramount for
loss prevention professionals, as well as retailers in general. When
partnering with a developer, make sure you’re asking how secure
their platform is so that when it is installed at a merchant site,
security will never be compromised!
insight provided by
David Gudjonsson,
CEO and Co-Founder of
Handpoint
MERCHANT CHALLENGES
• Data breaches are forcing
improved security processes
• Increased liability around
card data breaches
• Difficulty knowing which
solutions are most effective
SCANSOURCE SOLUTIONS
• Provide total POS offerings that
include payment terminal hardware
• Offer complete configuration
and key injection services
• Help navigate the complexity
of payments offerings
800.944.2432 X4219 | SCANSOURCEPOSBARCODE.COM/PAYMENTSOLUTIONS
What are 3 questions you suggest that VARs ask a developer partner
about data security/cyber security before they decide to partner with
them?
☐ DG ☐What kind of solution and provider are you using for EMV?
☐☐Is your solution / provider using an encryption?
☐☐
How us (VAR) is deployment with access and to TMS key injection and remote handled? config Do tools?
you provide
What are some of the precautions you’ve taken to ensure that your
platform is secure before the merchant even installs your product?
Handpoint is built from the ground up to completely abstract payments
DG
from the point of sale and deliver a secure payments solution for
merchants of all sizes. We built our proprietary payment application to
meet all of the PCI-P2PE certification requirements, and we host it within
the tamper proof environment of the card reader, providing multiple levels
of encryption from the instant a card is tapped, dipped, or swiped. No
sensitive information touches the merchant’s systems with our out-of-scope
architecture, and our PCI-DSS platform provides a secure switch to a range
of global processors. We also built a remote terminal management system
to keep merchants secure over time—our terminals stay up-to-date with the
latest security feature with zero merchant effort and lost devices can be
deactivated remotely. Together, the Handpoint solution keeps customer data
secure end-to-end and over time.
Quick poll: P2PE or E2EE? Why?
I N -S TO C K
I N V ENTO RY
TEC H N I C A L
S U P P O RT
WO R LD - C L A S S
LO G I S TI C S
DG
Both. P2PE to the secure decryption point and full E2EE to the
processor. P2PE simplifies the key management for the merchant side.
With E2EE the merchant might need to handle encryption keys itself.
For more information, visit www.handpoint.com
20 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
Payment Solutions Suite Ad 316.indd 1
3/9/16 9:08 AM
connect 21

SECTION 3: SECURING THE PAYMENT
SECTION 3: SECURING THE PAYMENT
Security in the
cloud
Securing the Payment
Without a doubt, the biggest acronyms this year in data/payment
card security have been PCI, QIR, and EMV; EMV made the biggest
splash in 2015, with the US EMV liability shift deadline of October
1. But with slow adoption by merchants and consumers, along
with certification delays, EMV was a timeworn subject by the end
of Q1 2016. However, never a topic to lay dormant, payment card
security’s hottest topic for RSPA VARs in Q1 came in the form
of six letters: PCI QIR. With a new mandate by VISA for all level
4 merchants—who want to accept VISA cards—requiring those
merchants who use third parties for POS application and terminal
installation and integration to engage only PCI QIR professionals
looming, QIR quickly became both the topic of conversation and a
top priority among RSPA members in 2016's first quarter. (See page
26 for more details.)
$75,000
average cost to
a restaurant for
a data breach
Source: Heartland Payment Systems
of restaurants
number of restaurants that
will suffer a breach event
within the next two years
Source: Heartland Payment Systems
Source: Heartland Payment Systems
will go out
of business
within one
year of a
breach.
These are restaurant
stats, but the statistics on
costs of data breaches for
merchants are staggering.
How can you leverage
statistics such as these to
help you close a deal with
a merchant who’s in need
of upgrading their data
security protections?
70
MILLION.
It’s more than
a big number.
It’s a big
opportunity.
Discover
Network
delivers over
70 million
loyal
cardholders * to
businesses in
185 countries
around the
world.
Welcome to
buying power
on a global
scale.
Welcome to
Discover. ®
DiscoverNetwork.com
© 2015 DFS Services LLC
*Nilson Report #1033, January 2014
22 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 23

SECTION 3: SECURING THE PAYMENT
SECTION 3: SECURING THE PAYMENT
PCI Changes Date for Migrating from SSL and Early TLS
By: PCI Security Standards Council
As noted in our initial
post in December
2015, the Council
officially extended
the migration completion
date to 30 June 2018 for
transitioning from Secure
Sockets Layer (SSL) and
Transport Layer Security (TLS)
TLS 1.0 to a secure version of
TLS (currently v1.1 or higher).
This supersedes the original
dates issued in both PCI
Data Security Standard v3.1
(DSS 3.1) and in the Migrating
from SSL and early TLS
Information Supplement in
April 2015. While the date
has been changed to help
resolve business relationship
and customer issues, it is not an excuse to delay
addressing vulnerabilities. To best protect your data
and your customers, we encourage all organizations to
migrate as soon as possible and remain vigilant.
To help you better understand what this means for you,
we’ve put together the below information including
updated timelines, requirements and reasons for the
adjustments. We encourage you to share this with your
customers and business partners.
How Big is the Risk?
The vulnerabilities within SSL and early TLS are serious
and left unaddressed put organizations at risk of being
breached.
Q: Why change the original date for SSL included in
PCI DSS v3.1?
A: For more than 20 years Secure Sockets Layer (SSL)
has been one of the most widely-used encryption
protocols. It remains in widespread use today despite
existence of a number of security vulnerabilities and
being deprecated by NIST in 2014.
According to NIST, there are no fixes or patches that
can adequately repair SSL or early TLS. Therefore, it
is critically important that organizations upgrade to a
secure alternative as soon as possible, and disable any
fallback to both SSL and early TLS.
In April 2015, after extensive marketplace feedback,
PCI SSC removed SSL as an example of strong
cryptography from the PCI Data Security Standard
(PCI DSS) version 3.1, stating that it can no longer be
used as a security control after 30 June 2016. During
the implementation period of PCI DSS 3.1, PCI SSC
continued to seek feedback from the market, and has
now revised and updated sunset dates.
The new date of June 2018 offers additional time to
migrate to more secure protocols, but waiting is not
recommended. The existence of the POODLE and
Heartbleed exploits, among others, prove that anyone
using SSL and early TLS risks being breached.
Q: What is the PCI Standards Security Council doing
next?
A: PCI DSS v3.1 will be updated in 2016. Information
supplements and additional guidance will also be
updated at this time.
Understanding the Risk
Q: What is SSL/TLS?
A: Transport Layer Security (TLS) is a cryptographic
protocol used to establish a secure communications
channel between two systems. It is used to
authenticate one or both systems, and protect the
confidentiality and integrity of information that passes
between systems.
Q: What are the SSL/TLS Vulnerabilities?
A: Because of its widespread use online, SSL and
TLS have been targets by security researchers and
attackers. Many vulnerabilities in SSL and TLS have
been uncovered over the past 20 years.
Q: What are the different classes of vulnerabilities?
A: Protocol Vulnerabilities: There are many!
Cryptographic vulnerabilities in either the SSL/
TLS protocol itself, or in how it uses cryptographic
algorithms. e.g., POODLE, BEAST, CRIME.
Implementation Vulnerabilities: Vulnerabilities in
TLS software. E.g., Heartbleed’s Buffer over-read
vulnerability in OpenSSL.
Configuration Vulnerabilities: e.g., weak cipher suites
or key sizes. Logjam attacks using export-grade
cryptography.
Q: What are the impacts of vulnerabilities?
A: Loss of confidentiality or integrity: Many of the
attacks, particularly protocol vulnerabilities, allow for
Man-in-the-Middle attacks allowing an attacker to
decrypt sensitive information.
Loss of cryptographic keys: In some of the most serious
cases, vulnerabilities could allow an attack to steal
long-lived cryptographic keys.
Q: Who is most susceptible to SSL vulnerabilities?
A: Online and e-commerce environments using SSL
(and early versions of TLS) are most susceptible
to the SSL exploits and attacks and should be
upgraded immediately. With that being said, the PCI
DSS migration date of 30 June 2018 applies to all
environments (except for Point of Interaction (POI)
environments as stated above).
Q: What you can and should do now?
A: Migrate to a minimum of TLS 1.1, preferably TLS 1.2.
While it is possible to implement countermeasures
against some attacks on TLS, migrating to a later
version of TLS—notably TLS 1.1 and TLS 1.2—is the only
reliable method to protect yourself from the current
protocol vulnerabilities.
Patch TLS software against implementation
vulnerabilities. Implementation vulnerabilities, such
as Heartbleed in OpenSSL, can pose serious risks.
Keep your TLS software up-to-date to ensure you
are patched against these vulnerabilities, and have
countermeasures for other attacks.
Configure TLS securely. In addition to providing
support for later versions of TLS, ensure your TLS
implementation is configured securely. Ensure you’re
supporting secure TLS cipher suites and key sizes,
and disable support for other cipher suites that are not
necessary for interoperability. For example, disable
support for weak “Export-Grade” cryptography, which
was the source of the recent Logjam vulnerability.
Q: If my payment terminals (POIs) use SSL or TLS 1.0 for encryption, do I
need to replace my payment terminals?
A: Not necessarily. POIs are currently not as susceptible to the same
known vulnerabilities as browser-based systems. Therefore, after 30 June
2018, POI devices (and the termination points to which they connect) that
can be verified as not being susceptible to any of the known exploits for
SSL and early versions of TLS may continue to use SSL / early TLS
If SSL/early TLS is used, the POIs and their termination points must have
up-to-date patches, and ensure only the necessary extensions are enabled.
Additionally, use of weak cipher suites or unapproved algorithms—e.g.,
RC4, MD5, and others—is NOT allowed.
Q: Who can verify my POIs meet the above characteristics?
A: Entities may contact the terminal vendors directly for evidence
or attestation that payment devices are not susceptible to known
vulnerabilities. Entities may also consult with knowledgeable security
professionals to obtain verification. The verification will need to occur any
time a new SSL/TLS vulnerability is discovered, and organizations will
need to remain up-to-date with vulnerability trends to determine whether
or not they are susceptible to any known exploits. New threats and risks
must continue to be managed in accordance with applicable PCI DSS
Requirements, such as 6.1, 6.2, and 11.2.
Q: Do all POIs use SSL for encryption?
A: No. Newer payment devices should already be using secure protocols
such as TLS version 1.2. Check with the terminal manufacturer or terminal
documentation to understand what level of encryption your particular POI
uses. If a device does not need to support SSL/early TLS, disable both use
of and fallback to these versions.
Q: My ASV scan is flagging the presence of SSL and my scan is failing.
What should I do?
A: Prior to 30 June 2018: Entities that have not completed their migration
should provide the ASV with documented confirmation that they have
implemented a Risk Mitigation and Migration Plan and are working to
complete their migration by the required date. Receipt of this confirmation
should be documented by the ASV as an exception under “Exceptions,
False Positives, or Compensating Controls” in the ASV Scan Report
Executive Summary.
After 30 June 2018: Entities that have not completely migrated away
from SSL/early TLS will need to follow process outlined in the ASV
Program Guide section entitled “Managing False Positives and Other
Disputes” to confirm the affected system is not susceptible to the
particular vulnerabilities. For example, where SSL/early TLS is present but
is not being used as a security control (e.g. is not being used to protect
confidentiality of the communication).
To read the entire article, scan the QR code or
visit www.GoRSPA.org/Newsroom.
Re-printed with permission from the PCI Security Standards Council ©2016
18 months after the Heartbleed vulnerability was
announced, it was reported there were still
200,000+
VULNERABLE DEVICES
on the internet.
Do you have
the right partner
to help your
business grow?
The Stanchion suite
of retail IT bears all
of NEC's highest
standards to help
your commerce
succeed tomorrow,
the next day and
years to come.
Hardware. Software. People.
contact us at: retaildirection@necam.com
© 2015 NEC Corporation of America. All rights reserved. NEC and
NEC logo are trademarks or registered trademarks of NEC Corporation
that may be registered in Japan and other jurisdictions.
24 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 25

SECTION 3: SECURING THE PAYMENT
SECTION 3: SECURING THE PAYMENT
New POS Security Requirements Affect Industry Partners
By: Paul St. George
ONE SIMPLE PAYMENT INTEGRATION WITH
Retail businesses are
constantly under attack
by cybercriminals trying
to steal payment card
data—and in some cases,
retailers are making it easier
for hackers to succeed. In fact,
credit card company Visa has
found that improperly installed
POS applications and merchant
payment devices create the
conditions hackers like to exploit
to steal information.
That’s why the financial services
giant is pushing merchants,
payment application developers,
POS system integrators and
resellers to comply with security
requirements designed to combat
the threat of hacker attacks. Visa
has set a deadline of March 31 for
small merchants to meet a set of
requirements that restricts who
they can buy POS technology
from.
As of March 31, all new Level
4 merchants (owner-operated
retail locations of franchise or
corporate organizations) must
use only Payment Card Industry
(PCI)-certified QIR resellers and
integrators for the installation and
integration of POS applications
and terminal installations. Also,
as of Jan. 31, 2017, all Level 4
merchants must validate full PCI
DSS compliance annually.
Requirement Revisions
As the March deadline looms,
it’s important to know that the
Payment Card Industry Security
Standards Council (PCI SSC)
has eased QIR requirements.
Changes to the requirements,
which had caused some concern
among solution providers, include
condensing the QIR agreement
(from 12 pages to less than
three) and requiring only one
employee per company—or a
sole proprietor—to qualify for QIR.
The previous requirement called
for two qualified employees.
This easing of requirements
should remove some of the
obstacles for POS solution
providers to earn their QIR
certifications. While the mandate
may feel like a burden, integrators
and resellers should look at it this
way: Visa is effectively forcing
merchants to work with the best
qualified providers to ensure
retail operations have properly
designed and installed systems
with the security they need to
protect themselves and their
customers.
For you, our partners, QIR
certification brings some real
benefits. Qualified providers
stand to expand their businesses
with existing customers, win new
customers and boost revenue. So
if you don’t have QIR certification
yet, it’s time to start the process.
Learn more about the process
by visiting the PCI site, or by
contacting RSPA for more
information.
3/15/16 UPDATE:
(NEW) Effective 31 March 2016,
acquirers must communicate
to all Level 4 merchants that
beginning 31 January 2017, they
must use only Payment Card
Industry (PCI)-certified Qualified
Integrators and Reseller (QIR)
professionals for point-of-sale
(POS) application and terminal
installation and integration.
Effective 31 January 2017,
acquirers must ensure that
Level 4 merchants using third
parties for POS application
and terminal installation and
integration engage only PCI QIR
professionals.
Effective 31 January 2017,
acquirers must ensure Level 4
merchants annually validate PCI
DSS compliance or participate
in the Technology Innovation
Program (TIP).
EMV LEVEL 3 CERTIFIED
LOGISTICS
When you integrate your POS application with Paygistix, you gain a partner who handles the
configuration, testing, deployment, end user setup and ongoing support associated with adding a
payment device to your system - freeing you up to focus on what you do best.
BENEFITS
Add immediate support for EMV & NFC
Remove POS application from scope of PA-DSS & PCI DSS
Connect to multiple major processing networks
Maximize ROI with competitive revenue sharing options
The QIR (Qualified Integrators and
Resellers) designation is issued
to solution providers that have
received training and qualification
on the secure installation of
Payment Application Data
Security Standard (PA-DSS)-
validated payment in compliance
with the PCI Data Security
Standard.
Visa’s new requirement affects
merchants and their POS
suppliers alike. If, as a reseller
or integrator, you have yet to
earn QIR certification, you’ll be
excluded from a lot of business
opportunities going forward.
More than 1/3 of consumers reported
they ignored data breach notification
letters, taking no action to protect
themselves from fraud.
Source: 2014 Ponemon Institute Study
FEATURES
• Traditional Tip Adjust on EMV sales
• PIN Bypass
• Online Signature Capture
• Pay at the Table
• Tokenization
DEVICES
• ISV / VAR End User Billing
• P2P Encryption
• Recurring Billing
• Customer Interaction Platform
• Real-time Transaction Management
888.472.9564 | paymentlogistics.com
26 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 27

SECTION 3: SECURING THE PAYMENT
SECTION 3: SECURING THE PAYMENT
Security Resources
Available 24/7 for RSPA Members
Start with our website
RSPA is committed to helping you gain the knowledge
you need to be successful in your business, especially
when it comes to the security solution area of your
business. There are several resources available to you
with regard to payment card security.
A data breach can be a merchant’s
worst nightmare, especially those
SMB merchants. Solution providers
can often be the voice of calm during
the storm.
Do you know how to advise your customers
if a breach occurs? This infographic from
RSPA member Netsurion gives you 10 steps
you can follow to advise and help your
merchant if a breach happens:
Click on our “Knowledge” banner, and you’ll find RSPA’s EMV Central.
Consider this one of your business’ key resources on EMV. One of its
most important features is the RSPA’s EMV Integrated Solutions Grid.
Want to know which Integrated and Semi Integrated EMV solutions are
available? Make the grid your first stop. Looking for training resources
for your team or your end users? EMV Central has videos, webinars,
whitepapers, articles, handouts, and more to help you stay informed and
educated about the ongoing EMV rollout.
In the “Join” section, you’ll be able to access those legal document
templates mentioned on page 8. Remember, you’ll need your Member
username and password to access.
Contact RSPA Education at Education@GoRSPA.org
The RSPA Education team is constantly working to collect new and useful
information for RSPA members. If you’re interested in getting PCI QIR
certified at a significant discount for RSPA members (available only until
the end of April), please email us at Education@GoRSPA.org.
We’ve also recently held a webinar, hosted by RSPA’s Certification Lead,
Ashley Naggy. The Nuts and Bolts of PCI QIR Certification featured tips
for success on examination prep from two newly QIR certified RSPA VAR
members. Check out a recording of this webinar in our Education 24/7
library: www.GoRSPA.org/Education.
Check out the RSPA Webinar series, including our on-demand
webinars
Speaking of our webinars, we have featured security topics of all types in
our bi-monthly webinar series. You can always find the schedule/register
for our webinars on our website. We also archive all webinar broadcast
recordings on our www.GoRSPA.org/Education site.
Take RSPA’s PCIwise Course
Are you looking for a rigorous course that will prepare your team with
a crash course on PCI Compliance? Look no further than RSPA’s own
PCIwise course! 7 courses (all approximately 1 hour each) are available
FREE to all RSPA members, and accessible 24/7. Upon completion of the
course, a certificate of completion is issued. Contact RSPA Education to
get access to this course: Education@GoRSPA.org.
44
people
completed
7hours
of coursework
in 2016...
and scored
over 90% on
136
test questions
28 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 29

SECTION 3: SECURING THE PAYMENT
See Past The Storefront...
SECTION 3: SECURING THE PAYMENT
DEVELOPER PARTNER SECURITY CHECKLIST
SYNNEX STORESolv can help you grow your education, IT, or network business
by offering complete POS/AIDC solutions.
And we don’t stop there:
• Eliminate POS complexity for retail customers
• Help retailers react quickly to sales trends
• Become the MSP your retail customers need
• Offer complete POS solutions
PHYSICAL
SECURITY
POS
mmf article
PROAV
SYNNEX
TECHNOLOGY
SOLUTIONS
DIGITAL
SIGNAGE
SERVERS,
STORAGE & POWER
SYSTEMS &
SOFTWARE
WIRELESS,
NETWORKING & UNIFIED
COMMUNICATIONS
Editor’s Note: All of the Developer Partner Security Checklists
featured in this issue have provided insight from various software
developers on data security as it relates to software. As data and
cyber security become a top priority for merchants, PCI and EMV
should hold equal priority for VARs. While the customer only wants
to see the positive outcome (translation: no breaches occur), it
becomes imperative for the VAR to ask detailed questions to
ensure all aspects of systems are secure.
What are 3 questions you suggest that VARs ask a developer partner
about data security/cyber security before they decide to partner with
them?
TB
☐☐
☐☐
☐☐
Hosting Environment—Ask about the hosting environment.
Who manages it? Where? Ask about redundancy and
backup.
Customer
share information Data—What with information third parties? do Who you and store? Why?
Do you
PCI
Security Compliance—How protocols?
do you protect the data you store?
What are some of the precautions you’ve taken to ensure that your
platform is secure before the merchant even installs your product?
We do regular PCI compliance scanning to ensure our dedicated
TB
private servers remain up to par and secure. Many providers use
things like Amazon Web Services where they will not tell you where
your data is stored. In that type of environment your data could be
anywhere or even everywhere across multiple data centers. You
do not want your company in the news regarding a drive that went
missing from some data center causing a PCI breach. There are
benefits to Amazon in terms of scaling faster and savings on pay-foruse
type arrangements; however, not knowing where our data was
going to be stored was too risky for our palette. In our environment
we use dedicated private servers in fully managed data centers.
insight provided by:
Todd Burge, Chief
Executive Officer, Food
Online Ordering Systems
11 WAREHOUSES • GSA SCHEDULE • GRANT SPECIALIST • STATE CONTRACTS • SITE CONTRACTS • CLOUD SERVICES • TECHNICAL SUPPORT
Simplified POS • Data • Retail Management
CONTACT SYNNEX TODAY:
STORESolv@synnex.com | 800.456.4822
For more information,
visit www.foodonlineorderingsystems.com
Copyright 2016 SYNNEX Corporation. All rights reserved. SYNNEX, the SYNNEX Logo and all other SYNNEX company, product and services names and slogans are trademarks or
registered trademarks of SYNNEX Corporation. SYNNEX and the SYNNEX Logo Reg. U.S. Pat. & Tm. Off. Other names and marks are the property of their respective owners.
30 APRIL/MAY www.GoRSPA.org
www.GoRSPA.org
connect 31

CONNECT CONTRIBUTORS
THE ASSOCIATION YOU NEED
About Anne Gray
Anne Gray is a Senior Product Manager with MMF POS where she works with cross-functional teams
to ensure profitable growth from existing and new products. Previously, she was a Product Manager
with De La Rue (now Glory Global Systems) where she was responsible for North American banking
and retail cash-handling equipment, including cash recyclers, cash dispensers, currency counters
and coin counters. Anne’s current interests include POS trends in Nightclubs, Bars and Restaurants,
and the relationship between IoT—the Internet of Things—and POS Physical Security.
About Paul St. George
Paul St. George is the Director of Product Management for Mobile and Interface Solutions at APG
Cash Drawer. In this role, Paul focuses on cash drawer solutions that meet the needs of retailers
deploying mobile and thin-client hardware platforms. He manages a team dedicated to development
of new products and software solutions designed to meet these emerging trends.
About William M. Titus
William M. Titus is a former vice president of loss prevention for Sears Holdings Corporation. Prior
to his appointment to VP of LP at Sears, Roebuck and Co. in April 2003, Titus was senior VP of LP
and risk management at OfficeMax. He also held LP and operations management positions with
T.J. Maxx and Montgomery Ward. Titus was also a chair of the Loss Prevention Research Council
and past chairman of the National Retail Federation loss prevention advisory committee. He holds a
management and accounting degree from the University of Southern California.
NOMINATIONS FOR RSPA BOARD
OF DIRECTORS ARE NOW OPEN!
The August election will feature 2 open reseller
seats and 2 open vendor seats on the RSPA’s
Board of Directors.
To nominate yourself, or another RSPA member,
please contact a current RSPA Board Member
(www.GoRSPA.org/Board-of-Directors)
or Kelly Funk at KFunk@GoRSPA.org.
Canadian Corner
There’s still time to register!
The RSPA Canadian Community will host its first 2016 event on Thursday,
April 14th from 6-9pm at Le Place D'Armes Hotel & Suites in Montreal,
Québec. The event is open to RSPA members and non-members who are
interested in connecting with individuals in the POS ecosystem as well as
learning more about the Association.
Check out the photos below to see what you can expect!
Le Place D'Armes Hotel & Suites
For those who cannot make the journey to Montreal, save the date for
our next Canadian Community event to take place at RetailNOW® 2016 in
Grapevine, TX on Monday, August 1st.
Canadian Community Sponsors
After three successful
years of hosting
Canadian networking
events, the Community
is new to Montreal. Participation
in events held in Toronto and
Vancouver has been healthy,
and the Community—including
Co-Chairs Jacques LaPierre
(BlueStar Canada), Maureen
Chomica (Epson Canada) and
Paul Leduc (Globe POS)—is
hopeful that the 4th annual
gathering on Canadian soil
will be just as productive for
attendees. Held in conjunction
with the 2016 SIAL Canada
event, the RSPA Canada
gathering has great potential
to draw additional attendees
from Canada’s largest agrifood
industry event, which attracts
more than 850 national and
international exhibitors from 50
countries, and hosts over 15,000
buyers from Canada, the U.S.,
and 60 other countries.
Attendees for this year’s event
can expect an event primarily
focused on networking with a
short program on the value of
RSPA membership as well as
food and beverages. For more
event details and to register for
this event, you can visit
www.GoRSPA.org/Canada.
The success and growth of
this community would not be
possible without the help of
the RSPA Canadian Committee
and Community Sponsors. For
questions or to find out how to
get involved with the Canadian
Community, contact
Membership@GoRSPA.org.
32 APRIL/MAY www.GoRSPA.org www.GoRSPA.org
connect 33

THE ASSOCIATION YOU NEED
THE ASSOCIATION YOU NEED
Remembering John Lockington
RSPA Hall of Famer and Former Executive
Director of the DTSDA/SDA leaves lasting legacy
of dedication, humor
By: Amber Murdock
On February 9, 2016, the POS technology
industry lost one of its giants. John
Lockington, a 2011 RSPA Hall of Fame
inductee, and the only executive director
of the Data Terminal Systems Dealers Association
(DTSDA) and Systems Dealers Association (SDA),
passed away in Naperville, Illinois, after a short illness.
Remembered fondly as a tireless and devoted leader
in the point of sale industry, John Lockington was
considered a “man of great integrity,” declares Wayne
Williams (Co-Founder, Macro Integration Services),
who, while serving as president of the SDA, began
working with Lockington in the early 1980’s. Lockington
was the driving force behind the SDA’s annual dealer
meeting, called Advantage. The event was a “must
attend,” according to Bob Bauer, (President, BMC)
who first met Lockington in the summer of 1982. “The
education seminars and the tradeshow were all key to
the success of many SDA dealers,” Bauer adds. The
education sessions were segmented, so that a dealer
could develop team members from every department:
“There were sessions for sales people, led by sales
people and trainers in our business; [sessions for]
service people, which were led by the service leaders
in our business and leaders in the industry,” Bauer
recalls. Additionally, Business Owners and General
Managers were able to spend time reviewing best
practices and learning about future industry trends.
The Advantage event usually spanned three days, and
SDA members spent more than 15 hours each day in
education sessions, on the show floor, and networking.
All that valuable information was highly sought after—
so much so that “John stood guard at the door, to
assure that only registered attendees participated,”
recalls Bob Goldberg, RSPA Attorney and longtime
friend of Lockington.
In addition to the trailblazing Advantage event,
Lockington was an integral part of the merging of
the SDA and the ICRDA (Independent Cash Register
Dealers Association). In the spirit of what Goldberg,
Bauer and Williams consider Lockington’s devotion to
the health of the industry, Lockington could see that
the unity of two organizations with such similar goals
and interests made sense for industry growth. “John
was a proponent [of the merger],” Goldberg shares.
“He recognized the advantages even though it would
lessen his role.”
It’s that selflessness that was a hallmark trait of
Lockington’s. “John would (and did) do his best to
help anyone if they were sincere, including many onsite
visits,” says Bauer. “He did not complain about
the low pay, short staff, and long hours, he just got
the job done.” Lockington and his wife, Joan, often
had to postpone payroll for their own staff in order to
accommodate the needs of the association and the
industry. Goldberg, who hired Lockington for the SDA
position, also finds Lockington’s humility and generosity
From L-R: Bob Goldberg with John Lockington and wife, Joan.
to be quite memorable. Whether it was his commitment
to the ongoing education of dealers, or in small ways,
like interviewing for the SDA Executive Director position
while sitting on a bed in a Texas Holiday Inn hotel room,
Goldberg says that Lockington “dedicated himself to
the point of sale industry.” So much so, that he made it
a family affair: “Joan was brought on as his assistant at
the SDA after a few years,” says Williams.
While he spent so much of his time and energy giving
to the industry, Lockington is also remembered for his
kindness, loyalty, as well as his lively sense of humor.
Williams says that Lockington’s Chicago roots appeared
often: “He adopted an Al Capone or Dick Tracy
persona at times,” laughs Williams, while remembering
his friend’s light-hearted nature. “But it was all in jest.”
Goldberg remembers affectionately the trip back to
Illinois from the Texas SDA interview: Lockington’s
cleverness even cheered up a harried flight attendant.
“John told her he could make her laugh and she just
frowned,” he recalls. “John then cut out chicken feet
from paper and placed them down the aisle. The flight
attendant laughed long and loudly. I appreciated the
free drinks.”
Without a doubt, the groundwork Lockington laid with
the SDA Advantage conference created the foundation
of today’s RetailNOW®. His unswerving pursuit of
success for the industry through his direction of the
SDA as well as his mentorship of up-and-coming
professionals (like Bauer) echo in today’s RSPA, with
many of his mentees carrying the torch he lit many
years ago, in the days where a staff of two worked to
provide resources for a growing and evolving industry.
John Lockington, Navy veteran, POS industry
champion, committed association executive, RSPA Hall
of Famer, and loving family man leaves behind his wife
and soul mate, Joan. She notes that her husband was
“strong to the end, even though the pain was severe.”
His perseverance and strength, until the end, is
certainly a loss for the POS industry in general, but for
those who knew him well and had experienced working
with him, the loss is devastating. “It is impossible to
calculate John’s contributions to the channel and our
industry,” says Bauer. “Goodbye, my mentor and friend.
We’ll miss you.”
APRIL 2016
CALENDAR OF EVENTS
10-13
14
19-21
Synnex Varnex
Conference
Dallas, TX
RSPA's Canadian
Community Event*
Montreal, QC
TRANSACT16*
Las Vegas, NV
MAY 2016
CALENDAR OF EVENTS
16-18
16-18
Shoptalk*
Las Vegas, NV
Toshiba Connect
Las Vegas, NV
JULY 2016
CALENDAR OF EVENTS
31
RSPA's
RetailNOW® 2016*
Grapevine, TX
(through August 3)
* indicates RSPA presence at event.
Have an event you’d like other RSPA members to
know about?
Submit to us (at least 6 weeks in advance) at
Publications@GoRSPA.org.
34 APRIL/MAY www.GoRSPA.org www.GoRSPA.org
connect 35

R
CONNECT MAGAZINE
2016
July 31 - August 3
Gaylord Texan Resort & Convention Center
Grapevine, TX
RetailNOW 2016
Event Sponsors
33+
Education
Sessions
2000+
Attendees
170+
Exhibitors
A very special thanks to all our
Package sponsors, visit them at
www.GoRSPA.org/Our-Sponsors
Registration Opens May 2016
Learn More | www.GoRSPA.org/RetailNOW
connecting the Point of Sale technology ecosystem
36 APRIL/MAY www.GoRSPA.org