Thursday, January 15, 2009

MC Discounts Charges "Interchange is Way Too High"

In an attempt to dispel myths regarding Interchange, MasterCard has put together a brochure (PDF) designed to show how priceless Interchange is. 

They have also created several documents trying to "discount" charges that interchange is too high.

It all makes for some interesting reading.  Below I have included links from their website, followed by their press release.


Every business establishes a price for the goods and services it provides, and the electronic payments business is no exception. As one element of the cost of acceptance, interchange is a small fee in relation to the enormous value merchants receive for accepting MasterCard payment cards.

For almost 40 years, MasterCard has established default interchange fees that have proven to be the most efficient way to balance costs in the system and promote a strong, competitive payments industry that benefits cardholders, merchants and financial institutions. Today, some 25,000 financial institutions provide the cards and services that allow hundreds of millions of consumers and 25 million merchants around the world to benefit from the convenience and security of electronic payments.

Learn more about interchange from the information below:

MasterCard dispels myths, highlights benefits of payment networks

Purchase, N.Y., Jan 15, 2009 -- In light of the ongoing discussion and debate about the role of credit in today's economic environment, MasterCard Worldwide has issued a paper that dispels misperceptions (Editor's Note: shouldn't it be "misconceptions" or am I "misperceiving" this?) about payment systems and explains the tremendous economic value that electronic payments bring to the economy as a whole and their role in advancing commerce.

The paper, entitled "Benefits of Open Payment Systems and the Role of Interchange," underscores the enormous benefits delivered by electronic payments, which have become so ingrained in everyday life they are often taken for granted or misunderstood. Few people ever stop to consider the complex and sophisticated system that allows transactions to occur within seconds, almost anywhere in the world.

"Perhaps the easiest way to grasp the value of electronic payments is to envision a world without them. Clearly, if electronic payments came to a sudden halt, many facets of commerce - travel, trade and the Internet just to name a few - would face dire consequences," MasterCard President and CEO Robert W. Selander says in the introduction.

The paper also discusses the role of interchange - a relatively small fee paid for the benefits merchants get from card acceptance. Interchange is critical to ensuring the system provides maximum benefits to all participants, including consumers and merchants in a fiercely competitive marketplace.

MasterCard has created this brochure as a resource for all those interested in the payments industry. To access the paper, please visit, .

About MasterCard Worldwide

MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes over 18 billion transactions each year, and provides industry-leading analysis and consulting services to financial institution customers and merchants. Through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to .

Source: Company press release


Google Checkout "Searches" for Way to Increase Adoption

Google Checkout adoption is dropping.  Maybe they ought to start "searching" for ways to increase market share.  Maybe a globally patented PIN debit application from HomeATM would help...

The adoption of Google Checkout by online retailers is stalling, according to a study by interactive agency Rosetta.

The report states that 37% of 100 leading online retailers surveyed currently offer alternative payment methods, a 23% increase since November 2007.

Of those, Bill Me Later is most popular at 26%, with PayPal now nearly tied at 25%. Google Checkout showed a tiny increase from 10% in 2007 to 11%. Only 7% of the retailers examined offer all three methods.

“Even though it boasts high consumer confidence, Google Checkout is struggling in retailer adoption,” said Adam Cohen, a partner at Rosetta's consumer goods and retail practice, which conducted the study last month. “Adoption of the service started out very strong last year, but has stagnated in the last 12 months."

The discontinuation of incentives for retailers during the holiday season is likely to negatively impact Google Checkout adoption on an ongoing basis, he said.


How Cards Are Processed

An interactive guide has been provided to show how merchants and banks process card purchases. For the interactive guide, click here (or the graphic on the left).
For a printable version, click the PDF link at the bottom of this post.
How credit card transactions work
Interactive guide shows how merchants, banks process card purchases

By Tyler Metzger -

More than 23 billion credit card transactions were processed in the United States in 2007, and they are projected to grow by 26 percent over the next five years, according to the Nilson Report. But have you ever wondered what exactly happens after your card is swiped?

Use this guide to find out how your credit card transactions are processed. PDF

"Underground Economy Booming" - Followup

Symantec Report on the Underground Economy

On November 24th, I posted about Symantec's release of a detailed report called the "Internet Security Threat Report."  That report is now available to anyone who wishes to download the whitepaper.

This from their website.  For your convenience, I have included links to more detailed information.  Click any of the graphics to enlarge.

The Symantec Report on the Underground Economy examines activity on underground economy servers observed by Symantec between July 1st, 2007 and June 30th, 2008. It includes analysis and discussion of the goods and services advertised, advertisers participating in the economy, the servers and channels that host the trading, and a snapshot of piracy activity observed.

As I previously stated, this report is now available to the general public for free download.

Symantec Report on the Underground Economy
Executive Summary: Symantec Report on the Underground Economy
Symantec Weblog: Postings on the Underground Economy

Report Highlights

"The underground economy has matured into a global market with the same supply and demand pressures and responses of any other economy. There are a great many servers and channels available to advertisers to market their wares, which they do, and often. Most people associate identity theft with money because most reported cases involve criminals using the identity for activities such as obtaining credit cards, applying for loans, obtaining expensive medical or pharmaceutical treatments, or even stealing house titles. Symantec estimates the value of total advertised goods on underground economy servers was over $276 million between July 1, 2007 and June 30, 2008.

During the reporting period, Symantec monitored 44,752 unique samples of sensitive information publicly posted on underground economy servers, which accounted for 10 percent of the total distinct messages. Sellers often publicly post samples of their goods in the channels on underground economy servers. These samples serve several purposes: to prove that sellers actually have the goods in their possession; to show potential buyers the quality of goods they can expect; to enhance their credibility; and to allow users to validate the information. The table (above left) identifies the top samples of information posted:

Credit card information may rank high because there are many ways it can be obtained and used for fraud. This includes phishing schemes, monitoring merchant card authorizations, the use of magnetic stripe skimming devices, or breaking into databases and other data breaches that expose sensitive information.

Another explanation may simply be that there is a high frequency use of credit cards.

For example, the 22 billion credit card transactions in the United States in 2006 represent a growth of eight percent over the previous year.  High frequency use and the range of available methods for capturing credit card data would generate more opportunities for theft and compromise and, thus, lead to an increased supply on underground economy servers.

Credit card information may be in such demand because using fraudulent credit card data for activities such as making online purchases is relatively easy. Online shopping can be easy and fast, and a final sale often requires just credit card information. Someone knowledgeable enough could potentially make many transactions with a stolen card before the suspicious activity is detected and the card is suspended.

The second most common category of goods and services advertised was financial accounts, with 20 percent of the total. This category includes bank account credentials, magnetic stripe skimming devices, online payment services, online currency accounts, and online stock trading accounts. This category ranked third for advertised requests, with 18 percent of the total. By far the major contributor to the popularity of the financial accounts category was bank account credentials, which accounted for 18 percent of all goods and services advertised for sale.

Financial accounts are attractive targets because of the opportunity to withdraw currency directly.  Although this may involve more steps than using stolen credit card data to make online purchases, the process of cashing out financial accounts can be easier than retrieving cash from credit cards because  criminals would require a PIN for the card. Also, most ATMs have security cameras, which may deter criminals from using this medium. In addition, withdrawing currency from a bank account has the advantage of a more immediate financial reward than with online purchases, which would need to be sold to realize a purely financial reward.

Credit card information includes credit card numbers, credit cards with CVV2, and credit card dumps; financial accounts includes bank account numbers, magnetic stripe skimming devices, online payment services, online currency accounts, and online stock accounts; spam and phishing information includes email addresses, email passwords, scams, and mailers; withdrawal services include cash outs and drops that are used to withdraw money and items from purchases; identity theft includes full identities and Social Security numbers; server accounts are for file transfers and virtual networks; compromised computers includes hacked computers, bot-infected computers, and shells; website accounts include online accounts for access to specific websites such as social networking sites; malicious tools includes Web-based attack tools and malicious code; and retail accounts includes gift cards for online stores and online auction accounts.

Magnetic stripe skimming devices are small machines designed to scan and retain data contained in the magnetic stripes on credit and debit cards. To cash out bank accounts, individuals can either use a reliable cashier or can assume the identity of the bank account owner to withdraw funds. Since many bank accounts can only be cashed out from within the issuing country, criminals may prefer the use of cashiers that specialize in extracting currency from these accounts. Such cashiers use a variety of methods to convert the information into true currency, transferring money either through wire transfers or to online currency exchange accounts. They can also hire an intermediary to receive the transfer in person using a fake identity. Symantec observed requests on underground economy servers for cashiers in specific locations and of a particular gender (as matching the cashier’s gender to the identity of the bank account holder is essential to not raise suspicion when withdrawing funds).


Financial Institution Breaches Up 47%

US financial institutions were hit by 78 reported data breaches last year, a 47% increase and now own a 70% larger piece of the pie. 

Reported data breaches in the US during 2008 were up 47% on the previous year, to 656, of which 78 affected financial institutions, according to a study from the Identity Theft Resource Center (ITRC).

Financial services accounted for 78 breaches, which is 11.9% of the total. Whereas financial services accounted for 7% of the total in 2007, its 11.9% share this year represents a 70% bigger piece of the pie than it had last year.

According to Finextra, ...

"The ITRC says at least 35.7 million records were potentially breached but the true figure is likely to be far higher because 41.9% of cases went unreported or undisclosed.

Financial services accounted for over 18.1 million compromised records, 52.5% of the total.

This is largely down to the biggest single breach last year, which saw BNY Mellon Shareowner Services losing around 12.5 million records - including social security numbers, names and addresses - when a box containing unencrypted customer data tapes went missing in transit in February.

In addition, RBS WorldPay was hit by a breach affecting 1.5 million records and Countrywide had two million compromised last year.

Most of the financial sector breaches were the result of hacking, followed by insider theft. Of all breaches across all sectors, 3.5% are attributable to hacking at financial firms, 2.4% to insider theft, 1.7% to data on the move, 0.8% to accidental exposure and 0.8% to subcontractors.

Electronic breaches account for 82.3% of the total, compared to 17.7% for paper. Despite this, just 2.4% of all breaches had encryption or other strong security methods in use and only 8.5% even had password protection." - Finextra

For those interested, I have included links to the following 2008 Year End Reports from the ITRC website:


Hacker Thai'd to TJX Breach Arrested

M'sian nabbed in Bangkok over US$150m credit card fraud
BANGKOK: A Malaysian man wanted in the United States for credit card fraud amounting to US$150mil (RM540mil) was arrested by Thai authorities and US Secret Service agents in Nonthaburi on the outskirts of Bangkok on Tuesday. Local media reported that the 43-year-old man had a warrant of arrest issued for him by a US court for illegal possession of data access device, hacking into computers and stealing data.

Crime Suppression Division police chief Supisal Pakdinaruenar said the man was a prominent member of a credit card fraud gang operating in the United States for the past three years and was believed to have fled to Thailand to evade arrest. He was arrested in a house in the Pak Kret district where he was staying with his Thai wife.

The group is believed to be involved in stealing credit card transaction data from people patronizing major restaurants and retail outlets like TJX, WalMart and Office Depot, and selling the information to other groups making counterfeit cards.

According to Supisai, the man had denied all the charges and was currently facing extradition to the United States. - Bernama

Macy's Debit Card Glitch Internal

Macy's Own Software Caused Its Holiday Debit Card Glitch

In a follow-up story, Fred Aun and Evan Schuman report that Macy's has determined that an internal glitch caused some 8000 debit cards to be double and triple charged. Here's an excerpt:

"After initially suspecting that one of its third-party payment card processors had caused a December 20 mess where some 8,000 Macy's customers had their debit cards charged as many as three times for one transaction, the chain's payment management has now concluded that the fault lied solely within their internal software.

"We were looking at the processor and the bank networks, trying to determine whether this was an issue with specific banks," Mike Gatio, president of Macy's credit and customer services division, said in a Wednesday (Jan. 14) interview. "We've now narrowed it down to our own gateway. We deal with a number of processors, but it's not their issue.  It's ours."...

Continue Reading at StoreFront Backtalk


Tick Tock

I apologize for the "time stamp" I'm putting on this...
I've just been given, "hands down", some great news, 

Not sharing it kinda "ticks" me off,  and
"secondly", it's late and I'm "winding down"...

"Wait a minute"...when the "time" comes,
I promise to tell you "hour" news...

Wish you knew what I knew
You will...stay tuned...

JBF - PIN Debit Payments Blog

Phishing 2.0 - PAN Fried

FYI: A Credit/Debit Card "Personal Account Number" is what creates the "PAN" acronym.

Over the past couple of months, I've posted that: eCommerce and Browsers Don't Mix, I've talked about how unsafe web browsers are...why you should NEVER enter your PAN into a browser space.

I've also pointed out that recent data shows that software is 92 times more likely to be breached than hardware.

So, if you're like me, you're probably starting to get the "pheeling" that browsers are an extremely unreliable platform for ecommerce. 

That said...let me put it another way. 

I'm sure that you would agree that most of the time browsers are not even safe for browsing, let alone typing in our PAN or PINs...

It seems like almost every day, we read about how hackers are getting more sophisticated in the ways they try to obtain your personal information from financial sites:

Now comes a story from Kelly J. Higgins, published by Dark Reading, which explains how the next generation of phishing attacks is so-phisticated that it targets users in real time. (They call it "In Session Phishing," because it targets online banking sessions with phony popups...but I'll call it PAN Fried - Phishing 2.0.)

Here's a portion of the story from Dark Reading. Click the link below to read it in its entirety...

'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials

Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking (thus making payments) online -- sending phony "pop-up" messages pretending to be from their banks/payment providers. (So I guess the only thing "that's safe" to say about pop-ups is that they're "not safe"...and I'll bet you're glad I didn't say there's something fishy about them...were you not?)

The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a pop-up that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.

From Trusteer's PDF:

"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."

The popup message could take other forms according to the researchers (such as a Graphical User Interface I have to wonder out loud?) -- anything that could dupe the user into handing over credentials. In order for in-Session phishing attacks to succeed the following conditions are required:

1. A base website must be compromised from which the attack can be launched

2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack.

Once the website is compromised, the attacker injects code into the website. This code does not change the appearance of the website and does not download malware to the user’s PC. Therefore it is very hard to detect.

This code is designed to search for online banking websites that visitors are currently logged onto, and present them with a pop-up that claims to be from the banking website they are logged on to. These pop-ups ask for log-in and personal information.

Therefore once again, I state for the record: "NEVER type your PAN or your PIN into a web browser..."

Is it Safe? Know...NO...Know!
PIN Debit Payments Blog -JBF
