Friday, March 13, 2009

Reminder: ProPay's 2009 Data Security Summit

Data Security Summit Spring 2009 - Hosted by ProPay
March 18th -19th Cliff Lodge at Snowbird Resort, Little Cottonwood Canyon, Utah


I posted about this a month ago (Propay Security Summit) but as the event quickly approaches, (March 18th and 19th) I thought I'd do a refresher post. ProPay has put together quite an impressive lineup of featured speakers. HomeATM's Chairman and CEO, Ken Mages, will be attending the event, which takes place at the Snowbird Resort in Salt Lake City, Utah.

FOR IMMEDIATE RELEASE
ProPay Gathers Industry Experts to Address Payment Industry Trends at 2009 Data Security Summit

Bob Russo, Chris and Dr. Heather Mark, and Michael Dortch among featured speakers to discuss PCI compliance, risk mitigation and data security

Orem, Utah -February 9, 2009- ProPay is gathering the brightest minds in the digital transaction industry to educate attendees about the latest trends and best practices to protect sensitive customer data at the 2009 Data Security Summit on March 18-19, 2009, at the Snowbird Resort in Salt Lake City, Utah.

Headlining the Summit’s speakers are Bob Russo, General Manager, PCI Security Standards Council; Chris and Dr. Heather Mark, Founders, Society of Payment Security Professionals; and Michael Dortch, former Senior Research Analyst, Aberdeen Group. Speakers will address the latest in PCI compliance, risk mitigation, security, and other relevant topics pertaining to the payment industry.

Editor's Note: See if you can find the common denominator between what HomeATM is doing with their SwipePIN PED device and what ProPay is doing with its MicroSecure® Magnetic Stripe Card Reader. If you said "hardware rather than software to protect cardholder data" then you've been paying attention!

Quick bios of the featured speakers:





Bob Russo, General Manager, PCI Security Standards Council


Mr. Russo brings more than 25 years of high-tech business management, operations and security experience to the PCI Security Standards Council. Most recently, he served as the vice president of Commercial Sales for Secure Info, a provider of security, risk and compliance services and software. He was also a founder of a number of software and security companies including Network-1 Software & Technology and ATC Security, a security compliance company created to assess compliance of payment industry stakeholders, later acquired by Ambiron LLC.

Chris Mark, Founder, Society of Payment Security Professionals


Chris is an experienced information security professional and recognized payment card industry security expert. Chris is a co-founder of The Aegenis Group and the Society of Payment Security Professionals. From 2007-2009, the Aegenis Group was the worldwide trainer for all Qualified Security Assessors (QSAs) and trained over 2,800 QSAs. Additionally, the company contracts with Visa Inc. to conduct PCI related training internationally to merchants and banks. Chris has conducted PCI and payment security training in over 10 countries on 5 different continents.

Dr. Heather Mark, Founder, Society of Payment Security Professionals


Dr. Mark is an experienced information security and privacy professional who is both well known and respected within the Payment Services industry. Prior to joining Halcyon, Dr. Mark co-founded a Qualified Security Assessment Company and worked at various technology companies supporting PCI efforts. Dr. Mark helped to develop a variety of assessment methods and practices that assisted companies in achieving compliance in a cost-effective, timely manner.

Michael Dortch, Founder and Managing Editor, DortchOnIT.com


Michael Dortch is Founder and Managing Editor of DortchOnIT.com, and has been an IT industry analyst, consultant, evangelist, speaker, writer, and "information entrepreneur" for more than 30 years, focused on enabling and emerging technologies and their effects on business value. Before starting DortchOnIT.com, Michael was a Senior Research Analyst at Aberdeen Group, and Director of IT Infrastructure Management Strategies and Executive Editor for Robert Frances Group. Michael has worked with IT users and both established and start-up vendors to help them align their strategies with business goals. He has been widely quoted and is a frequent and popular speaker at industry events. He began his career in the 1970s at The Yankee Group after attending the Massachusetts Institute of Technology (M.I.T.). He lives and works in Santa Rosa, CA, approximately an hour north of San Francisco.

John Verdeschi - VP of Sales and Standards - MasterCard Payment System Integrity Group


John Verdeschi is Vice President of Sales and Standards, in the MasterCard Payment System Integrity group. In this role, he is responsible for managing MasterCard's global risk product sales team, the Payment Card Industry (PCI) Data Security Standard and MasterCard SecureCode. Mr. Verdeschi is a member of the PCI Security Standards Council executive committee which is comprised of MasterCard and other leading payment brands. Since joining MasterCard in 1999, Mr. Verdeschi has concentrated on programs which help secure transaction data and manage fraud within the electronic payments channel.

Representatives from the various card brands and payment industry companies, as well as experts from law enforcement agencies and the FBI, will be on hand to network with attendees and talk about the latest from their businesses and organizations.





"The landscape of the payment industry is ever-changing and the need to educate the market on best practices and the latest technology to protect businesses is essential to the survival of every company,” said Greg Pesci, ProPay Executive Vice President of Business Strategy. “This Summit is a great opportunity to bring experts and non-experts together to educate each other on the trends in the market and the pains customers and businesses are experiencing in regards to digital transactions."

For more information about the 2009 Data Security Summit and how to register, please visit www.propay.com/summit or e-mail Jennifer McClintock at events@propay.com.


About ProPay


Since 1997, ProPay has led the market in providing simple, safe and affordable credit card processing and electronic payment services for businesses ranging from the small, home-based entrepreneur to multi-billion-dollar enterprises.

ProPay understands the unique needs of these businesses and has created merchant services specifically for them. With ProPay, merchants can set up accounts online and begin accepting credit cards without buying special equipment or making long-term commitments or investments. ProPay leads out in educating merchants about how to reduce or eliminate the risk of touching or holding sensitive cardholder data. The company also leads the payments market in the development of secure end-to-end solutions for protecting sensitive data and of alternative payment options that significantly reduce business costs.

ProPay is a privately held company, headquartered in Orem, Utah. For information, visit
www.propay.com/pressroom.













Apple iTunes Card's Codes Cracked?


In a non-surprising development,  (Acculynk: Where's the PIN Offset?  My PVV) someone got their hands on data they weren't supposed to... Oh well...it's not like they hacked the PIN numbers to our debit cards or anything!  What was that 100% Guarantee that our CEO was talking about yesterday?  Something about PIN numbers being breached...Click here to refresh YOUR memory...in the meantime...

On to the next breach...

From MacMod.com


Apple's iTunes Gift Card algorithm has been cracked in China. Apparently you can order a $200 gift card for about $3 USD on some Chinese online stores. The store owner says that he has bought the codes from a generator supplied from people who have cracked Apple's code. 77,593 codes were available on the taobao shop.

Right now you can buy up to 10 cards a day. No response from Apple yet, but I'm sure that an improved algorithm has already been developed and new cards are hitting the press as I type this.


Get a $200 iTunes gift card for $3
In the early 2000s, Internet file-sharing in the form of Napster and similar services put the brakes on the music industry's profits. But legislation and alternative purchasing methods, such as the iTunes gift card, helped alleviate some of the monetary pain felt by bands and their labels by funneling legitimate money to the legitimate creators.
Here comes more pain. Chinese hackers recently unveiled another way to hit the record industry: Buy a $200 iTunes gift card for $3.


Here's a still from the online auction site taobao.com that shows multiple iTunes gift cards for sale. As of March 13, 1 USD is equal to 6.8 CNY, which is the currency used in China. CNY is also known as RMB.
Hackers in China are selling the gift cards for mega cheap because they discovered the algorithm Apple uses to generate the card's numbers. According to multiple accounts, the fake numbers are created by a key generator, which is also used to create serial numbers for pirated software, and then are sold on online auction sites, such as Taobao.com, the Chinese equivalent of Ebay.

Outdustry, a blog covering the Chinese music industry, verified that the counterfeit card numbers work. A blogger for the Web site went to Taobao.com, purchased a $200 iTunes gift card from a seller who was online, and redeemed the card number via instant message. The blogger also talked to the seller via online chat. The seller flat out admitted the gift card numbers were created using a key generator, and that he or she had to pay money to use the generator. The seller also said the phony card numbers went on the market about a year ago, when a $200 iTunes card sold for about $46. But the prices have dropped due to the growing number of customers and an infinite amount of numbers to generate.

Continue Reading at Taking Charge...The CreditCards.com Blog
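The security lesson in the story above is that a gift code which a server can validate purely from the code itself (a format plus a checksum) is, by construction, a code that a key generator can mint: whoever reverse-engineers the validation rule has everything the issuer has. The following is an added illustration, not code from the article, from Apple or from the sellers it quotes, and its alphabet, code lengths, checksum and HMAC tag layout are hypothetical (the article does not describe Apple's real scheme). It contrasts an offline-checkable scheme with one whose acceptance depends on a server-held key and on server-side issued/redeemed state, and measures how much of a keygen's output each scheme accepts.

```python
"""Why an offline-checkable gift code is keygen-able, and what fixes it.

Hypothetical formats (not Apple's): two ways a redemption server might
validate a 20-symbol code.

  scheme A: body + check character computed from the body alone. Anyone
            who reverse-engineers check_char() can mint valid codes.
  scheme B: body + tag computed with a server-held secret, and the code
            must also be in the issued set and not yet redeemed.
"""
import hashlib
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols (assumed)
BODY_LEN = 12                                      # assumed body length
TAG_LEN = 8                                        # assumed tag length


def _random_body() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))


# ---- scheme A: offline checksum, no secret ---------------------------------

def check_char(body: str) -> str:
    """Weighted mod-36 checksum. It catches typos; it authenticates nothing."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def issue_weak() -> str:
    body = _random_body()
    return body + check_char(body)


def verify_weak(code: str) -> bool:
    body, check = code[:BODY_LEN], code[BODY_LEN:]
    return len(body) == BODY_LEN and check == check_char(body)


# ---- scheme B: keyed tag plus server-side state ----------------------------

class Issuer:
    """Holds the HMAC key and the issued/redeemed sets (a database in practice)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._issued = set()
        self._redeemed = set()

    def _tag(self, body: str) -> str:
        mac = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:TAG_LEN])

    def issue(self) -> str:
        body = _random_body()
        code = body + self._tag(body)
        self._issued.add(code)
        return code

    def redeem(self, code: str) -> bool:
        body, tag = code[:BODY_LEN], code[BODY_LEN:]
        if len(body) != BODY_LEN or not hmac.compare_digest(self._tag(body), tag):
            return False          # cheap rejection before any database lookup
        if code not in self._issued or code in self._redeemed:
            return False          # never issued, or already spent
        self._redeemed.add(code)  # burn it: one redemption per code
        return True


# ---- the attacker's keygen: knows the format and check_char(), not the key --

def keygen(rng: random.Random, n: int) -> list:
    codes = []
    for _ in range(n):
        body = "".join(rng.choice(ALPHABET) for _ in range(BODY_LEN))
        codes.append(body + check_char(body))
    return codes


def keygen_hit_rates(n: int = 1000, seed: int = 1) -> tuple:
    """Fraction of keygen output accepted by scheme A and by scheme B."""
    rng = random.Random(seed)
    issuer = Issuer(secrets.token_bytes(32))
    weak_hits = sum(verify_weak(c) for c in keygen(rng, n))
    # Against scheme B the keygen can only guess the 8-symbol tag, and even a
    # lucky guess fails because the code was never issued.
    guesses = (c[:BODY_LEN] + "".join(rng.choice(ALPHABET) for _ in range(TAG_LEN))
               for c in keygen(rng, n))
    strong_hits = sum(issuer.redeem(g) for g in guesses)
    return weak_hits / n, strong_hits / n


if __name__ == "__main__":
    weak, strong = keygen_hit_rates()
    print(f"keygen accepted by scheme A: {weak:.0%}, by scheme B: {strong:.0%}")
    issuer = Issuer(secrets.token_bytes(32))
    code = issuer.issue()
    print("first redemption:", issuer.redeem(code), "second:", issuer.redeem(code))
```

The keyed tag on its own only makes guessing expensive; what actually stops a keygen is that the server, not the code, is the source of truth: a code must have been issued and must not have been spent. The tag earns its keep by letting the server reject junk before it touches the database.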





M-Banking to Hit 900 Million by 2014 - Study

Newsflash from Finextra.com.

13/03/2009

M-BANKING USERS TO HIT 900 MILLION BY 2014 - STUDY

Global mobile banking take up is set to soar over the next five years, with the number of people using the technology growing from 20 million in 2008 to 913 million in 2014, a CAGR of 89%, (Compound Annual Growth Rate) according to Berg Insight.

The research suggests Asia Pacific will become the most important regional market, accounting for 65% of the total user base, whilst the technology will also pick up in Africa and the Middle East, bringing financial services to people currently unbanked.

Continue Reading at Finextra: http://www.finextra.com/fullstory.asp?id=19769





Google Checkout Adjusts Pricing Upward - Matching PayPal


Yesterday, Google Checkout announced that it was changing its fee structure beginning May 5 - eliminating the previous credit that Google AdWords customers got that reduced their Google Checkout fees.

Instead, the new Google Checkout fee structure essentially parallels that of PayPal’s - a long-standing fee structure that the online payments leader has had in place for many years.  Below are the two fee tables:


Monthly Sales            Google Checkout fee per transaction
Less than $3,000         2.9% + $0.30
$3,000 - $9,999.99       2.5% + $0.30
$10,000 - $99,999.99     2.2% + $0.30
$100,000 or more         1.9% + $0.30



Monthly Sales            PayPal fee per transaction
$0.00 - $3,000           2.9% + $0.30
$3,000.01 - $10,000      2.5% + $0.30
$10,000.01 - $100,000    2.2% + $0.30
> $100,000               1.9% + $0.30

Google Checkout continues to only support funding via the four major payment card brands for US sellers: Visa, MasterCard, American Express and Discover. Unlike PayPal, Google Checkout continues not supporting funding directly (via ACH) from checking accounts.


Both Google Checkout and PayPal have a 1% surcharge to US sellers on all cross-border transactions.

What about Amazon Checkout (or Amazon SimplePay)? You guessed it - the fee structure is essentially the same - starting at 2.9% + $0.30 per transaction in the lowest tier and going down to 1.9% + $0.30 per transaction for monthly sales over $100,000. Sound familiar? Amazon allows buyers to pay using Visa, MasterCard, Discover, American Express, JCB, or Diners Club credit cards.

Amazon does have a subtle difference - those fees apply to transactions of $10.00 or more. For transactions of less than $10.00, Amazon’s fees are 5.0% + $0.05 for all transactions - with no tiering based on monthly sales.

So, that’s where things stand today. With Google’s just announced changes, all of the three major online payment players have priced their services essentially the same - for US sellers. However, there are more differences “under the covers” between these services than just the pricing would seem to indicate.






Citibank Launches Citi Mobile in India

Source: Citi

Citibank Launches Citi Mobile
Everyday Banking on Your Mobile Phone Made Effortless

New Delhi, Delhi, India, Thursday, March 12, 2009 -- (Business Wire India)


Citibank today announced the launch of Citi Mobile, its mobile banking solution that combines the consumer need for convenient, on-the-go banking with advanced mobile technology that is compatible with popular mobile devices across most GSM operators. Through Citi Mobile, customers can check account balances, send money, issue drafts, pay bills, make credit card payments, register for services like e-Statements, request a cheque book, stop payments and much more.

Citi Mobile can be quickly downloaded onto a mobile phone, making mobile banking for Citibank customers as fast and effortless as banking online. The requirements for accessing Citi Mobile are a Citibank Banking/Credit Card account, an active Internet PIN, a mobile number that is registered with the bank, and a Java-enabled mobile phone with a GPRS connection.

Customers can SMS MBANK followed by the last 4 digits of their Debit/Credit Card number to 52484. An SMS response will be delivered to the customer’s mobile phone indicating the URL for Citi Mobile. This URL can be used to download Citi Mobile onto the mobile phone. On Citi Mobile, all customer interaction is HTTPS-secured and encrypted using 128-bit SSL; further, no customer data is stored on the mobile phone, making this one of the most secure access channels.

Announcing the launch of Citi Mobile in India, N. Rajashekaran, Country Business Manager, Global Consumer Group, Citi India, said, “Citibank has always been a forerunner in putting technology to work for our customers. With Citi Mobile, we are happy to address our customers' emerging lifestyle needs and support them in accessing their money in a fast, convenient and secure manner through something they always have with them – their mobile phones. Given the recent growth trends in mobile phone usage in India, we expect this to grow into a significant channel for customer service and contact.”

About Citi:

Citi, the leading global financial services company, has approximately 200 million customer accounts and does business in more than 140 countries. Through its two operating units, Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management. Additional information may be found at www.citigroup.com or www.citi.com.






Retailers Form Association to Defend Closed-Loop Gift Cards


The Retail Gift Card Association is recruiting new members with the aim of building a positive image of closed-loop gift cards, getting members to follow an ethics code, and countering the bad publicity directed at gift cards in recent months by consumer groups and legislators monitoring marooned cards whose sponsor retailers have failed.

The RGCA announced its birth in early December, but waited until Tuesday to outline its growth plans at the Prepaid Card Expo trade show in Orlando. The group has nine members and is looking to grow to about 40 in its first year, according to association spokesperson Carman Wenkoff, president of Value Pay Services LLC, a prepaid card firm owned by franchisees of the Subway sandwich chain. Wenkoff and Tom Boucher, senior program manager of gift cards at consumer-electronics retailer Best Buy Co. Inc., gave a progress report at the conference.

Continue Reading at Digital Transactions




Founding Members of the RGCA





Fraud Continues to Increase Across Canada


March is Fraud Prevention Month in Canada and leading fraud prevention expert, Equifax Canada Inc., is joining lenders and others in raising consumer awareness of the issue.

Figures show that true identity theft rose in Canada by over 20% in 2008 compared to 2007.

This rise illustrates the need to intensify efforts to reduce this threat to both consumers and lending institutions.

A good defense to combating identity theft is found in Equifax's fraud database.

"With true identity and fictitious identity frauds continuing to increase, it is crucial that the lending industry maximize the benefits of fraud data sharing", said Carol Gray, President Equifax Canada.

"Fraudsters are clearly becoming more inventive and lenders need to deploy more sophisticated data-sharing solutions than they have traditionally used. Today's solutions need to deliver flexible cross-matching techniques that can be fine-tuned by users to try to stay ahead of the curve."

The good news for consumers and businesses alike is that fraud solutions, such as Equifax's web-based fraud prevention database Citadel, are addressing even the most sophisticated fraud threats.

With Citadel, credit applications are submitted and compared to a national syndicated database containing historic suspicious information.

"The Citadel solution is aimed at stopping fraud dead in its tracks", Gray added.

For decades, Equifax has been in the business of fraud detection and prevention with products and services like Safescan ID, eID, Synthetic File Indicator, Deposit Alert and most recently, Citadel. As Equifax continues to innovate and deliver modern fraud solutions, top priorities include detecting fraud at the first possible opportunity, minimizing the number of legitimate consumers impacted by fraud and improving analytics to help organizations stay nimble when preventing and responding to fraud.

For consumers, Equifax encourages them to remember to be diligent and pay attention to signs that their identity may have been stolen and/or compromised. Some of the signs include:

  • A financial institution or cell phone company contacts you regarding application activity in your name;
  • You start receiving suspicious contacts where the person or alleged company is seeking more information about you;
  • A collection agency contacts you about a debt that is unknown to you;
  • Unknown transactions appear on a statement;
  • Bills or statements are not arriving in the mail; and
  • Bills or statements arrive in your name for unknown accounts.

How can you help prevent identity theft?
  • Disclose personal information discreetly and to trusted parties only;
  • Dispose of information securely;
  • Monitor your mail closely;
  • Shield your PIN and keep your card in sight;
  • Review statements and report discrepancies immediately;
  • Create strong on-line passwords and change them periodically; and
  • Do not send confidential information over email.

SOURCE: Equifax Canada Inc.






Society of Payment Security Professionals Welcomes 50 New CPISM/CPISAs


PARK CITY, UT--(Marketwire - March 12, 2009) - The Society of Payment Security Professionals (SPSP) is pleased to announce that they have now certified more than 200 people as Certified Payment-Card Industry Security Managers (CPISMs). In addition, the SPSP has certified 50 Certified Payment-Card Industry Security Auditors (CPISAs). The enthusiasm with which the new certifications have been adopted is further proof of the industry's need to identify those individuals that have both security and payment card industry expertise. The rapid adoption of security regulation at the state and federal level, coupled with the dynamic nature of the payment card industry, makes the certifications appealing to a wide range of industry participants.

"We've seen individuals representing almost every business model in the industry take the CPISM or CPISA courses," said Chris Mark, CPISM/A, CISSP, CIPP and Founder of the Society of Payment Security Professionals. "The certifications were designed specifically to create a level playing field for everyone from merchants, to acquiring and issuing banks to Qualified Security Assessors. The materials covered in the course go far beyond simple compliance with the PCI DSS, to include risk management, state and federal regulations and other vitally important topics. In addition to offering education, the courses offer an opportunity for Payment Security Professionals™ to share ideas and experiences. Ultimately, such discourse can only be a positive influence on the security practices of the industry."


The CPISM and CPISA certifications have been developed with the goal of enabling the certificate holder to demonstrate proficiency and understanding of the Payment-Card Industry, fraud and data theft trends, the relevant regulations that impact the industry, and application of the regulations to various business models that are unique to the industry. The certifications were carefully developed to adhere to educational pedagogy and instructional design theory. In addition, the certification exams and the training were vetted by veteran Payment Security Professionals to ensure that the materials were accurate, relevant, and timely.

According to co-founder Mike Dahn, "As former QSAs, and QSA Trainers that currently provide PCI related training worldwide for a major card brand, we understand the needs of the industry and the challenges of securing data within the payment card industry. These certifications have been designed to allow individuals to more effectively manage risk and comply with the PCI DSS and other related standards."

The Society is offering a public CPISM and CPISA Training and exam seminar in the San Francisco area in June 2009. For more information, or to register for the event, please visit https://www.paymentsecuritypros.com/training-dates/.

About the Society of Payment Security Professionals

The Society of Payment Security Professionals' objective is to provide individuals and organizations involved in payment security with an online community to share information, and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, ISOs, and more. Though their organizations may vary, they all share one purpose: to protect sensitive customer data using the most current, viable technologies and processes. The SPSP is managed by The Aegenis Group. For more information about the Society of Payment Security Professionals, please visit www.paymentsecuritypros.com.

Contact:
Heather Mark
Company Name: Society of Payment Security Professionals
Telephone Number: 888-616-3330
Fax Number: 435-608-6403
Web site address: www.paymentsecuritypros.com





Perils of Prepaid


The Pitfalls of Prepaid Cards - SmartMoney

Credit-card issuers are cracking down on cardholders, slashing their credit limits and even closing their accounts. As a result, many skittish consumers are turning to prepaid cards.

On the surface, prepaid cards seem like a "safer" way to spend. Backed by major issuers, such as Visa, MasterCard and Discover, these cards can be used just like regular credit cards -- with the exception that holders can only spend up to the amount they've deposited into their account.

There's no risk of overcharging (and getting hit with an over-the-limit fee) or potential damage to a credit score since the cards don't represent a line of credit. In fact, parents have long turned to prepaid cards as a tool to teach teenagers how to spend responsibly.

But there are drawbacks to this convenient shopping option. Among them: hefty fees that can add up to hundreds of dollars if you're not careful. Here's what you need to know:

Fees, fees and more fees

Prepaid cards may not come with the sky high late-payment fees or APRs of traditional credit cards, but they do carry a slew of other charges. “[Prepaid card issuers are] pretty creative with coming up with random fees,” says Curtis Arnold, founder of credit-card information site CardRatings.com. Cardholders can get hit with a fee when they activate their card, call customer support, withdraw money from an ATM, refill their card or order a replacement card.

Continue Reading at SmartMoney.com





On to the Next Breach...

Anthony Freed, Financial Editor for Information-Security-Resources.com, wrote an exclusive on Visa having put Heartland on "double secret probation" over its recent breach. It's already been picked up by Seeking Alpha.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

He also is the official live blogger for the upcoming 2009 Sarbanes-Oxley Conference.  For more information visit: ISR

Visa Puts Heartland on Probation Over Breach

By Anthony M. Freed, Information-Security-Resources.com Financial Editor


Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined.

Called to the carpet sort of, anyway; the sanctions and guidance laid out by Visa (V) seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from soon to be sidelined Citigroup (C) and Bank of America (BAC), it is not surprising that they do not want to call too much attention to the situation:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.

It is worth noting here that Visa and MasterCard (MC) reported anomalies to Heartland in late October, about two and a half months before the CAMS alert was issued.

Data breaches in the financial industry always reignite the debate between those who want full and immediate disclosure, and those who would prefer to subdue the news. A lot seems to depend on your preferred usage of words like “quick” and “help”.

As for the sanctions Visa has prescribed for Heartland, I believe it’s something akin to when Dean Wormer put the Delta House on Double Secret Probation, or at least that’s how it reads:

Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake.

A breach of unknown scope and impact to consumers, participating banks, their shareholders, merchants, the economy in general, the source of multiple class action lawsuits and untold losses for years to come, and the big smack down is that Heartland has to sit in the back of the bus?

Profits over protocols; some actuary must have crunched the numbers, the underwriters drew the bottom line, and the executives decided to mush on. Damn the torpedo (holes).

And Heartland may not be the whole story.

There are multiple access points in the data chain. Heartland may be where the malware disease did its worst damage, but that does not guarantee that Heartland is also the point of infection.

And as far as being PCI DSS compliant, there has been some confusion as to what that exactly means for security assurance.

PCI DSS compliance is only a momentary measure. Think of it along the lines of a kitchen inspector who gives a restaurant the highest rating after inspection; that is no guarantee the cook will wash his hands well next week, or that the mayonnaise will never get left out.

That is why you will hear a CEO of a breached credit card processor plead “But we were PCI DSS compliant“  and simultaneously you will hear the PCI council (made up of the major payment card brands American Express (AXP), Discover Financial Services (DFS), JCB International, MasterCard Worldwide and Visa) exclaim that “No PCI compliant processor has ever been breached.”

Both of these statements cannot be correct.

Also included in Visa’s belated response to the Heartland breach is a fine to be levied against the participating banks - most of whom rightly consider themselves to be victims of the breach as much as their customers are. This must be like when the mean Drill Sergeant makes everyone march in the rain because one jerk made a goof. I guess the client banks are supposed to exert peer pressure on Heartland to mend their ways, or something:

Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks. Such fines are part of the program Visa uses to assure compliance with system rules. Ongoing compliance with PCI DSS helps keep the system more secure for all participants.

I fail to see the purpose of penalizing banks that send their processing business to Heartland unless it can be shown that the bank somehow contributed to the breach in a material manner; otherwise this is just more fodder for the lawyers in the form of damages to recover through litigation.

Another mystery contained in Visa’s announcement is the requirement that all fraud related to the Heartland breach has to be reported by May 19th. This is ridiculous, as it could be a year or two before all fraud cases can be identified and then substantiated; requiring this to happen in the next two months is unrealistic, if not unreasonable:

Account Data Compromise Recovery - Visa has determined that this event qualifies for the Account Data Compromise Recovery (ADCR) program. Subject to its terms, this program provides issuers the ability to recover a portion of their losses related to accounts that are determined to be the subject of a breach, by assessing acquirers for the ADCR financial liability. An acquirer’s ADCR financial liability is determined based on a percentage of magnetic stripe-read counterfeit fraud and specified operating expense liability amounts. Issuers will have until May 19th to report fraud losses related to this event to Visa. Until this reporting window closes, specific recovery amounts cannot be determined. Visa will provide clients with additional information as it becomes available.

Finally we get to that last paragraph, and I can say there is something there that I actually agree with: The PCI DSS is a decent start. What really needs to be fixed is how PCI DSS is implemented and maintained throughout the data access chain:

This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard. These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises. Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud.

So in summation, Heartland (and others) may be full of holes, and Visa belatedly recommends business as usual until such time as the holes can be found and filled.

On to the next breach.


The Author gives permission to link, post, distribute,or reference this article for any lawful purpose, provided attributionis made to the author and to Information-Security-Resources.com






Contactless M-Commerce Failing?

Finextra: Contactless m-commerce fails to take off
The development of contactless mobile payments has failed to live up to expectations and the technology will account for just a fraction of the value of commerce transacted over cell phones this year, according to data from ABI Research.

The firm says the value of mobile commerce transacted via non-NFC methods - SMS, Internet and applications - will total $1.6 billion in 2009. In contrast contactless mobile commerce will be "minimal".

Dan Shey, practice director, ABI Research, says: "NFC is the 'holy grail' that provides the easiest user experience. Other methods require more work and expertise from the consumer."

Continue Reading at Finextra





