Monday, April 6, 2009

House Questions Visa, Visa Questions Heartland, Heartland Has No Answers Yet

Heartland Data Breach: Visa Questions Processor's PCI Compliance

Visa Executive: "We've Never Seen Anyone Who Was Breached That Was PCI Compliant"

Despite the Heartland Payment Systems (HPY) data breach and other noted compromises, Visa staunchly supports the Payment Card Industry Data Security Standard (PCI DSS). 

This is the message from Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, who in an exclusive interview hammers home the credit card company's support for the security standard - and suggests that, contrary to Heartland's own statements, the payment processor may not have been PCI compliant when it was breached sometime in 2008.

"We've never seen anyone who was breached that was PCI compliant," Phillips says without specifically naming - or excluding - Heartland. "The breaches that we have seen have involved a key area of non-compliance."

Editor's Note: Meanwhile the House is blaming V/MC...see next post, and Heartland's stock (see chart below) continues its free fall. (Well, maybe not a "free" fall...it's costing shareholders some major kahunas. And they're so UN-HPY...they're suing...)

Interviewed during last week's Visa Security Summit in Washington, D.C., Phillips acknowledges Heartland and other recent breaches, but uses them as an opportunity to support the PCI standard. "Let's remember we've had some bad breaches, but if we had not had PCI DSS, it would have been much worse," Phillips says. "As of today, I am confident that PCI DSS works."

Phillips' comments come one week after news that Visa had removed Heartland Payment Systems from its certified PCI-DSS Compliant Service Providers list.

Continue Reading at Bank Info Security

House Says Visa, MasterCard Are to Blame for Hacks

House says Visa, MasterCard are to blame for security hacks, card compromises

06 Apr 2009

Editor's Note: This obviously bodes well in Heartland's decision to defend their case vigorously. However, the first shovel of dirt may have already been thrown on Heartland's grave. Class action lawsuits by consumers, banks and shareholders mean a ginormous legal bill for HPY.

The fines will be a mere pittance compared to what they may have to pay out in these legal cases. Of course, with the government saying V/MC may be to blame, HPY's strategy may be to countersue. That might keep them alive, but they'd still be dead in the water because they'll make bitter enemies out of V/MC in a court case.

Visa is already making rumblings that Heartland may not have been in PCI compliance when the breach happened. This is shaping up to be one heck of a legal battle. We'll keep following the events as they develop. Keep your eyes tuned to the PIN Payments Blog for regular updates in this matter. - JBF

Forbes: In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, cybercriminals gained access to millions of consumers' credit card details, and those criminals have yet to be identified and punished. So in a hearing last week, the House of Representatives' Committee on Homeland Security turned its attention to the card networks, Visa and MasterCard, which are responsible for creating and enforcing the Payment Card Industry standards that failed to prevent those breaches. Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws — a potential crackdown that could require changes on the part of both retailers and financial services companies.

The Day the Mighty Case(Y Convenience over Security) Struck Out!

Wow. Americans ranked "financial security" as their top security fear!

So, to all those who continue to argue the "convenience" over "security" issue, it seems that "convenience" isn't such a good marketing ploy after all... is it? Hate to say I told you so! NOT!!! As I've stated all along, a "secure" software PIN Debit application (notice I didn't say "solution") is a Figment of the PIN-agination!

At the end of the day, perception rules, and if EFT Networks or Financial Institutions want to sell convenience over security, when financial security is Americans' biggest fear...then one might say they are barking up the wrong tree. I understand why they want software over hardware. It's more convenient! But according to this latest Unisys Security Index report, Americans aren't buying it.

So, let's review:
  • Convenience vs. Security. (Security Wins!)
  • Card Present Rates vs. Card Not Present Rates (CP rates [are] lower...and thus CP Wins over CNP.)
  • Hardware vs. Software (Software responsible for 92% of all breaches, Hardware, 1%) (Hardware Wins)

So, in three pitches, it looks like, with an 0-3 count, a software application for PIN Debit STRIKES OUT! Hope this "opens" some eyes to which company has the right pitch. (And which one is throwing the industry a curve, which has the screwball...and which...(never mind...I'll keep the knuckle comment in my head.) Batter Up!

Enjoy Opening Day!

From the Unisys Security Index:

Nearly 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud, according to the Unisys Security Index due to be released on Monday.

More than two-thirds surveyed said they are extremely or very concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.

Credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned. And 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.

More than 40 percent of respondents said they are extremely or very concerned about security related to viruses and unsolicited e-mail.

Overall, people are more worried about their financial security and less worried about national security than in previous surveys, according to the survey.

The survey of more than 1,000 respondents in the U.S. was conducted from February 20-22.

Pumping Up PIN Debit

Petroleum Equipment Forum

Visa is believed to be considering postponing or at least easing some of its costly new security deadlines for dispensers.

At issue is whether the credit card company will delay requirements that marketers adopt a new encryption standard for PIN numbers on debit, known as Triple DES.

Currently, marketers must install new encryption devices by July 1, 2010 if they want to continue accepting PIN debit at the pump under Visa's new Payment Card Industry (PCI) standards.

Some refiners believe that the current credit squeeze and equipment installation backlogs could lead Visa to push back the deadline by two years, to July 1, 2012.

Alternatively, Visa may opt to ease up on enforcement of a 2010 mandate, although majors consider that option less likely.

Visa is expected to make an announcement within the next month on which path, if either, it will take. Visa did not respond to a request for comment by press time.

"We're all waiting to hear what Visa will do," says a marketing exec with one major. "People just aren't in a position to get the money right now, even if they want to get loans to comply."

Some oil companies are trying to help marketers scare up funds to start complying with multiple new PCI requirements. Shell, for example, has launched a program that offers marketers the ability to claim up to $500 in co-op funds per site for new software, or a 1ct/gal payment spread over two years.

While majors say they would welcome any such move by Visa, some are concerned that a postponement might give marketers an excuse to procrastinate further on PCI compliance.

"Retailers must realize that there will still be other PCI rules that they'll have to follow, so they shouldn't use any postponement as an excuse to put things off for too long," says one official.

Some marketers have been toying with the idea of not accepting debit cards at the islands in order to shave their PCI costs.

The most-talked about idea involves disabling PIN debit at dispensers. That would mean that customers who use a check card that can be processed as a debit or credit card would be forced to push the "credit" button on the pump for the sale to go through. The driver using a pure debit card would not be able to pay at the pump at all, but would have to go into the store to pay for fuel.

Alternatively, some marketers wonder if it would be possible to accept PIN debit at just one dispenser, slapping a decal on the pump to warn customers that they can only use their debit card at that dispenser, as first reported (OE 03/23/09).

The National Assn. of Convenience Stores says it would welcome any move by Visa that would give c-store operators more time to make "a reasoned assessment" as to whether the costs of upgrading to the new encryption devices at dispensers are worth the investment to keep PIN debit at the island. It is "a hard decision given the rising costs of PIN-debit transactions," NACS spokesman Jeff Lenard said.

Visa Hit With Antitrust Case Again...This Time in Europe

Visa Europe Accused of Antitrust Violations by EU (Update2)
By John Rega

April 6 (Bloomberg) -- Visa Europe Ltd. was charged with anticompetitive behavior by European Union regulators over payment-card fees after failing to cut its levies as much as MasterCard Inc. did to settle a similar case last week.

The company’s fee guidelines prevent competition among Visa-issuing banks and drive up the costs for stores accepting credit cards, the European Commission said today in a statement.

Five days after settling with MasterCard, Competition Commissioner Neelie Kroes is seeking further fee reductions on the 1.6 trillion euros ($2.1 trillion) of annual card payments in the region. Visa Europe, the operator of the largest card network in the region, must convince the commission its arrangement benefits consumers.

“I’m just staggered by this on a point of principle,” Visa Europe Chief Executive Peter Ayliffe told reporters on a conference call, adding he was “disappointed” not to at least reach a settlement on fees for debit cards.

Ayliffe said his point of principle was that the commission compared the economics of Visa cards versus using cash, rather than other forms of credit.

“We’ve got quite a bit of evidence,” he said, that Visa’s card systems save money for consumers. He declined to specify numbers on the grounds that they will be the basis of his defense.

Payment Systems

Visa Europe, like MasterCard, also argues that transaction fees are necessary to defray the costs of payment systems that benefit consumers and the economy.

The European Retail Round Table, an advocacy group for retailers that includes Wal-Mart Stores Inc. and Carrefour SA, has complained that the fee at issue raises costs by 13.5 billion euros a year.

The so-called interchange fee is based on the card company’s guidelines. It’s paid by the retailer’s bank to the bank that issued the customer’s card. The terms of last week’s MasterCard settlement will reduce fee revenue by 2.6 billion euros, halving the profitability of issuing cards, the Lafferty Group research and consulting firm estimated.

MasterCard, in its settlement, cut its credit-card fees to 0.30 percent per transaction, from a range of 0.80 percent to 1.90 percent in 2007. Debit-card fees were reduced to 0.20 percent, from at least 0.40 percent and in some cases more than 0.75 percent. The commission said the changes will save consumers 200 million euros a year.

Credit-Card Fees

Visa Europe on March 11 cut its credit-card fees to an average of 0.61 percent, from 0.7 percent, while debit-card transaction costs fell to an average of 18 euro cents per transaction, from 28 cents.

The commission said Visa Europe also restricts competition by requiring retailers to take any card without adding a surcharge, and by setting a flat fee for merchants that doesn’t make a distinction between the types of cards used.

The agency has the power to force antitrust violators to change their practices and impose fines of as much as 10 percent of yearly sales.

Visa Europe separated from Visa Inc. before the U.S. card company’s initial public offering a year ago. The London-based company, which is owned by its member banks, has sought an agreement with the commission on interchange since a previous settlement expired at the end of 2007.

To contact the reporter on this story: John Rega in Brussels at
Last Updated: April 6, 2009 12:58 EDT

You Say You Want a Revolution II

Revolution Money gets $42 million from Goldman
07:35 AM EDT By Phil Wahba

NEW YORK (Reuters) - Revolution Money, an online payment firm backed by AOL co-founder Steve Case, said on Monday it has received funding of $42 million from a group that includes a Goldman Sachs (GS.N) affiliate and earlier investors Citigroup (C.N) and Morgan Stanley (MS.N).

Revolution Money, part of Washington-based Revolution LLC, competes with EBay Inc's (EBAY.O) PayPal service in peer to peer money transfers, and offers a credit card.

Editor's Note: Did you know that HomeATM provides TRUE peer to peer money transfers...i.e. you don't have to "load" a card with money in order to send money.

That's the problem I see all the time. Let's use the recently announced TwitPay as an example. In order to use "TwitPay" users must first "load" or "FUND" their TwitPay account, which is administered by Amazon. But why? What a PITA. In order to use a peer to peer money transfer program you first have to transfer money to an account that you'll use to transfer money? Sounds redundant. Am I alone, or do you perceive that as an extra unnecessary step as well?

We say: why "load or fund" a third party card when you can use the card you already know, the one you need in order to "load or fund" that "third party" card?

With HomeATM's money transfer program, it's simple. You use YOUR email and YOUR EXISTING bank card to do it. Therefore HomeATM eliminates the painstakingly unnecessary task of "using your bankcard" to "load another card."

How EZ is HomeATM's methodology? Just go to our site:, enter the email of the individual you'd like to send money to, pull out "your" existing bankcard (again, not a third party card, but "yours"), swipe it in our SafeTPIN device and enter your PIN. You're done!

The recipient gets an email, takes out "their bankcard," swipes it in their SafeTPIN device, enters "their" PIN and instantaneously...the money is moved from your account to their account in "REAL-TIME."

Nothing competes!  Anyway, back to the revolution...

The company will use the money to beef up its technology and help retailers promote the credit card, with a view to reaching 3 million retailers by 2011 despite tumbling U.S. retail sales, chairman Ted Leonsis told Reuters.

"We see more rapid adoption of our service as merchants fight in this economy for more margin from sales," said Leonsis, who owns the National Hockey League's Washington Capitals.

Revolution Money estimated its RevolutionCard credit card is accepted at about 650,000 locations in the United States including those of bookseller Barnes & Noble Inc (BKS.N), upscale grocer Whole Foods Market Inc (WFMI.O) and department store chain Nordstrom (JWN.N).

Leonsis said Revolution competes with PayPal by letting users transfer funds to one another for free, and with major credit card issuers, such as Visa Inc (V.N), MasterCard Inc (MA.N) and American Express Co (AXP.N), by offering competitive interchange fees for merchants.

Interchange fees are paid by merchants to a credit card company when a customer makes a purchase.

The new investment follows on a $50 million funding in 2007 from Citi, Morgan Stanley and Deutsche Bank (DBKGn.DE), Case and others.

Despite attracting these investments in a difficult capital market, Leonsis said Revolution Money would not consider an initial public offering or put itself up for sale before 2011.

"Right now, we are focused on the build-out of the platform, but at some point to really scale the business, we would have to go public," Leonsis said.

Still, Leonsis thinks the business will be large enough in two years to attract public investors or a possible acquirer.

(Reporting by Phil Wahba; editing by Mohammad Zargham)

WOW! Get a FREE HomeATM SafeTPIN! (including S&H)

Attention: PIN Payments Blog Readers! Get a FREE SafeTPIN PCI 2.0 PIN Entry Device!

In order to celebrate 2 years of painstaking engineering prowess, HomeATM CEO Ken Mages is presenting PIN Payments News Blog Readers with an "unprecedented" opportunity!

What do I have to do you ask?

Answer the poll, located on the sidebar to the right of this post, and...send your email and shipping address to and you will receive a FREE HomeATM SafeTPIN (including shipping, handling, processing etc.!)

Of course, we're not completely mad, so this is a limited time offer. 10 days or 2500 units...whichever occurs first.

So...partake in the poll, send me your email address (all emails will obviously be verified) and receive the world's only PCI 2.0 PED designed for use on the web (with online shopping, online banking, online authentication, Person 2 Person "real time" transactions, or even to simply send your money from one account to another!). Also works with Facebook, Twitter, cell phones, and as a standalone Point of Sale device...etc.

This is the SAFEST, MOST SECURE and OBVIOUSLY, THE LEAST EXPENSIVE way to protect your cardholder information.

The HomeATM SafeTPIN provides End-to-End Encryption, (including Track 2 Data) of your cardholder data and replicates a traditional retail store transaction...using a dually authenticated DUKPT process...previously unavailable to the general public. Oh...and did I mention it works with cell-phones? (Coming soon!!!...Blackberrys too!!!)

Remember, it's easy. Send me an email ( ...enter "Free SafeTPIN" in the Subject Line, and of course, your home address (where you want it sent to) and HomeATM will provide you and your family with our recently PCI 2.0 Certified PED for FREE. No catches. HomeATM pays for shipping, handling, insurance, and the processing of your order.

Oh...and to read more about HomeATM's recent PCI 2.0 PED Certification, click the related link below:
