Tuesday, May 26, 2009

BSMS Part Deaux!

It was nice that Javelin Strategy and Research took the time to write about HomeATM in their analysis of Finovate Startup09, but I'm a little confused about something they say in their report.  Maybe a reader might be able to clarify what they mean.  'Cause right now I've got kind of a BSMS (Both Sides of the Mouth Syndrome)...taste in my...well, for lack of a better word, "mouth."

Why do I say BSMS? Well, in the first portion of Javelin's analysis of HomeATM, they say that our Safe-T-PIN device provides (the more secure) card-present (vs. card-not-present) credit card transactions and the "even more secure" PIN Debit transactions.  Here's their quote:

"Launched in April 2009, P2P Safe-T-PIN offers home-based “card present” credit card and PIN debit transactions online using a PCI-certified device attached to a personal computer through a USB port.  Users also could make online purchases by swiping their credit card or debit card and PIN at checkout. The device allows for secure real-time money movement with an option for delayed transactions."

Then, after stating that, the next thing they say is:

"There is greater potential for HomeATM as a frequent high-value P2P solution such as a Western Union money transfer than for enabling e-commerce. Many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because of security concerns."

Therein lies my confusion.  First they state that our PCI-certified device allows for "Card Present" and "Online PIN Debit" transactions, along with the statement that our device "ALLOWS FOR SECURE REAL-TIME MONEY MOVEMENT," and then in their next breath they say that many consumers may be hesitant to use that very same PCI 2.0 Certified PIN Entry Device because of security concerns?

Did they possibly mean to imply that many consumers may be hesitant to swipe their ATM cards on hardware attached to their computer because they don't want "improved" security?  Someone help me out here!  I'm not being sarcastic.  I'm being serious.  Okay, I admit...I'm being "totally" sarcastic.

But there's good reason.  In fact, 117 good reasons.  You may have noticed when you first visited the blog, there was a popup that appeared asking if you would please partake in our survey (and I hope you have; if not, please do, just refresh the page and it should pop up again).  Well, I started the survey yesterday and already have 117 responses...and it doesn't appear to me that very "many consumers may be hesitant to swipe their ATM (or debit or credit) cards on hardware attached to their computer".  In fact, 117 said they would prefer to Swipe their Card and 117 said they would prefer NOT to Type in a Username/Password.  Thanks to those who have participated thus far!  There are only 5 questions; if you refresh, you can participate as well.

[Survey results image: two questions on whether individuals (who read this blog) would prefer to Type or Swipe their Card information at a merchant website or Online bank]

The analysis did go on to say that two of the "differentiators" enjoyed by HomeATM are that we provide "end-to-end encryption" and our device is PCI-certified, so I'm still left confused by what they meant about many consumers being hesitant because of security concerns...chime in!

HomeATM Differentiators:

  • A HomeATM Mobile device will also be available for mobile phones with Web access, allowing transactions on the go
  • PCI-certified device
  • Hardware-based end-to-end encryption
  • 100% acceptance with all bank cards

Editor's Note:  Plus our PCI 2.0 Certified PED also "encrypts" the Track 2 data and utilizes DUKPT key management as an additional layer of security.


EMV: Coming to a Town Near You?

In a very well-written article, Andy Williams, the Associate Editor for Avisian Publications, argues that EMV (also known as Chip and PIN) will eventually wind up in the United States.

When it happens, HomeATM is EMV ready.  Which leads me to ask an obvious (yet rhetorical) question.  If a consumer must insert their smart card into a smart card reader, then how in the world wide web could there possibly be a Chip and PIN solution with a software application?  Did you say it cannot be done?

Then congrats!  You're right...it couldn't and therefore wouldn't be done.  Segue: that fact falls directly in line with the fact that a PIN (online) Debit transaction cannot take place without swiping the card and obtaining the PIN Offset and PVV.  Thus, a software PIN Debit application, like a software Chip and PIN transaction, not only doesn't...it cannot exist.  (See: It Doesn't Exist...Figment of the PIN-agination, or Updated: Acculynk...Where's the PIN Offset? My Pet PVV)
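To make the PVV dependence concrete, here is an added example (not HomeATM's, Acculynk's or any network's code) of the publicly documented Visa PVV method on the issuer side: the issuer recomputes a 4-digit PIN Verification Value from the PAN, the PIN Verification Key Indicator (PVKI) and the entered PIN under its PIN Verification Key (PVK), and compares it with the PVV carried in the card's Track 2 discretionary data, which is exactly the value a swipe delivers. The function names, the sample PVK, the test PAN, the PVKI and the PIN below are all constructed for illustration.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample PVK (a double-length 3DES key), not a real issuer key.
var samplePVK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

// allDigits reports whether s contains only 0-9.
func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// tripleDESKey expands a 16-byte K1|K2 PVK to the K1|K2|K1 form crypto/des expects.
func tripleDESKey(pvk []byte) ([]byte, error) {
	if len(pvk) != 16 {
		return nil, fmt.Errorf("PVK must be a 16-byte double-length key, got %d", len(pvk))
	}
	return append(append([]byte{}, pvk...), pvk[:8]...), nil
}

// decimalize scans the 16 hex digits left to right, taking decimal digits
// first; if fewer than four are found it takes A-F and maps them to 0-5.
func decimalize(h string) string {
	out := make([]byte, 0, 4)
	for i := 0; i < len(h) && len(out) < 4; i++ {
		if h[i] >= '0' && h[i] <= '9' {
			out = append(out, h[i])
		}
	}
	for i := 0; i < len(h) && len(out) < 4; i++ {
		if h[i] >= 'A' && h[i] <= 'F' {
			out = append(out, h[i]-'A'+'0')
		}
	}
	return string(out)
}

// computePVV builds the TSP (11 rightmost PAN digits excluding the check digit,
// the 1-digit PVKI, the leftmost 4 PIN digits), 3DES-encrypts it under the PVK
// and decimalizes the ciphertext to the 4-digit PVV.
func computePVV(pvk []byte, pan, pvki, pin string) (string, error) {
	if !allDigits(pan) || len(pan) < 12 {
		return "", fmt.Errorf("PAN must be at least 12 digits")
	}
	if !allDigits(pvki) || len(pvki) != 1 {
		return "", fmt.Errorf("PVKI must be a single digit")
	}
	if !allDigits(pin) || len(pin) < 4 {
		return "", fmt.Errorf("PIN must be at least 4 digits")
	}
	body := pan[:len(pan)-1] // drop the Luhn check digit
	tsp := body[len(body)-11:] + pvki + pin[:4]
	src, err := hex.DecodeString(tsp)
	if err != nil {
		return "", err
	}
	key, err := tripleDESKey(pvk)
	if err != nil {
		return "", err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	dst := make([]byte, des.BlockSize)
	block.Encrypt(dst, src)
	return decimalize(strings.ToUpper(hex.EncodeToString(dst))), nil
}

// verifyPIN is the issuer-side check: recompute the PVV from the entered PIN and compare it in constant time with the Track 2 PVV.
func verifyPIN(pvk []byte, pan, pvki, trackPVV, pin string) bool {
	pvv, err := computePVV(pvk, pan, pvki, pin)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(pvv), []byte(trackPVV)) == 1
}

func main() {
	// Constructed sample values: a well-known test PAN, PVKI 1, PIN 1234.
	pan, pvki, pin := "4111111111111111", "1", "1234"
	pvv, err := computePVV(samplePVK, pan, pvki, pin)
	if err != nil {
		panic(err)
	}
	fmt.Println("PVV stored on Track 2:", pvv)
	fmt.Println("correct PIN accepted:", verifyPIN(samplePVK, pan, pvki, pvv, pin))
}
```

Without the Track 2 PVV (and the issuer's PVK, which never leaves the host HSM) there is nothing for a browser form to verify the PIN against, which is the point the post is making.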

Here's the article:

EMV takes aim at U.S.

Tuesday, May 26, 2009 in Library
Technology may be a solution to domestic payment card fraud

Like a massive tidal wave, EMV continues to roll across the world, changing the global payments landscape. Since UK banks first committed to EMV five years ago, more than 100 countries have taken the plunge in efforts to stem credit card fraud.

But the U.S. has always remained outside the EMV plan. This, however, may be changing as fraud, technology and business are changing the payments landscape.

Brian Byrne, head of product technology for standards and specifications at Visa, estimates there are some 730 million EMV cards and 10 million terminals in existence around the world.

Toni Merschen, group head of chip at MasterCard Worldwide, notes that the Single European Payments Area initiative requires 38 countries to complete the migration to EMV by Jan. 1, 2011.

EMV gets its name from the companies which originally created it, Europay, MasterCard and Visa. Seven years ago Europay merged with MasterCard and the new standards body was renamed EMVCo. Its members now include Visa, MasterCard, Japan-based JCB and its newest member, American Express.

EMVCo’s primary goal “is to facilitate global interoperability and compatibility of chip-based payment cards and acceptance devices through deployment of relevant EMV Specifications,” says an EMVCo spokesperson.

EMV also goes by “chip and PIN,” because the card contains a chip and a PIN is required before a transaction is processed. But nowadays, that chip and PIN moniker may be misleading. As Byrne points out, many countries are foregoing the PIN part of EMV implementation, the predominant reason being that many consumers don’t want to remember a PIN.

The country most advanced towards EMV implementation is the UK; the banks there were the first to adopt chip and PIN, says Merschen. Other markets that have reached maturity for EMV migration on either cards, point-of-sale devices and ATMs include France and Turkey in Europe and Malaysia in the Asia-Pacific region, he adds.

The migration isn’t easy. Merschen says a number of infrastructure changes are required to handle EMV. “For issuers, there are new data elements that need to be supported by the issuer authorization and clearing host systems. Card data preparation, including key management, and card personalization also require hardware and software upgrades,” Merschen says. “On the acquiring side, the impacts are similar. Acquirer host systems must be able to receive new data fields from terminals, which also need to be upgraded from both a hardware and software perspective.”

Glitches all but resolved

In the early days of EMV there were issues, Merschen says, such as a shortage of approved products, lack of customer and vendor expertise with EMV and areas where the specifications left implementation options.

That was then. These issues from the early days of EMV have largely been resolved, says Merschen. “Robust migration processes are available to guide the banks, merchants, and consumers in their migration involvement,” he adds.

Visa’s Byrne describes the early road bumps as minor. “This card issued in country A was having some acceptance problems in country B. In some cases, some of the older terminals wouldn’t work properly, but that was usually due to configuration issues, fairly minor stuff.”

EMV in the U.S.?

So with the U.S. sandwiched between two EMV countries–Mexico and Canada–most think it’s only a matter of time before the U.S. joins the EMV parade.

Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.

In an article in the spring 2009 issue of Regarding ID magazine, Beverly wrote: “The rest of the world is well on the way to EMV implementation. Europe and Asia have long been issuing cards and … Latin America, faced with exploding credit card skimming fraud, is fully committed to EMV smart cards. .. Yet stakeholders in the United States still find fraud losses and identity theft risks acceptable. It is disappointing that U.S. companies are trailing the rest of the world in this area.”

Charles Walton, executive vice president for payments for INSIDE Contactless, believes that the U.S. will ultimately get on board with the secure cards. “We’re seeing inherent insecurities in the system, such as the Heartland Payment Systems hack. It’s only a matter of time before these types of hacks will become intolerable.”

Walton says hackers will look at the weakest point in the payment chain and exploit it. “If you start securing one point in the chain, it begins to expose the other points; the path of least resistance for water will find the lowest point.”

MasterCard’s Merschen says that these fraud migration and data compromise incidents, plus the possibility of government regulation, will lead several U.S. banks to consider EMV.

The handwriting is on the wall, so to speak. “It’s inevitable that the U.S. migrate to EMV, primarily because fraud is escalating,” adds Randy Vanderhoof, executive director of the Smart Card Alliance. “Major financial institutions in the U.S. are also international so it will not be a big step for them to issue these cards in the U.S.”

Contactless and EMV

At first blush it would seem that contactless and EMV would be working toward opposite purposes, but Walton says EMV can run on top of contactless. “I would think of EMV as a security protocol that works with contactless as well as contact chips.”

Visa is using EMV specs in its contactless payWave technology, Byrne says. “The way we’re deploying contactless in the U.S. is using EMV specs,” says Byrne. “It’s based on EMV technology making use of strong security elements baked into EMV. These new cards will not only be accepted in readers in the U.S. but also in the UK.”

The next generation of contactless cards will be a step toward EMV, says Vanderhoof. For example, MasterCard terminals certified for contactless also carry elemental portions of EMV. “We’re seeing these gradual upgrades of the infrastructure to support it,” he says.

Vanderhoof says these new rules for EMV contactless are different than those for EMV contact cards. Purchases under about $25 can be a contactless transaction in the UK, just like in the U.S. “Just tap it and go, no PIN or signature. After a certain number of transactions you might be required to enter your PIN.”

EMV vs. contactless overseas

While EMV and contactless will have to coexist in the U.S., it’s not that simple where there’s already an EMV infrastructure in place. “Europeans have a lot invested in EMV,” says Urs A. Lampe, vice president, product marketing and new business for contactless smart card provider LEGIC Identsystems, in Switzerland. “Now contactless is happening and the EMV installed base is all on contact, so you’ll probably see some swapping out of terminals in the next few years.”

Or they could opt for integrated contactless readers or readers that are configured to accept contactless peripherals, adds Byrne.

Another solution is dual interface products in which a single chip can communicate in contact or contactless mode. INSIDE will bring the Micropass 6002, a dual interface chip, to market in the fourth quarter of this year, Walton says.

Merschen adds that a number of markets, such as Canada, the UK, France, Malaysia and Taiwan, have already embraced dual interface solutions, running both EMV contact and contactless transactions using one single chip. “Some banks have clearly stated that contactless will be a standard feature for many of their portfolios,” he says.

Canada, Walton says, is an interesting market because 10 million contactless chip cards have been deployed. He projects that by the end of the year, dual-interface cards will make an appearance there. “We’ll be seeing use of chip-based cards in the U.S. for security reasons. The buildup of EMV in Canada will tend to cause fraud to migrate to the U.S.,” he adds.

But there’s no getting around that the purposes of EMV and contactless can be at odds. “EMV certainly brings about much more security and flexibility to today’s mag-stripe cards,” Merschen says. “While contactless brings transaction speed and cardholder convenience.”

In the U.S. it may come down to a question of speed versus security. As retailers transition to newer payment terminals it will be up to the card issuers on whether or not to deploy EMV and put a safeguard in place to help stem the tidal wave of payment card fraud.

EMV definitely works, but…

Latest card fraud losses reported by APACS, the UK payments association, show EMV does work, but it’s not a cure-all. Certain types of credit card fraud will require other measures.

While 2008 fraud loss figures totaled about U.S. $902.5 million, the two main areas of fraud were on transactions not protected by chip and PIN: Internet, phone and mail order fraud, and fraud abroad committed by criminals using stolen UK card details in countries yet to upgrade to EMV.

This second fraud type has nearly doubled in two years, providing more ammunition to those pushing the U.S. to become EMV compliant.

Phone, Internet and mail order fraud (card not present) accounted for more than half of those losses at U.S. $485.9 million, just a 13% increase over 2007 losses but double the losses suffered in 2004.

Counterfeit card fraud increased 18%, to about U.S. $250 million. But that’s down from the 46% increase reported in 2007. The vast majority of this fraud is due to criminals stealing card details in the UK to make counterfeit magnetic stripe cards for use in countries yet to upgrade to chip and PIN, says APACS.

“The industry continues to apply pressure on those countries, such as the U.S., where chip and PIN has still to be rolled out,” the APACS report adds. “Increasingly effective use of intelligence systems and the ongoing global rollout of chip and PIN have contributed to this slowdown.”

Although card fraud losses have increased, losses as a percentage of plastic card turnover amounted to just 0.12% in 2008, equaling about a tenth of a penny lost to fraud in every dollar spent. This, too, reflects EMV’s “positive effects as well as the fact that we continue to use our cards more and more each year,” says APACS.

As to card not present losses, that can happen with or without EMV. More retailers, APACS notes, need to encourage cardholder and retailer use of the secure codes found on the back of most credit cards.

However, one area where EMV is still vulnerable is with ID theft. Card ID theft losses have increased by 39% where criminals take over the running of another person’s credit or debit card. This fraud typically involves a criminal obtaining a genuine card and a genuine PIN, and has contributed to the fraud increases seen at UK shops and cash machines, APACS says.


Discover Small Business Watch Shows Drop in Economic Confidence

Discover® Small Business WatchSM:

Small Business Economic Confidence Drops Sharply after 3-Month Climb

Cash Flow Issues Increase; Spending on Business Development Decreases

Many Small Business Owners Putting in More Hours and Canceling or Postponing Vacations

RIVERWOODS, Ill.--(BUSINESS WIRE)--After reaching its highest level in 14 months, the economic confidence among small business owners fell in May as owners reported cash flow concerns and expect to cut back on business development spending, according to the latest Discover® Small Business WatchSM.

The monthly index dropped more than 10 points to 78.1, down from 88.5 in April. The Watch also recorded significant drops in the numbers of small business owners who think the overall economy is getting better, and number of owners who thought economic conditions were improving for their own businesses.

“We saw cash flow problems jump this month to their highest level in 2½ years, which is certainly not going to boost the optimism of a small business owner, especially in this economic climate,” said Ryan Scully, director of Discover's business credit card. “However, for the past three months we’ve been recording our highest confidence levels since summer of 2008, so all is not lost.”

May Highlights:
  • 49 percent of small business owners say they have experienced
    temporary cash flow issues in the past 90 days, up 10 percentage
    points from April. That’s the highest percentage in that category
    since the Watch started in August 2006.
  • Nearly half of small business owners, or 48 percent, see economic
    conditions for their businesses getting worse, up from 40 percent in
    April; 24 percent see conditions improving, down from 32 percent last
    month; and 23 percent say conditions are the same; 4 percent were not
  • 60 percent of small business operators rate the economy as poor, up
    from 54 percent in April. Only 7 percent rate the economy as excellent
    or good, and 32 percent called it fair.
  • 57 percent believe the economy is getting worse, up from 51 percent in
    April, while 23 percent believe it’s getting better, down from 31
    percent in April; 16 percent say it’s staying the same; and 4 percent
    weren’t sure.
  • 53 percent of small business owners say they plan to decrease spending
    on business development over the next six months, an increase over the
    46 percent in April who said the same. Twenty-two percent plan to
    increase spending, which is largely unchanged from 21 percent in
    April; while the number of owners who were not planning any changes in
    spending dropped from 30 percent in April to 23 percent in May.
POLL: Small Business Owners Continue to Toil Harder Than Most Americans, Even More During Tough Economic Times

As documented in previous Watch surveys, American small business owners report working more hours, more days and more holidays than their general public counterparts, and during the past year, that gap has widened. While the amount of days and hours on the job for the average American have been relatively flat since 2007, the number of small business owners who work more than 10 hours a day jumped from 30 percent in 2008 to 39 percent in 2009. In comparison, only 20 percent of average workers make the same claim.

When it comes to days worked per week, 61 percent of small business owners said they work six or more, up from 45 percent in 2008 and 43 percent in 2007. Comparatively, only 22 percent of workers in the general population say they work more than five days a week. “The economy has obviously been a factor for small business owners caught in the slowdown; they’re grinding out more hours serving existing customers and likely putting in more time looking for new business,” Scully said.

More Work Survey Results:

  • Given their heavy work schedules, small business owners are finding
    less time for vacation than in years past. Today, only 29 percent say
    they have taken a vacation in the past year that lasted a week, down
    from 40 percent in May 2008 and 41 percent in May 2007. Thirty percent
    say it’s been four years or more since they had a vacation that lasted
    a week, up from 23 percent in both 2008 and 2007.
  • 56 percent of small business owners say that the economy has caused
    them to postpone or cancel vacation time this summer, compared to 45
    percent of the general population who said the same.
  • 27 percent of small business owners define a day off as not working at
    all, followed by 37 percent who say a day off means not actively
    working, but available for calls and e-mails; 25 percent define it as
    working an hour here and there; 7 percent said it’s working all day,
    but from a remote location; and 3 percent weren’t sure how they would
    define a day off. In the general population, 54 percent of people
    define a day off as not working at all.
  • 57 percent of small business owners say they always or most of the
    time work on holidays, up from 47 percent in 2008.
  • 31 percent of the general public says they always or most of the time
    work on holidays, up from 29 percent in 2008.
  • The spouses of small business owners haven’t changed their opinions
    much since 2007 on whether they approve of checking work e-mail when
    away: 56 percent approve, 19 percent disapprove and 24 percent aren’t
  • Spouses in the general public seem to be getting much more used to the
    idea of checking work e-mail when off: In 2007, only 21 percent of
    spouses approved of the practice, while 74 percent disapproved and 5
    percent weren’t sure. This year, 39 percent of spouses approve, 22
    percent disapprove and 39 percent aren’t sure.
The views and opinions expressed by small business owners and consumers who participate in the Small Business Watch survey are their own and do not necessarily reflect those of Discover Financial Services or its affiliates.

About the Small Business Watch

The Discover Small Business Watch is a monthly index measuring the relative economic confidence of U.S. small business owners who have less than five employees, a segment that consists of 22 million businesses producing more than a trillion dollars in annual receipts. The Watch is based on a national random survey of 750 small business owners. It is commissioned by the Discover Business Card, which strives to offer the best business credit card for American small businesses, and is conducted by Rasmussen Reports, LLC (www.rasmussenreports.com), an independent survey research firm. The numeric index is calculated by assigning values to responses to a set of six consistent questions. The base value of the Watch was established at 100.0 based on surveys conducted in August 2006. In addition to generating the index, the Small Business Watch surveys small business owners every month on key issues, and polls 3,000 consumers four times per year to gauge purchasing behavior and attitudes towards small businesses. For past results and survey data, visit www.discovercard.com/business/watch.

For information on Discover Business Card, visit www.discovercard.com/business.

About Discover Financial Services

Discover Financial Services (NYSE: DFS) is a leading credit card issuer and electronic payment services company with one of the most recognized brands in U.S. financial services. Since its inception in 1986, the company has become one of the largest card issuers in the United States. The company operates the Discover Card, America's cash rewards pioneer, and offers student and personal loans, as well as savings products such as certificates of deposit and money market accounts. Its payments businesses consist of the Discover Network, with millions of merchant and cash access locations; PULSE, one of the nation's leading ATM/debit networks; and Diners Club International, a global payments network with acceptance in 185 countries and territories. For more information, visit www.discoverfinancial.com.


Trustwave Sounds Alarm

Trustwave raises alarm, advises hospitality sector

In response to a growing number of data security breaches in the hospitality industry, information and security compliance firm Trustwave issued an alert to help hotels and restaurants identify and address security weaknesses.

Colin Sheppard, Forensic Practice Manager for Trustwave, said much of the problem involves the multichannel acceptance of payments. Channels of acceptance include MO/TO, card-present, point-of-service transactions and card-not-present payments done via the Internet.

According to Sheppard, when a guest books a hotel room online for a property that is part of a hotel chain, a link is formed between the chain's enterprise-wide, online reservation system and the individual hotel being booked; perhaps a central corporate headquarters will have remote access to the data as well. But weak links in the system can be infiltrated by fraudsters.

Regardless of the method of attack, such as key logging, skimming or sniffing, "if the attacker is able to gain access to a specific property, and there's deficiency in their security, there's the potential to exploit that link back to possibly another property," Sheppard said. (Translation: Security is only as strong as the weakest link)

He also cited noncompliant or improperly configured payment applications as a major weakness that can increase the risk of data breaches. "In many cases, that includes the use of vendor default passwords," he said.

Third-party peril

Michelle Genser, Corporate Communications Manager for Trustwave, added that businesses without internal information technology resources have third-party vendors set up their hardware and software security systems. Hospitality companies, such as resorts, bed and breakfasts and motels, that do not employ security experts trust third-party vendors to correctly install and manage the right security systems for their businesses, she said.

Even if companies are certified Payment Card Industry (PCI) Data Security Standard (DSS) compliant and are following the PCI's best practices today, if their security vendors hire new employees who disregard best practices tomorrow, businesses that rely on those vendors can be noncompliant and vulnerable to breaches.

Laurence Barron, Vice President and Chief Information Officer for the American Hotel and Lodging Association and Member of the PCI Security Standards Council, said when breaches occur, the business entities breached are liable, not the third-party security vendors that may have been the actual problem.

"The properties need to be aware of the potential liability [and] make sure that third parties are compliant, make sure they have conformed to PCI regulated scans, make sure that the companies they get actually do follow best practices," Barron said. "The [entity] that's ultimately liable, and a lot of people miss this, is the place that actually takes the credit card. I've had different hotels say, 'Well I called my company. They said they're compliant, so I'm good.'"

Sheppard also noted that many location managers are under the impression that maintaining data security compliance is handled on a corporate level. "But they need to focus on security themselves and not assume that those systems are secure," he said.

Barron believes that "at some point legislation is going to have to be acted on or the [card brands] are going to have to say, 'If you take a credit card, you must be compliant, you must conform.'" He noted that many business owners still believe security breaches can't or won't happen to them, with the additional problem being smaller operations often don't want to spend money on compliance.

Call to action

In its alert issued May 14, 2009, and entitled Security Alert for Businesses in the Hotel, Motel and Lodging Industries, Trustwave offered eight actions that should be taken immediately by hospitality companies to reduce their security risks and better protect the financial and personal data of their clientele.

  1. Establish firewalls that properly filter incoming and outgoing data traffic
  2. Upgrade to Payment Application- (PA) DSS-validated applications and ensure they are configured in accordance with the PCI DSS
  3. Periodically reboot payment systems to deactivate hidden viruses
  4. Enforce strong username/password policies for system access
  5. Properly secure remote access applications
  6. Review system activity logs daily
  7. Disable Windows file sharing if not required (if required, grant access to shared folders only to specific user accounts secured with strong passwords)
  8. Ensure anti-virus/anti-malware software is installed and updated consistently

Access point vulnerability

Trustwave analyzed the cause of breaches it had investigated. The Chicago-based global security firm found that over half of the problems originated in third-party access to businesses' electronic payment systems.

To limit the possibility of weaknesses resulting from third-party access to data, Trustwave wrote a white paper entitled Protecting Cardholder Data for Hospitality Businesses Accepting Payment Cards through Multiple Channels: Hotels, Motels and Lodging. It suggests businesses observe the following best practices:

  • Choose compliant service providers recommended by Visa Inc. or MasterCard Worldwide
  • Use PA DSS-compliant payment applications
  • Require PCI DSS compliance in contracts with third parties handling cardholder data
  • Maintain strict policies and procedures for remote access to networks

"It's the hospitality industry today, but obviously we have many other businesses that follow that model," Sheppard said. For example, grocery store chains commonly use payment gateways to aggregate all card data from individual stores within the franchise to central data storage locations. He stressed that these franchise models are a target because, once attackers break into a system, they hop from one franchise location to the next to steal card data.

According to Genser, Trustwave expects the number of breached hospitality businesses to increase. She indicated that hotel owners often switch hotel brands. "If they switch brands with a compromised network, it can infect other brands and their respective networks. Due to a lack of data security resources, many hotel owners or operators are unaware that they have fallen victim to a security breach."

The alert and the white paper can be obtained from Trustwave's Web site at www.trustwave.com. In June 2009, the company will present a webinar on the subject of data security in the hospitality industry.


Merrick Sues Over CardSystems

Source: Finextra
Complete item: http://www.finextra.com/fullstory.asp?id=20067

Merrick Bank has launched a multi-million dollar lawsuit against Savvis, accusing the vendor of erroneously telling it that CardSystems Solutions complied with Visa and MasterCard security regulations less than a year before the payment processor's systems were hacked, compromising up to 40 million credit card accounts.

Atlanta-based CardSystems - now owned by Pay By Touch - (actually, I believe Planet Payment bought Pay By Touch's portfolio, which included the former CardSystems) - identified a security incident in May 2005 that exposed more than 40 million credit cards to hackers.

The following year the company agreed to settle federal charges that it failed to protect the financial data of millions of consumers. The US Federal Trade Commission (FTC) said the breach "led to millions of dollars in fraudulent purchases".

The FTC concluded CardSystems created unnecessary risks to the information by storing it and failed to ensure that its network was secure from attacks.

Merrick, which is an acquiring bank for around 125,000 merchants, has now filed a federal complaint claiming the breach cost it around $16 million in payments to Visa and MasterCard for using a processor that did not meet their standards as well as payouts to affected banks and legal fees.

Before the breach Merrick agreed to use CardSystems for processor and independent sales services if it proved compliance with Visa and MasterCard security requirements.

The processor asked Savvis to assess and certify its compliance and got the all clear, and consequently the Merrick contract.

Less than a year later the security breach occurred. Merrick says hackers were able to get hold of the data because CardSystems kept unencrypted card information on its servers - in contravention of the regulations for which Savvis certified it.



Center for Internet Security Issues Free Security Metrics


Global coalition of enterprises, government, and vendors looks to its vendor members to automate collection of new metrics in their products

By Kelly Jackson Higgins |DarkReading

The Center for Internet Security last Wednesday issued a set of free metrics for organizations to use in measuring their security postures.

CIS, a coalition of enterprises, government agencies, universities, and vendors from around the world, in September provided an overview of the user-driven metrics project. The organization now has published a series of metrics for organizations to measure their key security operations -- incident management, vulnerability management, patch management, application security, configuration management, and financial metrics.

Continue Dark Reading

Here's more information: 

The Security Configuration Benchmarks below are distributed free of charge to propagate their worldwide use and adoption as user originated, de facto standards.

The CIS Benchmarks are the ONLY consensus best practice security configuration standards both developed and accepted by government, business, industry, and academia.

The Benchmarks are:

  • Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
  • Unique, because the recommendations are defined via consensus among hundreds of security professionals worldwide;
  • Downloaded approximately 1 million times per year;
  • Distributed freely by CIS in .PDF format (some are available to CIS Members only in XML format via the CIS Members web site);
  • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard against which to compare them.
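A benchmark in the sense described above is a list of technical control rules/values: a configuration directive and the value it is expected to hold. The following added example (my own illustration, not CIS code, and not drawn from any published CIS Benchmark) shows the mechanics of such a check: it parses a constructed sshd_config-style file and compares each directive against an assumed rule set. The three rules, the rationale strings and the sample file are all assumptions made up for the example.

```python
"""Minimal benchmark-style configuration checker (added illustration).

NOT CIS code. The rules below are assumed examples chosen to show how a
hardening benchmark expresses a control as a rule/value pair and how a
checker reports pass/fail against a parsed configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    key: str        # configuration directive name
    expected: str   # value the control requires
    rationale: str  # why the control matters (assumed wording)


# Assumed illustrative rules; they are not taken from any CIS Benchmark.
RULES: List[Rule] = [
    Rule("PermitRootLogin", "no", "direct root logins defeat per-user accountability"),
    Rule("PasswordAuthentication", "no", "key-based logins resist password guessing"),
    Rule("X11Forwarding", "no", "unused forwarding is extra attack surface"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines into a dict keyed by lower-cased directive.

    Blank lines and lines starting with '#' are skipped. When a directive
    appears more than once the FIRST occurrence wins, mirroring sshd's
    first-match semantics, so a hardening line appended at the end of the
    file would not actually take effect.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive without a value: nothing to compare
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(settings: Dict[str, str], rules: List[Rule] = RULES) -> List[dict]:
    """Return one result per rule. A directive that is absent from the file is
    reported as a failure: the checker does not assume the daemon's compiled-in
    default, because a real benchmark check must state that default explicitly."""
    results = []
    for rule in rules:
        actual: Optional[str] = settings.get(rule.key.lower())
        passed = actual is not None and actual.lower() == rule.expected.lower()
        results.append({"rule": rule.key, "expected": rule.expected,
                        "actual": actual, "passed": passed})
    return results


def score(results: List[dict]) -> tuple:
    """(rules passed, rules total) for a simple compliance summary."""
    return sum(1 for r in results if r["passed"]), len(results)


# Constructed sample input; not a real host's configuration.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    results = evaluate(parse_config(SAMPLE_CONFIG))
    for r in results:
        state = "PASS" if r["passed"] else "FAIL"
        print(f"{state} {r['rule']}: expected {r['expected']!r}, found {r['actual']!r}")
    print("score: %d/%d" % score(results))
```

Note the second `PermitRootLogin` line in the sample: it is ignored because the first occurrence wins, so the check correctly fails that rule, and the missing `X11Forwarding` directive fails as well rather than being silently credited with a default.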

For more information about the benchmarks and tools:


The Dawning of the Biometric Age


Editor's Note:  The Dawning?  It just dawned on me that maybe we were a little early with Pay By Touch when we came out with it in 2002. 

Say goodbye to PINs and photo IDs. Say hello to digital fingerprints (actually they are finger scans, not prints) and iris scans (see)...and to new opportunities for security businesses

By Ellen Gibson
In baby steps and giant leaps, the world is moving further into digital identification and biometrics. The new technology raises concerns about privacy, of course, as well as opportunities for security companies.

The latest to join the migration: Switzerland. On May 17, Swiss voters narrowly approved a government plan to switch over to electronic passports, tied to a national fingerprint registry. The new passport will contain a microchip that stores personal data, a digital photo, and two fingerprints. At border crossings or airport checkpoints, travelers would have their fingerprints scanned and digital photos taken to make sure they match info in their e-passports.

Switzerland is actually behind much of Europe. Every nation in the European Union must institute fingerprint-enabled e-passports by next summer. Germany, France, and the Netherlands have already started issuing them.

Unhindered Trip

Some locales are testing more advanced systems. For instance, at Manchester Airport in Britain, where facial-recognition devices have been installed in security gates, passengers with optional e-passports can bypass long lines and stroll right through. While travelers enjoy the unhindered trip through the airport, boosters say e-passports enable the government easily and swiftly to check anyone entering the country against international watchlists.

The digitization of personal information is a boon to companies in biometrics, or technology that can identify people based on unique physiological traits, such as fingerprints, (the media will never learn...once again, it always was, and always will be finger scans!)  DNA or even a person's gait or blood-vessel patterns. There are countless applications for biometrics—in border control, medical records, computing, and commercial transactions—and many experts predict it won't be long before such scans are part of everyday lives.

Continue Reading at BusinessWeek


MasterCard and Visa Warn on Payments Regulation in Canada

Visa, MasterCard warn on payments regulation

MasterCard and Visa last week presented themselves as champions of the consumer who would be hurt by "price controls" if the federal government acts on a plea by merchant groups to regulate Canada's $500-billion electronic payments system.

But MPs from all political parties weren't buying their argument.

Kevin Stanton, MasterCard Canada president, painted a dismal picture for consumers if government acts on the pitch from the coalition representing 250,000 businesses in retail, grocery, restaurant, hotel and independent sectors. He cited Australia's 2003 decision: "Prices didn't come down, but rewards and benefits went down. The interest rates went up, fees went up and there was reduced competition."

Continue Reading


Coordinated Cybercrime Defense Needed - ITU

ITU head calls for coordinated cybercrime response

Published: 26-May-2009 | By Kevin White | CBR

Exclusive interview with Secretary General of the UN’s ITU

New proposals published by the UN’s International Telecommunication Union could help harmonise global cybersecurity legislation, with the body’s chief Dr Hamadoun Touré insisting it is vital that countries cooperate in a coordinated fight against cyber threats, cybercrime and other misuses of IT.

In an exclusive interview with CBR, Secretary General Touré said the level of international cooperation being demonstrated through the ITU showed how it is possible to formulate a response to cyber terrorism which is truly global.

Continue Reading


  • The threats are real. The sustained attack on Estonia in 2007 highlighted the real dangers of cyber terrorism and demonstrated that the more wired a country is, the more vulnerable it becomes.
  • More recently, Canadian researchers at the Munk Center for International Studies at Toronto University reported the existence of a huge ‘GhostNet’ phishing network that successfully infiltrated at least 1,295 computers in government offices of 103 countries.
  • The line from the ITU is that unless governments and business leaders recognize the dangers and begin to work together to combat cyber crime and cyber terrorists, then the consequences could be catastrophic.
  • Large enterprises are to some degree better placed to protect themselves, but the ITU reckons 85% of businesses are vulnerable.

Mobile Banking Hits Mainstream in 2009 - TowerGroup

Exhibit Title: US Mobile Device Subscribers (2008–13) (TowerGroup chart; image not reproduced here)

Credit Scam with a Twist

Source: UPI

KANSAS CITY, Mo., May 25 (UPI) -- U.S. fraud investigators say they're finding new schemes to improve bad credit histories so lenders will approve mortgages or lines of credit, The Kansas City (Mo.) Star reported Monday.

Prosecutors in Kansas City allege some listings on the Web site Craigslist recently offered to "rent" a credit history dating to 1999 on a Chase Visa card with a low balance and a $55,000 limit. Similar scams discovered in other states threaten to further undermine the already shaky credit industry and the nation's economy, Assistant U.S. Attorney Linda Marshall said. "As we've seen in recent years, what hits the lenders hits all of us," Marshall said.

It's estimated that 19 of the largest U.S. banks could absorb $82 billion in credit card losses by the end of 2010, the Star reported.

Online Retailers See "Friendly Fraud" Rise Sharply

Source: Wall Street Journal
Businesses Get Tougher on 'Friendly' Fraud - WSJ.com

Online merchants are fighting a surge in so-called friendly fraud, as more consumers try to get out of paying for their Internet purchases in the recession. 

Online jeweler Ice.com Inc. and travel site Expedia Inc. are among companies seeing at least 50% spikes from October in friendly fraud, a term used to describe when a consumer disputes an online charge but doesn't return the item or has already used the product. 

(Editor's Note:  I think they should come up with a better name for it than friendly fraud.  Maybe something like theft?)

Common scenarios include consumers falsely claiming they never received a product or they received the wrong item. Other consumers deny they ever authorized the charge and refuse to pay...

Continue Reading at WSJ (subscription required)

Editor's Note II: For those of you not familiar with the process, when a chargeback does occur, regardless of what the merchant did to verify the transaction, the merchant will always be responsible.

Some Merchant Service Providers will tell the unfortunate merchant that if you receive an AVS match, you are fine; but in fact, that’s not true.

The challenge with “friendly fraud” is simply that there is no way to verify the authenticity of the transaction. While the transaction itself was legitimate, it is the consumer who isn't, and it becomes a he said/she said scenario. While “technically” the consumers themselves are committing fraud in this case, law enforcement feels that successfully prosecuting these crimes would be too expensive.

However...there is a way to "prevent" friendly fraud.  Insist that your customers use a HomeATM PCI 2.0 Certified PIN Entry Device.  Hard to say: "It Wasn't Me"  when a PIN is involved...which is why PIN based transactions have virtually ZERO chargebacks.  As an added benefit, our device would get rid of "unfriendly fraud" too!  Oh, AND lower your interchange rates to "card present" and TRUE PIN Debit rates.  What is TRUE PIN Debit?  See the "related article" below.



Search for Kumo and Bing Shows Up

Microsoft is planning to unveil a new internet search engine next week, to catch up with the search engine leaders Google and Yahoo, reported the Wall Street Journal.

The new search engine, code named Kumo, is expected to minimize the amount of time spent clicking around web pages by better organizing the information being searched for. Kumo has been undergoing testing by the company's employees. The report said that the search engine will group results of a search into smaller clusters, cutting down on the time needed for web searches.

The Wall Street Journal also reported that Microsoft might consider using Yahoo's search engine and working together on advertising. It reported that Microsoft is expected to show off the search engine at the All Things Digital conference in Carlsbad, CA.

Microsoft has been testing its search engine under the name Kumo, but if a report in Advertising Age is on target, it will launch under the name "Bing."

The advertising trade magazine says Microsoft will spend $80 million to $100 million on print, online, TV and outdoor ads touting its latest search effort. The magazine notes that figure is higher than most consumer product launches. Rival Google, meanwhile, spent just $25 million total on advertising last year, AdAge said.

Research firm ComScore said that 64.2% of the searches conducted by Americans last month were at Google sites, up from 63.7% in March. Yahoo's share slipped slightly to 20.4% while Microsoft was down to 8.2%.
