Thursday, July 16, 2009

Top 10 PIN Debit Networks

Rhetorical Question of the Day: Are Web Applications a Security Concern?

Are Web Applications a Security Concern?

Editor's Note: Here's an excerpt from an excellent article in today's New York Law Journal. I think it adequately explains "today's" risks inherent in transacting on the web. That said, I'm more worried about tomorrow than I am about today. After all, yesterday "https:// was safe, SSL was safer and EV SSL was safest." Not today. Click any graph to enlarge... JBF

by Richard Raysman and Peter Brown
New York Law Journal - July 16, 2009

...Several high-profile computer hackers have recently been indicted or face prison time as a result of their unlawful activities. For example, a hacker named "Max Vision," who stole almost 2 million credit card numbers from financial institutions, merchants and other hackers, recently pleaded guilty to federal wire fraud charges and is awaiting sentencing. In another matter, a 19-year-old blind hacker was sentenced to 135 months in prison for unauthorized access to telecommunication company information, among other crimes.[FOOTNOTE 1]

Also, in ongoing proceedings, an accused British hacker, who allegedly accessed data on NASA computers, is seeking judicial review of a prior order permitting his extradition to the United States, arguing he should not be held criminally responsible because he is a sufferer of Asperger's syndrome.[FOOTNOTE 2]

Facing concerns similar to those of operators of government networks, private companies with external Web sites can be susceptible to attackers looking to commit defacement or infiltrate computer networks to steal sensitive information. The increased corporate reliance on complex applications and technologies contributes to the potential for security vulnerabilities and an increased need for computer security.

Of growing concern, legitimate Web sites continue to be targeted by hackers, with a reported 30,000 pages affected every day by malware attacks.[FOOTNOTE 3] Successful attacks can compromise confidential resources or consumer data and harm an organization's image. Further, an improperly configured Web server can be attacked directly to obtain unauthorized access to an organization's internal resources.

This article will discuss Web application security concerns, common Web application attacks and some of the enforcement actions taken by the Federal Trade Commission against companies that have suffered security breaches allegedly due to inadequate security practices.


Business sites have become an indispensable means to communicate with prospective customers and conduct transactions. Sites have become more dynamic, giving users new capabilities to run applications, query databases and access personal and financial content.

Highly interactive sites boast multiple ways to reach out to users, namely through login and informational fields, electronic shopping carts and data uploading systems that collect, process and electronically transmit potentially sensitive consumer information.

Such interactions are performed by Web applications, which are programs that act as the intermediary between a site's servers and its database servers such that data submitted or requested by users can be transmitted from a company's database to users' browsers.

For example, a database might maintain information related to login credentials, financial information, statistics, pricing or inventory information, or other sensitive data that, when accessed legitimately, gives a site its functionality for users and customers.

When a user's submission requires additions to or retrieval from a company's database, whether it be a simple search, account information request or e-commerce transaction, the application accesses the database servers to run the particular request, with the information displayed on users' screens.

However, as hackers and identity thieves have become more adept at exploiting programming vulnerabilities to gain access to a company's Web and database servers, the use of Web applications raises cybersecurity concerns.

The intruders seek unauthorized access for several reasons, such as to deface a site (i.e., changing information on the server or redirect traffic to embarrass a company or make a political statement); steal sensitive data for illicit gains; plant malicious code to further a phishing scheme or other online scam; or create a distribution point for attack tools, spam, pornography or pirated software.[FOOTNOTE 4]

In addition, sensitive information transmitted unencrypted between the server and a user's browser may be intercepted or malicious entities may attempt to gain unauthorized access to resources elsewhere in the organization's network via a successful attack on the server.

Such attacks are consistent with a trend in malicious user behavior, which focuses on attacking applications accessible via the Internet, as opposed to attacking the operating system of the host platform.[FOOTNOTE 5] 

Indeed, the growth of attacks has been fueled by the easy availability of automated programs or "rootkits" that can perform a sweep across the Web to detect which sites have known vulnerabilities. Thus, if a site's applications are not secure, then sensitive consumer information could be at risk from one of many common exploits.


In recent years, as the security of networks and server installations has improved, poorly written software applications and scripts that inadvertently allow attackers to compromise the security of a Web server or collect data from backend databases have become the routine targets of attacks.

Common attacks include "structured query language" injection, where a hacker is able to input commands to a database, and "cross-site scripting," where an attacker manipulates the application to store malicious scripting language commands that are activated when a subsequent user opens the Web page.[FOOTNOTE 6]

Generally speaking, XSS refers to the act of injecting a malicious code into a Web page, which is then executed in the user's browser, in order to perform some sort of manipulation. XSS exploits the browser's (as well as the user's) trust that the page they are viewing is safe for downloading information and/or clicking on links presented.

XSS often takes advantage of Web servers that return dynamically generated pages. A successful attack potentially allows the hacker to redirect the page to a malicious location, hijack a user's browser, engage in computer network reconnaissance or plant backdoor programs, all while being completely transparent to the end users.[FOOTNOTE 7] As a result, a hacker can typically gain access to a company's database servers, deface Web pages, spread worms or execute malicious computer script.[FOOTNOTE 8]

Another common attack, SQL injection, allows commands to be executed directly against the database, thereby permitting disclosure and modification of the data within.

SQL is a computer language for querying and modifying data and the management of databases. The most common pathway for an SQL injection attack occurs when a hacker is permitted to enter SQL commands into a certain Web feature (e.g., login form, search query boxes, feedback forms) or directly into the browser address bar and query the database without authorization.

SQL injection usually involves a combination of inappropriate security permissions, unfiltered user input, and software code errors or omissions. Since SQL injection is possible even when no traditional software vulnerabilities exist, mitigation is often more complicated than simply applying a security patch.[FOOTNOTE 9]

With more and more Web servers comprising a front end for a database server, there is an ongoing risk that an intruder can compromise the database unless adequate security precautions are taken.
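As an added illustration (not part of the article or of this post), here are the two defects the excerpt describes in a tiny Python/SQLite web-application back end: the login query built by string formatting beside its parameterized form, and a feedback page that echoes stored text raw beside one that HTML-escapes it. All table layouts, account rows and submitted strings are constructed for this example; only the standard library (`sqlite3`, `html`) is used.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's account and feedback
    tables (sample data for this example, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "hunter2")])
    conn.execute("CREATE TABLE feedback (body TEXT)")
    return conn


# --- SQL injection via a login form ---------------------------------------

def login_unsafe(conn, name, password):
    """String formatting splices the form fields into the SQL text, so the
    database parses user input as part of the query (the defect)."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Bound parameters: the SQL text is fixed and the form fields reach
    the driver as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def outcome(fn, conn, name, password):
    """Return the matched account names, or the error class name if the
    query failed to parse (what a visitor sees as a 500 error)."""
    try:
        return fn(conn, name, password)
    except sqlite3.Error as exc:
        return type(exc).__name__


# --- Stored XSS via a feedback form shown to the next visitor ------------

def store_feedback(conn, body):
    """Store a submission (safely, via a parameter) and return the
    connection so a page can be rendered from it."""
    conn.execute("INSERT INTO feedback VALUES (?)", (body,))
    return conn


def render_unsafe(conn):
    """Echoes stored text straight into the page, so markup a submitter
    included becomes live HTML for every later visitor (the defect)."""
    return "".join("<li>%s</li>" % row[0]
                   for row in conn.execute("SELECT body FROM feedback"))


def render_safe(conn):
    """html.escape turns <, >, &, ' and " into entities, so the browser
    displays the submitted text instead of interpreting it."""
    return "".join("<li>%s</li>" % html.escape(row[0])
                   for row in conn.execute("SELECT body FROM feedback"))


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the unsafe query,
    # and a classic tautology makes it match every account; the
    # parameterized query handles both as plain text.
    for name, pw in [("O'Brien", "hunter2"), ("nobody", "' OR '1'='1")]:
        print(outcome(login_unsafe, make_db(), name, pw),
              outcome(login_safe, make_db(), name, pw))
    db = store_feedback(make_db(), "<script>alert(1)</script> great site")
    print(render_unsafe(db))
    print(render_safe(db))
```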

Read the Article in Full

Richard Raysman, a partner at Holland & Knight, and Peter Brown, a partner at Baker & Hostetler, are co-authors of "Computer Law: Drafting and Negotiating Forms and Agreements" (Law Journal Press).



AirTran Airways is 3rd Merchant to Accept Acculynk PIN Debit Transactions

AirTran Airways To Accept Pin-Debit Transactions Online

July 16, 2009
Source: CardLine

AirTran Airways, an Orlando, Fla.-based low-fare airline, has become the third merchant to agree to pilot Acculynk Inc.'s PaySecure Internet PIN-debit product. Acculynk enables PIN-debit purchases online by integrating its PaySecure software into a merchant's online-checkout system. Atlanta-based Acculynk plans to announce PaySecure partnerships with three other merchants by September, Nandan Sheth, Acculynk president, told CardLine sister publication ATM&Debit News last month. AirTran customers can choose the PaySecure option during online checkout. The airline tells customers debit cards can be used for a PIN-based purchase. Cardholders use their computer's mouse to enter their four-digit PINs into an Acculynk virtual PIN pad that appears on the computer's monitor. Acculynk also is conducting PaySecure tests with Metavante Technologies Inc.'s NYCE, Fiserv Inc.'s Accel/Exchange and Discover Financial Services' Pulse networks (CardLine, 3/24). Two online retailers are accepting PIN-debit cards online using PaySecure:, a luxury-cooking retailer, and, an authorized reseller for online retailers. Elavon Inc., which processes transactions for AirTran and, was the first processor to support PaySecure, according to Acculynk. Elavon did not respond to a request for comment by CardLine's deadline. Merchant e-Solutions Inc. processes transactions for

Visa Releases Registered ISO List (PDF 44 pages)

Visa Releases List Of Registered ISOs; Industry Gives Overall Positive Response

Source: ISO & Agent Weekly

This article appears in the July 2, 2009, edition of ISO&Agent Weekly.

Industry professionals have guessed 300, 5,000 and even 10,000 ISOs when asked how many registered ISOs exist in the United States.

Visa Inc. put the question to rest in recent weeks when it made its lists of registered ISOs publicly available on its Web site. The total, according to Visa, is on the lower end of many observers' estimates.

The 44-page document contains more than 1,900 entries; however, some entries are duplicates because some companies registered to accept Visa credit and registered again to accept Interlink, Visa's PIN-based point-of-sale debit brand. The list also contains the names of organizations that offer Visa prepaid products.

Visa's list is available at . Details of each entry are sparse, with only a few containing company Web sites.

"I've been asking for this since as far back as 1995," says Joyce Cook, president and CEO of International CyberTrans, a Brentwood, Tenn.-based ISO. Cook at that time was president of the Electronic Transaction Association, a Washington, D.C.-based trade group representing ISOs and acquirers.

MasterCard Worldwide says it does not intend to release its list of registered ISOs because the sponsoring banks actually hold the information and ISOs may not want MasterCard to disclose it.

List Release A 'Good Thing'
Cook welcomes Visa's release of the list. "It's a good thing because there are a lot of people who are not registered and shouldn't be allowed to represent the brands," she tells ISO&Agent Weekly.

That appears to be part of the reason why Visa released the list.

Continue Reading

CyberSource and Debenhams Direct Connect

Debenhams Direct using CyberSource for online payment, fraud management

Reading, England and Mountain View, Calif., July 16 /PRNewswire-FirstCall/ -- CyberSource Ltd., the U.K.-based CyberSource (Nasdaq: CYBS - News) subsidiary, today announced that it is working with Debenhams Direct to assist that company with the secure processing and management of its online transactions. Debenhams Direct is the eCommerce arm of one of the leading retail groups in the U.K. and Ireland, visited by over 3 million online customers each month. The site processes over 2,500 orders on an average day and offers products and services that are available in Debenhams' stores.

CyberSource's payment management services allow Debenhams to securely and reliably process multiple payment types through a global payment processing network that has been certified as compliant with the Payment Card Industry Data Security Standard. Through a single connection to CyberSource, Debenhams can also utilise additional cardholder verification programs such as Verified by Visa and MasterCard SecureCode, providing Debenhams' customers with greater protection from fraud and reducing chargeback risk for Debenhams.

Debenhams turned to CyberSource's flexible risk management solutions as part of the retailer's overall eCommerce focus. CyberSource's Decision Manager accesses over 150 global validation tests to screen for fraud, enabling Debenhams to determine in real-time whether transactions should be accepted, rejected, or marked for further review. This has allowed Debenhams greater flexibility in the management of its fraud screening rules, allowing it to evolve and develop, in real-time, the strategies it deploys against fraudsters.

Anthony Leach, Senior Operations Manager, Debenhams Direct, said: "We are keen to stay ahead of the curve and selected CyberSource based on its functionality and the partnership we have already developed. The intelligence to which we have access will help us identify and manage higher risk orders appropriately whilst supporting legitimate customers within our secure website. Our continued focus is on providing a secure platform for our online customers whilst managing commercial risks and having clear and flexible processes."

Simon Stokes, Managing Director, CyberSource Ltd., commented: "Debenhams is a great example of a traditional high street retailer that has embraced the online environment and increased its investment in this area. By consolidating and streamlining its multi-channel operations, Debenhams is better able to provide its customers with a secure and convenient online shopping experience."

For more information on CyberSource risk management solutions, see: .

About CyberSource

CyberSource Ltd. is the U.K.-based wholly-owned subsidiary of CyberSource Corporation (NASDAQ: CYBS - News). CyberSource solutions enable electronic payment processing for web, call centre, and POS environments. CyberSource also offers industry leading risk management solutions for merchants accepting card-not-present transactions. CyberSource Professional Services designs, integrates, and optimizes commerce transaction processing systems. Approximately 262,000 businesses use CyberSource solutions, including half the companies comprising the Dow Jones Industrial Average. The company is headquartered in Mountain View, California, and has sales and service offices in Japan, the United Kingdom, and other locations in the United States including Bellevue, Washington and American Fork, Utah. For more information on CyberSource Ltd. please visit or email

About Debenhams

Debenhams is a leading department store group with a strong presence in key product categories, including womenswear, menswear, childrenswear, homeware and health and beauty. The group trades through over 150 department stores in the U.K. and the Republic of Ireland and .

Source: Company press release. 


Canadians' Call for Regulation of Interchange Fees Rejected - GreenSheet

Canadians' call for regulation rejected

In June 2009, the Canadian Senate Standing Committee on Banking, Trade and Commerce rejected its own merchant lobbyists' call for price regulation on fees charged to merchants for credit card transactions. MasterCard Canada officials welcomed the decision and said they appreciated the opportunity provided by the committee to participate in a comprehensive examination of Canada's payment systems.

"The Senate Committee clearly recognized that price controls are inappropriate and would harm consumers," said Kevin Stanton, President, MasterCard Canada, in a press release. "Australia continues to provide an excellent example of how such price controls reduce credit card program benefits and result in no appreciable decrease in the price of goods and services."

New York Times - Card Fees Pit Retailers vs. Banks

Merchants across the nation, from powerhouses like Wal-Mart and Home Depot, to gas stations, mom-and-pop restaurants and 7-Eleven, have spent years unsuccessfully fighting the biggest of these costs, known as an interchange fee, which generates an estimated $40 billion to $50 billion in income annually for banks that issue credit cards.

But after Congress passed a law last month to protect consumers from excessive fees and interest on credit cards, merchants are mounting a fresh offensive.

This time, they believe the momentum in Washington has turned in their favor. Legislation is winding its way through Congress, a government audit has been ordered and petitions are surfacing in hundreds of convenience stores, including Ms. Orzano’s 7-Eleven, encouraging customers to voice their opposition to the fees. “Congress sort of already illustrated the willingness to take on the credit card companies and the big banks,” said Keith Jones, a lobbyist for 7-Eleven. “We just feel like the job is half done.”

And while large and small banks often clash on political agendas, they have formed a united front, joined by payment networks like Visa and MasterCard, to prepare for a furious battle on Capitol Hill. With profit from credit cards likely to diminish because of the new laws, they are determined not to absorb another major hit.

“It’s a big deal to them, and they would be fully engaged in it,” said Kenneth J. Clayton, senior vice president for card policy at the American Bankers Association.

Every time a consumer uses plastic, about 2 percent to 3 percent of the charge goes to banks and payment networks, which price the fee differently in different countries. Of that, the interchange fee is paid to the cardholder's bank, and at roughly 1.8 percent of each purchase in the United States, according to a June report by J.P. Morgan, it is the largest and most controversial of these costs.

But retailers may have a tough time convincing Congress that consumers would benefit if the effective interchange rate, which has increased slightly in recent years, is dialed back. Many other countries, including Israel and Australia, have required banks that issue cards to reduce the fee. Yet there is little evidence that the savings were passed along.

Continue Reading


Paradigm Shifting - Web Sales Trump Store Sales at Macy's

The Paradigm Shift is occurring as I type this.

1. MasterCard has "shifted" its focus to debit cards

2. Two months ago, for the first time in history, debit card "volume" surpassed credit card volume, and

3. Macy's web sales have trumped its store sales. (see story below)

It now looks more and more like a certainty that eCommerce will one day take over the brick-and-mortar space, but it is fraught with fraud. Therefore PIN Debit (with its built-in two-factor authentication and True Zone 1-5 End-to-End Encryption) is the obvious payment method for this space. Did it ever occur to you that there is a reason signature debit is called "off-line debit" and PIN Debit is referred to as "online debit"? I ask you... which one makes the most sense for "online" shopping? See: Chase Paymentech Predicts PIN Debit Ubiquitous on Web by 2012

Here's why HomeATM is uniquely positioned:

1. There is "only one" PCI 2.0 certified PIN Debit solution for the Internet, and that one and only is HomeATM.

2. HomeATM also owns the "global" patent for any Debit or Credit Card Payment transaction conducted via the Internet, be it hardware or software based. (The US Patent and Trademark Office has issued patent No. 6,834,271 (see related articles below) to HomeATM's wholly owned subsidiary Kryptosima / Patent for Internet ATM/Debit and Credit Card Transactions Granted In Europe - HomeATM announced that it has received notification that the European Patent Office is granting Kryptosima's patent application No. 00957801.4 for "Apparatus For and Method of Secure ATM Debit Card and Credit Card Payment Transactions Via The Internet."...)

3. HomeATM also recently went through a CTGA ANSI TG-3 Audit (the American National Standards Institute (ANSI) has developed a set of best practice security standards known as Technical Guide 3 (TG-3) to govern Personal Identification Number (PIN) Security. Interbank networks that route Automated Teller Machine (ATM) and Point of Sale (POS) transactions such as STAR, Pulse, and NYCE require their members to achieve compliance with TG-3 standards. Organizations held to these control standards are subject to periodic audits by CTGA (Certified TG-3 Auditor) licensed professionals) and based on what we've heard certification is imminent. To our knowledge, we would be the "first and only" company in the world with an eCommerce PIN solution to be TG-3 certified. We know we're the only one who is PCI 2.x certified.

4. Based on the aforementioned, specifically 1 & 3, HomeATM is the most secure (tested and documented) online payment in two hemispheres...

As such, we are uniquely positioned as the next step of the Paradigm Shift takes place... thanks to the perfect storm we know as "the economy," "the debit card," "cybercrime" and the "world wide web."

At mid-year, web sales trump store sales at Macy’s

For the sixth month in a row, web sales outpaced store sales at Macy’s Inc.

In its June sales numbers, Macy’s, No. 23 in the Internet Retailer Top 500 Guide, reported a gain in web sales of 8.2% while comparable-store sales declined 8.9% and total sales decreased 8.9% to $2.04 billion from $2.24 billion in June 2008.

For the first six months of the year, e-commerce sales also easily outpaced comparable-store sales.

From January through June, Macy’s, which doesn’t break out specific numbers for its e-commerce business, posted a gain in online sales of 13.6%. Comparable-store sales for the same period declined 9% and total sales decreased 9.4% to $8.99 billion from $9.92 billion in January through June of 2008.

While store sales languish, one retail analyst says Macy's web sales are growing because the retailer is making an effort to build up a sales channel that its customers clearly prefer.

Continue Reading at
