Friday, November 13, 2009

EMV Chip Cards Expected for Upscale U.S. Cardholders

According to The Nilson Report[1], most top U.S. issuers will have EMV[2]-compliant chip cards available to select customers by the end of 2010. These cards will be used for purchases made outside the U.S., particularly in Europe where most point-of-sale (POS) terminals and automated teller machines (ATMs) are EMV-compliant. The cards may be marketed to upscale frequent international travelers, who spend six times more than the average cardholder and comprise nearly 4% of overall credit card spending[3]. The number of international travelers needing EMV-compliant cards will grow as Canada and Latin America continue their rollout of EMV.

Increasingly, U.S. cardholders are inconvenienced when using their credit and debit cards while traveling, and are falling back on ATM cash withdrawals[4]. Travelers are finding they are unable to use magnetic stripe cards at unattended chip-based terminals for train tickets, parking, tolls or gasoline. Since seven of the top ten countries visited by Americans are converting to EMV chip and PIN cards[5], the problem may get worse. Some smaller merchants are refusing magnetic stripe cards from fear of fraud or confusion on the part of the store clerk. The European Payments Council, the governing body responsible for achieving a single payments market throughout Europe, recently announced it is considering a ban on magnetic stripe cards within the next couple of years[6].

In a bid to maintain “top of wallet” status with their best customers, U.S. issuers are expected to offer select customers an EMV compliant chip card as part of a newly redesigned upscale card product. U.S. issuers are following in the footsteps of the Royal Bank of Canada, which took a similar approach in 2003 with the Avion Platinum microchip card, issued to upscale international travelers. Chip cards will be more readily accepted internationally and increase convenience for travelers. The chip’s secure authentication mechanism reassures the issuer that the card is genuine, so issuing banks can reduce authorization errors and authorize more international transactions that were previously considered too risky.

To implement an EMV program, issuers will need to: 

  • Educate their customers on using the cards

  • Modify authorization processing to accommodate EMV-compliant authorization requests or use a stand-in service from a payment brand

  • Determine if offline authorization will be allowed

  • Decide how to handle emergency card replacement

  • Decide if their programs will be implemented using PIN, signature or both for cardholder verification; both are accepted by the EMV specification. However, PIN verification would be needed to support offline transactions, which are more common in Europe.

Implementation could be simplified by offering EMV signature cards without offline authorization (“online only”). The business case for issuing EMV-enabled cards to the affluent customer segment should be fairly easy to justify, since it leverages the existing EMV-enabled POS infrastructure in Europe and Canada.

The Smart Card Alliance endorses these efforts as part of a new course for the U.S. market. Using chip card technology is the best way for the payments industry to ensure global interoperability and acceptance and to effectively reduce fraud in the long term. The Smart Card Alliance recommends that U.S. issuers consider issuing dual-interface contact/contactless EMV compliant chip cards, so that the dynamic cryptogram feature can also protect contactless transactions made in the U.S. For more information about the use of contactless for fraud protection, see “End-to-End Encryption and Chip Cards in the U.S. Payment Industry,” a Smart Card Alliance position paper, at and "Fraud in the U.S. Payments Industry: Fraud Mitigation and Prevention Measures in Use and Chip Card Technology Impact on Fraud," a Smart Card Alliance white paper at

About the Smart Card Alliance Contactless and Mobile Payments Council

The Contactless and Mobile Payments Council is one of several Smart Card Alliance technology and industry councils. The Council was formed to focus on facilitating the adoption of contactless and mobile payments in the U.S. through education programs for consumers, merchants and issuers. The group is bringing together financial payments industry leaders, merchants and suppliers. The Council’s primary goal is to inform and educate the market about the value of contactless and mobile payment and work to address misconceptions about the capabilities and security of contactless technology. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.

About the Smart Card Alliance

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit

[1] “Chip Cards in the U.S.,” The Nilson Report, #930, July, 2009

[2] Europay MasterCard Visa. Specifications developed by Europay, MasterCard and Visa that define a set of requirements to ensure interoperability between payment chip cards and terminals.

[3] According to the Nilson Report, 5 million upscale cardholders generate 19% of all U.S. credit card spending among U.S. cardholders. Approximately one million of them travel enough to use a chip-and-PIN card in Western Europe.

[4] “For Americans, Plastic Buys Less Abroad,” New York Times, October 4, 2009,

[5] Mexico, Canada, UK, Italy, France, Germany and Spain all converting to EMV. “U.S. credit cards becoming outdated, less usable abroad,”, October, 2008

[6] “U.S. magnetic stripe credit cards on brink of extinction?”, August, 2009

MoneyGram International Expands Customer Loyalty Program to Canada

Program provides members with faster transactions, lower fees and a text message when funds are collected

MINNEAPOLIS -- MoneyGram International (NYSE:MGI), a leading global payments company, today announced the expansion into Canada of MoneyGram Rewards, a loyalty program that offers members fee discounts, receive notices, and fast and convenient money transfers.

MoneyGram Rewards was introduced in the United States in 2008, and expanded earlier this year into Germany, Spain and France. The program now has more than 3.5 million customers who enjoy the benefits of membership, which include discounted transactions, a personalized card for expediting money transfers, quarterly statements and the ability to manage their account and profile online. In addition, MoneyGram in September added a feature to the program that allows rewards program members to be notified via SMS text message when their money transfer transaction has been picked up by the receiver.

“The MoneyGram Rewards program was created to attract new customers and keep them coming back by offering benefits that make their MoneyGram experience as easy as possible,” said Andrew Johnsen, marketing manager for MoneyGram International in Canada. “We believe this will be an especially welcome program for customers who frequently send money to South Asia, Latin America, the Caribbean, Africa and the Philippines.”

In Canada and Europe, MoneyGram Rewards provides consumers a 5 percent discount on all transactions, a personalized membership card that reduces paper forms for faster transactions, and immediate notification when funds are collected by the recipient via e-mail or SMS text message. The launch of the rewards program is a continuation of MoneyGram’s growth and expanding reach in Canada. In July, the company announced the rollout of thousands of additional Canada Post locations resulting in MoneyGram money transfer services available today at more than 5,000 Canada Post outlets coast to coast.



Did you know that the fear of Friday the 13th is called "paraskavedekatriaphobia?" 

A word derived from the concatenation of the Greek words Paraskeví (Παρασκευή) (meaning Friday), and dekatreís (δεκατρείς) (meaning thirteen), attached to phobía (φοβία) (meaning fear)? 

Now you do. Did you know that 17 million are affected? Neither did I.

This fear is a specialized form of triskaidekaphobia, a simple phobia (fear) of the number thirteen, and is also known as friggatriskaidekaphobia.

The term triskaidekaphobia was derived in 1911 and first appeared in a mainstream source in 1953.

Here are some more fun facts:

1. It’s been estimated that $800 or $900 million (U.S.) is lost in business on this day because people will not fly or do business they would normally do.

2. No historical date has been verifiably identified as the origin of the superstition. Before the 20th century, although there is evidence that the number 13 was considered unlucky and that Friday was considered unlucky, there was no link between them.

3. The first documented mention of a “Friday the 13th” is generally listed as occurring in the early 1900s.

4. A Friday occurring on the 13th day of any month is considered to be a day of bad luck in English, German, Polish and Portuguese-speaking cultures around the globe.

5. Many people are so paralyzed by fear that they are simply unable to get out of bed when Friday the 13th rolls around. The Stress Management Center and Phobia Institute estimates that more than 17 million people are affected by a fear of this day.

6. The fear of Friday the 13th is called paraskavedekatriaphobia.

7. Every year has at least one, and at most three, Fridays the 13th, with 48 occurrences in 28 years, an average of 1.7 times per year. The reasoning: twenty-eight years have 336 months, and 336 also equals seven times forty-eight.

8. A study published in The British Medical Journal (1993) has shown that there is a significant increase in traffic-related accidents on Friday the 13ths.

9. Friday the 13th is also known as “Dooms day” all around the world.


Cartes & IDentification Blog Covers Event Live

The Cartes & IDentification Blog

Welcome to the CARTES & IDentification BLOG which will go live on the evening of 16th November with the Sesames Awards ceremony. The 10 SESAMES winners will then be revealed for the first time on this blog.

The aim of this temporary blog, which will be updated over the three days of the event, is to help enhance the visitors’ experience. It is intended to be a dynamic information source to complement our website. We will therefore provide information in real time throughout the days and also showcase trade show highlights with a selection of events not to be missed. Photographs and videos will also be available to illustrate the written content. This will give visitors, delegates and journalists a glimpse into the prevailing atmosphere of the exhibition.

What you can expect to find

  • focuses on trade show highlights such as the Sesames Awards and the World Card Summit,

  • reports on major events,

  • news updates,

  • key market information and forecasts,

  • innovation guides,

  • focuses on use of smart cards, identification and the Internet of Things, etc.

Regularly updated during the day, this blog will relay exhibitors’ major announcements and news.



17-19 November 2009, Paris Nord, Villepinte Exhibition Centre, Paris

Bell ID will again be exhibiting at the prestigious Cartes show in Paris in November at booth 4N028. Cartes is the number 1 professional event in the world for smart card and contactless technologies.


At this year's edition, Bell ID will be demonstrating its I-PIN solution, which offers PIN changes of EMV cards over the Internet. Furthermore, solutions for instant issuance will be showcased as well as our solutions for mobile application management.

For more information about the event, please visit the Cartes 2009 website.

If you would like to make an appointment to meet a member of the Bell ID team at this conference please contact Andre Stoorvogel at +31 (0) 10 885 1010 or e-mail info@bellid.com

If you would like to attend Cartes as a guest of Bell ID, please click here to register for a free invitation card and enter Privilege Code 155320 to be registered as one of Bell ID's guests.


NACHA Phishing Alert: E-mail Claiming to be from NACHA

NACHA Phishing Alert (11/12/2009) E-mail Claiming to be from NACHA

The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See sample below.

The subject line of the e-mail states: “Rejected ACH Transaction.” The e-mail includes a link which redirects the individual to a fake web page which appears like the NACHA Web site and contains a link which is almost certainly an executable virus with malware. Do not click on the link. Both the e-mail and the related Web site are fraudulent.

Be aware that phishing e-mails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited e-mails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive.

If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system. Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that the computer operating systems and common software applications security patches are installed and current.

Be alert for different variations of fraudulent e-mails.

= = = = = Sample E-mail = = = = = =

From: []

Sent: Thursday, November 12, 2009 10:25 AM

To: Doe, John

Subject: Rejected ACH transaction, please review the transaction report

Dear bank account holder,

The ACH transaction, recently initiated from your bank account, was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report  (this is how the link is presented)
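One way a mail gateway or analyst script could triage messages like the sample above, as an added example that is not part of the NACHA alert. The message text is constructed from the sample; the sender address, link target, the `nacha.org` allow-list, the lure terms and the finding names are all assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions, not taken from the alert: allow-list, lure terms, extensions.
BRAND_TERMS = ("nacha", "electronic payments association")
BRAND_DOMAINS = {"nacha.org"}
LURE_SUBJECT_TERMS = ("rejected ach transaction",)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")

# Constructed message modelled on the sample e-mail; sender and URL are made up.
SAMPLE = """\
From: "NACHA" <alerts@nacha-reports.example>
To: "Doe, John" <jdoe@corp.example>
Subject: Rejected ACH transaction, please review the transaction report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear bank account holder,</p>
<p>The ACH transaction, recently initiated from your bank account, was
rejected by the Electronic Payments Association. Please review the
transaction report by clicking the link below:</p>
<p><a href="http://nacha.org.reports.example/report.exe">Unauthorized ACH Transaction Report</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def on_brand(host):
    """True only for the brand domain or a subdomain of it (suffix match,
    so a look-alike such as nacha.org.reports.example does not pass)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if any(t in str(msg["Subject"] or "").lower() for t in LURE_SUBJECT_TERMS):
        findings.append("lure-subject")

    display, addr = parseaddr(str(msg["From"] or ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    claims_brand = any(t in (display + " " + body).lower() for t in BRAND_TERMS)
    if claims_brand and not on_brand(addr.rpartition("@")[2]):
        findings.append("brand-claim-from-off-brand-sender")

    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        parts = urlsplit(href)
        if claims_brand and parts.scheme in ("http", "https") and not on_brand(parts.hostname):
            # The visible label hides the real destination, as in the sample.
            findings.append(f"off-brand-link:{parts.hostname} (shown as {text!r})")
        if parts.path.lower().endswith(EXECUTABLE_EXTS):
            findings.append("link-to-executable")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
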


64% of Websites Have Critical Vulnerabilities - WhiteHat Security

New research from WhiteHat Security paints a bleak picture for Web site security.

WhiteHat Security released a report assembled from real-world website security data and found a tremendously high percentage of Web sites have at least one critical vulnerability. 

The most common flaws: cross-site scripting and SQL Injection.

The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continues to slowly increase.

In its latest iteration of its annual Website Security Statistics report, WhiteHat found 64 percent of the 1,364 sites the company analyzed have at least one serious vulnerability.

But the news isn’t all bad - according to the company, 17 percent of the sites have never had a serious vulnerability.

83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue.  This proves to be significant in that no website can be deemed immune – all websites have an opportunity to be compromised.

Here is the Press Release:

WhiteHat Security Unveils Biggest Website Security Weaknesses in Latest Statistics Report

SANTA CLARA, Calif. – November 12, 2009 – WhiteHat Security, the leading provider of website risk management solutions, today released the eighth installment of the WhiteHat Security Website Security Statistics Report, a high-level perspective on major website security issues that continue to compromise corporate data across all industries. WhiteHat’s report, assembled from real-world website security data, cites the Top 10 website vulnerabilities and provides insight into the evolving challenges facing organizations today.

WhiteHat’s Statistics Report provides an opportunity for businesses to understand the most prevalent vulnerabilities so they can develop and implement an effective website risk management program, reduce exposure and improve their overall security posture. WhiteHat created the report to educate the business community and general public about the most prevalent vulnerabilities that can lead to website compromises.

Unsurprisingly, only 36 percent of websites in the report currently do not have any serious vulnerabilities. From a historical perspective, this percentage drops to 17. Through its research, WhiteHat found that the characteristics of websites currently without any serious issues were nearly identical to those with them, with the exception that they had about half as many from the start. This proves to be significant in that no website can be deemed immune – all websites have an opportunity to be compromised. These odds are reduced when the business decides to proactively identify and remediate their vulnerabilities.

“It is extremely interesting to see that all the websites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” said Jeremiah Grossman, founder and chief technology officer, WhiteHat Security. “The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their website, reputation and customers.”

Recent attacks on thousands of Web properties including Twitter, Facebook and MySpace also validate WhiteHat’s findings that these platforms have what hackers are eager to steal – user supplied data. With 86 percent of these sites hosting urgent, critical or high severity vulnerabilities, social networks lead all verticals. A close second, education websites are also highly vulnerable, with 83 percent having at least one serious vulnerability. This is not surprising, as educational institutions have many public-facing applications and often do not have significant resources dedicated to website security.

WhiteHat’s latest report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continues to slowly increase. WhiteHat also finds that 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means encouragingly that the majority – over 13,000 – have been closed.

As in previous reports, Cross-Site Scripting and SQL Injection continue to be fixtures in the Top 10 list along with many other common classes of attack. The report also shows that fix percentages are climbing for some and decreasing for others. In particular, more organizations are repairing technical issues such as SQL Injection and Cross-Site Scripting in larger volumes, an indication that awareness is building regarding the prevalence of easy exploitations of these specific vulnerabilities.

The report statistics were gathered through the deployment of WhiteHat Sentinel, a Software-as-a-Service (SaaS) based website risk management solution, providing the most accurate vulnerability information in the industry. WhiteHat Sentinel executes rigorous and ongoing website security assessments on more than 1,500 websites that help companies protect their brands, comply with PCI Compliance and avoid costly and damaging breaches.

WhiteHat founder Jeremiah Grossman will host a webinar to reveal and analyze more of the report findings on Thursday, November 12, 2009 at 11:00 a.m. PT / 2:00 p.m. ET. For more information, visit WhiteHat’s site at and see the upcoming events section. You can also register at

About WhiteHat Security, Inc.

Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company’s flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the visibility, flexibility, and control that organizations need to prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls. To learn more about WhiteHat Security, please visit our website at


RBI Plans Payment System to Rival Visa/MasterCard

There seems to be a developing worldwide trend towards creating a country's own payment system.  The goal?  Cash in on the future of electronic transactions and/or eliminate the duopoly enjoyed by Visa and MasterCard. 

RBI plans to play own card against Visa, MasterCard

ENS Economic Bureau

Mumbai : If things work out as planned, India may soon have a domestic payment card system — a rival to multinational card associations like Visa, Mastercard and American Express. The Reserve Bank of India (RBI) is looking into the possibility of a domestic payment card which can handle credit/debit card transactions inside the country.

In its report on ‘Payment Systems in India: Vision 2009-12’, the RBI said it would look into the concept of a domestic payment card (India Card) and a PoS (point of sale) switch network for issuance and acceptance of payment cards. “The need for such a system arises from two major considerations — the high cost borne by the Indian banks for affiliation with international card associations (like Visa and Mastercard) in the absence of a domestic price setter and the connection with international card associations resulting in the need for routing even domestic transactions, which account for more than 90 per cent of the total, through a switch located outside the country,” it said.

As per the RBI Annual Report, the value of credit card transactions was Rs 65,356 crore in 2008-09, a 100 per cent jump in the last three years. This means almost Rs 60,000 crore was settled outside India through Visa and Mastercard — which act as the payment link on behalf of the bank, merchant and card holder — last year. Debit card transactions amounted to Rs 18,547 crore in 2008-09. The Indian Banks Association is also in favour of setting up a payment card.

The RBI is also planning to implement a 24-hour fund transfer system. The bank would pursue the suggestion to consider the need to extend NEFT (National Electronic Fund Transfer) to function on a 24x7 basis — seamless fund transfer without any break — or to develop a new system akin to the Faster Payments Service in the UK which operates on a 24x7 basis. The existing NEFT system operates during weekdays from 9 am to 5 pm and on Saturdays from 9 am to 12 noon. This will enable stock exchanges to extend trading hours and align their operations with other countries.

The central bank said mobile phones are expected to emerge as an important channel for transmission of payment instructions. "Efficient mobile payments would require real time transfer of funds with adequate security. Currently all inter-bank mobile transfers are payment instructions for settling funds through existing payment systems. This would require building a national infrastructure for facilitating real time mobile payments," it said.

Further, the RBI said it plans to bring all payment systems in operation in the country under its regulatory purview. Notification of the Payment and Settlement Systems Act, 2007 empowers the RBI to regulate and oversee all payment systems. The existing and proposed payment systems will need to obtain authorisation from the bank to continue or commence operations. The central bank is expected to lay down operational and technical standards for the functioning of these systems, empowered to issue directions, call for information or returns, revoke authorisation and impose penalties, initiate prosecution proceedings for violations of the Act, the regulations, the directions issued by it and the terms and conditions of authorisation, it said.

The RBI indicated it would authorize new payment systems and operators of payment systems only if they add efficiency, increase customer convenience and bring in improvements to the payment system scope and activities in the country.


Federal Reserve's Press Release on Overdraft Fees

From Mercury News

WASHINGTON — Banks will have to secure their customers' consent before charging large overdraft fees on ATM and debit card transactions, according to a new rule announced Thursday by the Federal Reserve.

The rule responds to complaints from consumer groups, members of Congress and other regulators that the overdraft fees are unfair because many people assume they can't spend more on a debit card than is available in their account. Instead, many banks allow the transactions to go through, then charge fees of up to $25 to $35.

For small purchases, such as a cup of coffee, the penalty can far exceed the cost of the transaction.

Under the Fed's new rule, which will take effect July 1, banks will be required to notify new and existing customers of their overdraft services and give customers the option of being covered. If customers don't "opt in," any debit or ATM transactions that overdraw their accounts will be denied, Fed officials said.

Many consumers do want checks and regular electronic bill payments to be covered in the event of an overdraft, Fed officials said. As a result, those transactions aren't covered by the rule.  Banks earn as much as $25 billion to $38 billion annually from overdraft fees, Fed officials said, but that total includes check overdrafts.


Here's the Press Release:

Federal Reserve Press Release

Release Date: November 12, 2009

For immediate release

The Federal Reserve Board on Thursday announced final rules that prohibit financial institutions from charging consumers fees for paying overdrafts on automated teller machine (ATM) and one-time debit card transactions, unless a consumer consents, or opts in, to the overdraft service for those types of transactions.

Before opting in, the consumer must be provided a notice that explains the financial institution's overdraft services, including the fees associated with the service, and the consumer's choices. The final rules, along with a model opt-in notice, are issued under Regulation E, which implements the Electronic Fund Transfer Act.

"The final overdraft rules represent an important step forward in consumer protection," said Federal Reserve Chairman Ben S. Bernanke. "Both new and existing account holders will be able to make informed decisions about whether to sign up for an overdraft service."

The Board's consumer testing shows that most consumers prefer not to be enrolled in overdraft services for ATM and one-time debit card transactions unless they affirmatively consent, or opt in. At the same time, testing shows that most consumers want overdraft services to cover important bills, such as checks they use to pay rent, utilities, and telephone bills.

To ensure that consumers have a meaningful choice, the final rules prohibit financial institutions from discriminating against consumers who do not opt in. The final rules require institutions to provide consumers who do not opt in with the same account terms, conditions, and features (including pricing) that they provide to consumers who do opt in. For consumers who do not opt in, the institution would be prohibited from charging overdraft fees for any overdrafts it pays on ATM and one-time debit card transactions.

"Overdraft fees can be costly," said Governor Elizabeth A. Duke, the chair of the Board's Committee on Consumer and Community Affairs. "Our rule will help consumers better understand the terms and conditions of overdraft services and will give them an opportunity to avoid fees when these services do not meet their needs."

The Federal Register notice is attached. The final rules are effective July 1, 2010.

Federal Register notice: Regulation E final rule (322 KB PDF)

Regulation E Highlights document (17 KB PDF)

Model Form A-9 (37 KB PDF)

Design and Testing of Overdraft Disclosures: Phase Two (811 KB PDF)
