Friday, December 4, 2009

PIN Debit Grows Faster than Credit/Signature Debit COMBINED - American Banker

PIN Debit Leads Holiday Sales

American Banker  |  Friday, December 4, 2009

Though Black Friday spending was up this year for all card types, PIN debit transactions grew faster than credit and signature debit combined, and ...

Continue Reading at American Banker (subscription required)

Editor's Note: That's promising news...but...Guess What? Here's more (promising news that is...) Ready? I "promise you" that the results from "Cyber Monday" won't be anywhere near the same. They should/would be but....and this is a big butt...

Even though HomeATM was PCI 2.x PED Certified (the only company in the world with that designation) genuine PIN Debit is not available for eCommerce transactions. Why you ask?

Because...Visa and MasterCard must give their approval. Until then, how on earth would PIN Debit transactions grow faster than credit and signature debit combined...on the web? Oh...and apparently, even though they provided HomeATM with PCI 2.x PED Certification, apparently that doesn't (in their eyes) count as approval.  (making us the first and only device with PCI 2.x PED approval that apparently has to go through an extra step)

There is some good news though. Based on the fact that a "Card Present" transaction is about 25 times more secure than a "Card Not Present" transaction, and PIN Debit is about TEN times more secure than Signature Debit, Visa and MasterCard are extremely excited about bringing PIN Debit to the web!

We just have to get around one major stickler. The less secure the transaction, the more money V/MC and the Banks make. Shouldn't be too tough of a hurdle. Ya think? After all, at the end of the day, V/MC doesn't want to lose the faith of both the eCommerce consumer and internet retailers alike. They will protect both, right? So, until we get the gohead from V/MC we are in limbo.

Of course, there IS a PINmaginative way to get around that hurdle. You can come up with a fake/alternative less secure PIN Debit application, charge higher Interchange than the more secure/genuine PIN Debit then "make" consumers and internet retailers "believe" they are using Internet PIN Debit.

Just takes a little PIN-magination.
You just gotta make ('em) believe...

Let me "illustrate!" (pun intended)  Let's PIN-magine that someone came up with fake PIN Debit and simply call it Internet PIN Debit.

All you have to do is "type" your debit card number into a box on a website (Card Not Present) and then a Pop-Up Graphical User Interface will appear (make sure you have your Java Script enabled) then your computer will be "taken over" (I thought Hijacked might be too strong of a term) by a program which controls (couldn't think of a less harsh word) your PC by locking down your keyboard (because, apparently it's safe to TYPE your card number into a box, but not your PIN) and forces you to use your "mouse" to "man" up your PIN.

I call it the Mighty Mouse approach. (here I come to save the day!) by luring the EFT networks with cash/money.

But it's not the real deal.  The real deal "requires" the card to be swiped (not typed) in order for the data contained on the magnetic stripe to be read.  (the magstripe contains "key" information, such as the PIN Verification Value and the PIN Verification Key Index)   Otherwise, you would be able to go to MasterCard or Visa's website and look up Internet PIN Debit Interchange Rates.  (which you can do, but you won't find it...because, like a Unicorn, it doesn't exist)   More bad news about using the "mighty mouse" approach.  A new trojan can do the same thing to a mouse it does to the keyboard.  (See:
Limbo 2 Trojan Bad News for Floating PIN Pads (and Meeses)

Hence...the ONLY way to conduct a GENUINE PIN Debit Transaction (securely) is to Swipe the Card and Enter the PIN.

So I ask you the following question based on these FACTS...

WHY on Earth would Visa and MasterCard "not be" ecstatic about a patented solution that would eliminate Card Not Present fraud, that "Doesn't use the Browser," 3DES DUKPT Encrypts the PIN

(AND the Track 2 data) and's my favorite part: ..... "CERTIFIED BY THEM?" (V/MC)

Anybody? Hint: "not be"

If you're stumped like me you'll find the only conclusion I could come up with below.

But first a message about what is sponsored...

You'll see green alligators and long-necked geese
Some humpty backed camels and some chimpanzees
Some cats and rats and elephants, but sure as you're born
You're never gonna see no unicorns
- The Unicorn Song

Click Play to Listen to "Never Gonna See No Unicorns"

while you contemplate the question...

Done thinking about why they (V/MC) wouldn't be ecstatic?

Still Stumped? 

Answer: Interchange... V/MC the Banks and the EFT Switches make more money from a Card Not Present transaction, let alone a dually authenticated PIN Debit transaction because they are "less secure" and therefore they can charge higher interchange.  Why on earth would they want to lower interchange unless they were forced to?  Think I'm being cynical?  Then Google "visa mastercard PIN Debit antitrust" and read all about it.... 

Reblog this post [with Zemanta]

PIN Debit News Quote of the Day

From the Wall Street Journal

Credit Transactions Decline 11.55%, PIN Debit up 9%

In the third quarter of 2009, credit transactions for Visa and MasterCard reached $313 billion, an 11.58% decline over the same quarter in 2008, according to TowerGroup. Debit transaction volume for Visa and MasterCard was $303 billion, a 5.21% increase over the third quarter in 2008.

"Consumers are preferring to use their PIN debit card as compared to credit or even cash," according to Silvio Tavares, senior vice president of industry relations for First Data Corp., a transaction processor for merchants.

PIN debit-card transactions, in which the consumer enters a numerical pass code, increased by 9% this Black Friday over last year,
according to First Data, which processes transactions for sellers.
 Editor's Note:  Yeah...but I'll bet that won't be the case when Cyber Monday results kick in... 

Reblog this post [with Zemanta]

Top 10 Data Breaches of 2009 (so far)


Ten Most Damaging Data Breaches of 2009

December 4, 2009 by ADMIN · Comment

By Laton McCartney, Editor at CIOZone

Every week for the past four years the San Diego-based Privacy Rights Clearing House (PRCH), an organization dedicated to empowering consumers and protecting privacy, has been chronicling data breaches on a weekly basis.

These range from small, regional breaches, which may involve a local business or hospital, to national breaches that typically revolve around credit and debit cards.

“These are the mega-breaches that can skew the figures in terms of the number of people victimized,” says Paul Stephens, PRCH’s director of policy and advocacy.

Based on PRCH’s listings, here are the ten biggest, most damaging and most embarrassing breaches to date this year.

Heartland Payment Systems

For Heartland, a Princeton, N.J.-based payment systems company, the initial warnings came from Visa and MasterCard. Their concern: Suspicious processed credit card activity. Turns out that Heartland was the target of one of the biggest cyber-fraud schemes ever, one allegedly carried out by a former Secret Service informant and Russian hackers. Also targeted were Hannaford Brothers, 7-Eleven and two unnamed national retailers. Almost three-dozen separate lawsuits on behalf of consumers, investors, banks and credit unions have been filed against Heartland.

Number of records affected: According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford.

Date made public: Jan. 20

Metro Nashville School

Guess what? Your Social Security number is on Google. Or at least Metro Nashville students’ SSNs, along with their names, addresses, dates of birth and parents’ demographic information, were available via Google searches. Public Consulting Group, a private contractor, unintentionally put student data on a computer Web server that wasn’t secure, and the data was available online for three months.

Number of records affected: 18,000

Date made public: April 8

Federal Reserve Bank of New York

A former employee of the New York Fed and his brother were arrested on suspicion of obtaining loans using stolen identities. The ex-employee previously worked as an IT analyst at the bank and had access to sensitive employee information, including names, birthdates, Social Security numbers and photographs. A thumb drive attached to his computer was found to have applications for $73,000 in student loans using two stolen identities. Police also found a fake drivers license with the photo of a bank employee who wasn’t the person identified in the license.

Number of records affected: Unknown

Date made public: April 8

Virginia Department of Health Professions

“Give us $10 million, and we’ll return the millions of personal pharmaceutical records we stole from your prescription drug database.” That’s essentially what hackers told the state of Virginia in May. Did they have the goods? A notice posted on the Virginia DHP Web site acknowledged that the site “is currently experiencing technical difficulties which affect computer and e-mail systems.” Some customer identification numbers, which may have been Social Security numbers, were included, but medical histories were not. Subsequently, the state sent out notifications to 530,000 people whose prescription records may have contained SSNs. Also, 1,400 registered users of the database, mostly doctors and pharmacists, who may have provided SSNs when they registered for the program, were alerted.

Number of records affected: Potentially 531,400

Date made public: May 4

University of California, Berkeley

Hackers infiltrated Berkeley’s restricted computer databases, possibly stealing personal information of 160,000 current and former students and alumni. The university said Social Security numbers, health insurance information and non-treatment medical records dating back to 1999 were accessed. The breach was discovered April 21, when administrators performing routine maintenance identified messages left by the hackers and found that restricted electronic databases had been illegally accessed from Oct. 9, 2008 to April 6, 2009. All of the exposed databases were removed from service to prevent further attacks.

Number of records affected: 180,000

Date made public: May 9, 2009

Internal Revenue Service

Guess what the IRS does with your old tax forms? Well, at a dozen disposal facilities, old returns were tossed out in regular waste containers and dumpsters. This work was being conducted by contract employees who, of course, have access to sensitive taxpayer documents but who, the IRS admitted, may or may not have passed background checks. Another problem: the agency wasn’t sure who was supposedly responsible for overseeing the burning or shredding of tax documents at the 12 IRS offices involved.

Number of records affected: unknown

Date made public: May 21


Current and former Aetna employees’ Social Security numbers may have been compromised as the result of a Web site data breach. This was the result of a spam campaign in which intruders obtained email address and possible SSNs from the Aetna Web site. Aetna notified the 65,000 people whose SSNs were on the site and was subsequently sued in a class action suit demanding credit monitoring, punitive damages, cost and other relief for former and potential employees.

Number of records affected: 573,000

Date made public: May 28

Network Solutions

Those damn hackers. Breaking into Web servers provided by e-commerce hosting provider Network Solutions, hackers were able to plant a rogue code that ended up compromising almost 600,000 debit and credit card accounts over a three-month interval. The hackers were able to intercept personal and financial data from customers purchasing goods and services from Network Solutions’ 4,343 clients. Most were SMBs selling online.

Number of records affected: 573,000

Date made public: July 24

National Archives

When a hard drive used for eVetRecs, the system through which veterans request copies of their health records and discharge papers, failed late last year, the National Archives and Records Administration sent it to GMRI, the contractor that sold it to the agency, to be fixed. GMRI decided it was beyond repair and sent it to another vendor to be recycled. The only problem? National Archives didn’t destroy the data on the disk before sending it out to its contractor. The drive held records on 76 million veterans, including Social Security numbers dating to 1972, when the military began using SSNs as service numbers.

Number of records affected: 76 million

Date made public: Oct. 2

Universal American Action Network

Universal Action Network, a subsidiary of Universal American Insurance, sent out postcards to 80,000 Universal clients earlier this month. The problem was that each of the cards included the Social Security numbers of the recipients. Identity theft anyone? Universal blamed the inclusion of the SSNs on a printing error and said it has terminated its contract with the printer.

Number of records affected: 80,000

Date made public: Nov. 18

* * *

Stay Informed With ISR News Alerts:

Email: by FeedBurner
* * *

Laton McCartney is a former editor-in-chief of InformationWeek. He has also been a top editor at several Ziff Davis publications, including Smart Partner. Laton has written for The Washington Post, Fortune and other national publications. He also the author of a number of books, including the best-seller “Friends in High Places: The Bechtel Story.” His latest, “The Teapot Dome Scandal: How Big Oil Bought the Harding White House and Tried to Steal the Country“, will be published in February by Random House. is the first of its kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user generated content and expert editorial together around an open source platform.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

22nd Annual Card Forum and Expo Call for Speakers

22nd Annual Card Forum & Expo

22nd Annual Card Forum & Expo

Call For Speakers & Session Proposals

Submission Deadline: December 14, 2009

Submit a Speaker & Session Proposal

Speaker and session proposals are being accepted for the 22nd annual Card Forum & Expo 2010, taking place May 16-18 at the Hyatt Regency Grand Cypress, Orlando, FL. We are seeking new topics for consideration to include in the conference program. The proposed topics should fall into one of the following categories:

  • Trends in credit, debit and prepaid markets

  • Emerging payments

  • Regulation of the cards and payments industry

  • Loyalty and rewards programs

  • New product development

  • Consumer data and analysis

  • Global card trends

We are looking for practical, insightful presentations, not sales-oriented presentations. For full session criteria and suggestions, please visit the conference website. Proposals must be submitted using the online form. The deadline for proposal submission is Monday, December 14, 2009.

For additional information please contact Emily Otani at

Will Square Make the Payments World Go Round? Exclusive Industry Reaction to Square’s Launch.

BOSTON--(BUSINESS WIRE)--The newly released payment product, Square by Twitter co-founder Jack Dorsey might be a game changer for the payments world or will it? asked the industry and the reactions have been broad and varied.

As noted from one industry exec, “I think what it [Square] means is that internet payments can now go on any phone for physical transactions…” Square’s innovative approach allows anyone to setup a virtual merchant account instantly and three card networks are on board - AmEx, MasterCard and Visa.

Editor's Note: Another made this keen observation: 

"All this does is encode the magstripe data to audio for pickup by the application. Then the application works exactly as a web based payment application. So the only difference between this and a merchant typing their customers card details into a web browser on their iPhone is that they don't have to type the card number, Nothing to see here."

Or, as I commented at the PYMNTS site:

"The hype over this is amazing considering that HomeATM ePayment Solutions came up with a more advanced/better product (PCI 2.x PED Certified) more than a year ago (which also plugs into an earphone jack of any phone). Especially considering that our device not only accepts Credit and Debit but PIN based Debit and Prepaid cards and allows for real-time money transfer
  There's absolutely no question that if Mr. Dorsey was not the Silicon Valley Rock Star he is,(based on the fact that he's the founder of Twitter) the buzz around the product would be closer to the buzz we've gotten over the last 12 months.

I have yet to see anything written regarding the security of the device (i.e. HomeATM utilizes 3DES DUKPT encryption and encrypts the Track 2 data) but nonetheless, it is refreshing to see to see interest in the device as I am of the position that in an "Apple to Apple" comparison, (yes, pun intended) the HomeATM device (with all due respect) is far superior in most every way.  That said, it might make for an interesting story if PYMNTS was the one to conduct that comparison and publish the results. We would certainly be willing to go head to head with the device in a product comparison.

Another posed this simple comment/question:  What about security? Is the device PCI certified?

The press release continues:

For further reactions and to join the discussion on Square’s recent launch, check out is a joint venture between Business Wire, a Berkshire Hathaway Company, and Market Platform Dynamics. It provides a platform for industry professionals to share content related to their latest company and product developments, to tap into the collective commentary and analysis from experts, bloggers and industry pundits, and to interact with industry thought leaders on topics of critical importance to the future of the sector.

For information on contact You can also follow on Twitter at and join the PYMNTS Linked In group.

About Market Platform Dynamics (MPD):

MPD is a management consulting firm that ignites catalyst businesses by leveraging new technologies, business models and pricing strategies. MPD has a wealth of experience within industries that are characterized by complex platform-centered ecosystems, including payments, mobile/telecoms, digital and advertising-supported media, and software-based businesses.

MPD works with both incumbents and new entrants, offering a unique lens into the dynamics that shape the competitive playing field. In addition to traditional consulting-based services, MPD’s Catalyst Ventures provides intellectual and human capital to new firms. MPD’s experts include economists, econometricians, product development specialists, and strategic marketers who apply cutting-edge business theory and statistical methods to the practical problems of building and growing a profitable catalyst business. MPD is headquartered in Cambridge, MA, and has offices in London and Hong Kong.

For more information visit

About Business Wire

Business Wire, a Berkshire Hathaway company, is utilized by tens of thousands of member companies and organizations worldwide to functionally enhance and communicate investor relations and public relations content to target audiences. As a recognized disclosure service in the United States, Canada and a dozen European countries, Business Wire facilitates the simultaneous flow of market-moving press releases from corporations to financial markets and their audiences, including regulatory authorities, media, investors, financial information systems and consumer news services. Business Wire also handles XBRL tagging, document formatting and regulatory filing into EDGAR, SEDAR, FSA and other systems.

Founded in 1961, Business Wire has dual headquarters in San Francisco and New York, with 30 bureaus in cities including Los Angeles, Chicago, Boston, Miami, Paris, Frankfurt, London, Brussels, Tokyo, Toronto and Sydney and reciprocal offices throughout the world. Business Wire's patented NX data platform supports XML, XHTML and XBRL code that enhances news release interactivity, social media sharing and search engine optimization. More information about Business Wire and its services is located on its website at


Market Platform Dynamics

Jonathan Summey, Senior Editor, 617-374-1336

EVP, New Media


Market Platform Dynamics

Karen Webster, President, 617-374-1330


Business Wire

Laura Sturaitis, SVP, +1-800-770-WIRE (9473)


Reblog this post [with Zemanta]

Hackers are Sophisticated, Smart and Ready to Take Advantage of Your Business, Says Chris Mark, Founder of the Society of Payment Security Professionals

Utah Technology Council Breakfast Event, Sponsored by ProPay, Urges Leaders to “Get Rid of Their Data”

SALT LAKE CITY--(BUSINESS WIRE)--In response to recent billion dollar security breaches, the Utah Technology Council (UTC), ( Utah’s premier professional organization, hosted a startling business discussion with Chris Mark, an international expert in the field of data security to discuss strategies for protecting businesses against hackers.

“Hackers take advantage of mistakes you make in order to get a foot in the door of your company,” stated Mark. We often think a hacker is some 19-year-old kid living in his grandmother’s basement, but in reality, they are very smart and sophisticated people, often some of the brightest people around and the only real way to protect your company’s data from hackers is by removing your sensitive data rather than storing it.

Editor's Note:  Which is why Chris Mark's magazine, Secure Payments, featured HomeATM's SafeTPIN and SLIM in their publication.  Not only do we not store the data, but we go above and beyond the security requirements currently in place by 3DES DUKPT encrypting the Track 2 data as well as the PIN.  (Click the graphic to enlarge and read)

Mark added that hackers want to attach malicious software to servers that allows them to steal sensitive data from companies. Some examples of sensitive data include:

  • Credit card numbers

  • Social Security numbers

  • Bank account numbers

  • Bank routing numbers

Additionally, Mark believes that companies must go the extra mile in keeping themselves protected, yet most people learn this lesson after a breach or hack. “It’s mere child’s play for a hacker to create malicious software that can get past your anti-virus software,” he said. “Increasing your data security makes it more difficult for the hacker to get inside. Many times this is the difference in a breach or security.”

“Today’s discussion was a definite eye-opener,” said Richard R. Nelson, president and CEO of UTC. “Hackers are a living, breathing, ugly entity that most of us know little about, and we must have a reality check to increase awareness and security to protect our businesses and our homes. This was one of our most compelling UTC breakfast events.”

To learn more about future UTC events, visit or call 801-568-3500.

About Utah Technology Council

Utah's premier professional association, the Utah Technology Council has become the essential business resource for life science and high-tech companies seeking to achieve greater success. At its core, UTC exists to foster the Growth of the state's more than 5,000 technology companies, ensure Utah develops the highest Quality Workforce in the nation and attract an ever-increasing array of Funding. Members join UTC to share insights with industry peers, counsel with government and academic leaders and receive help from professional service providers and funding resources. To become a member of this "must-join" organization, visit or call 801-568-3500 today.

About ProPay

Since 1997, ProPay has led the market in providing simple, safe and affordable credit card processing and electronic payment services for businesses ranging from the small, home-based entrepreneur to multi-billion-dollar enterprises.

ProPay understands the unique needs of these businesses and has created merchant services specifically for them. With ProPay, merchants can set up accounts online and begin accepting credit cards without buying special equipment or making long-term commitments or investments. ProPay leads out in educating merchants about how to reduce or eliminate the risk of touching or holding sensitive cardholder data. The company also leads the payments market in the development of secure end-to-end solutions for protecting sensitive data and of alternative payment options that significantly reduce business costs. For further information, visit

Corporate Cards Need Trust and Security Too, says Todos

We couldn't agree more...especially with the recent rash of online banking fraud and wire transfers using money mules that has plagued the business sector.  It makes imminently more sense for a business to swipe their corporate card and enter their PIN in order to access their online banking account.  It makes even more sense to do the same when conducting wire transfers and requiring the recipient of said transfer do the same thing on their end... 


It's not just consumer cards that are at risk from theft and fraud. This is why Nordea has chosen Todos to secure its First Card corporate customers.


GOTHENBURG, SWEDEN - DECEMBER 03, 2009 - Companies increasingly use credit cards for corporate purchasing, employee expenses and cost control. However, they are at risk from identity thieves, man-in-the-middle attacks, breaches in SSL encryption and plain old-fashioned fraud. Because they have higher credit limits than most consumer cards they are particularly prized by online criminals.

This explains why card issuers are showing increasing interest in enhanced security for corporate cards. For example, they can use systems such as Verified by Visa or Mastercard SecureCode to insist on two-factor authentication using smart card readers.

A recent sales success by Todos illustrates the trend. First Card is Nordea’s card division for business customers. They have recently ordered 30,000 Todos C200 card readers for their customers in Denmark and Norway. They already have 150,000 devices for their Swedish clients.

Using card readers is more secure than using a static password alone because it makes it much harder for online criminals to impersonate real bank customers. Thanks to advanced Todos features including Dynamic Signatures and Secure Domain Separation, Nordea gains additional security compared to other devices from other vendors.

“Although there is a lot of attention on consumer card fraud, and rightly so, but banks should not overlook the security of their corporate customers,” says Ulf Dahlberg, Sales Director Nordic Region at Todos. “With Todos, banks can reassure their most important customers and offer them devices that are easy to use, trustworthy and flexible.”


Todos AB helps banks and other businesses create trusted, secure relationships with their customers online. Founded in 1987, Todos designs, develops, delivers and supports strong authentication and transaction verification for eBanking and eCommerce. We have delivered over 20m products to 100+ financial institutions in more than 30 countries. When trust matters, trust Todos.

For further information please contact:

John Ahlberg, Communications Director

Todos AB

+46 31 775 88 00

Disqus for ePayment News