Friday, January 23, 2009

Heartland CEO Talks

It took a couple of days, but somehow Heartland's CEO was able to spin the breach into a positive for his company. After all, they've added 400 merchants in the last few days, because of our record of "candor" (first words in since Tuesday), "fair dealing" (no free consumer credit reports like RBS Worldpay?), "transparency" (oh, you must mean that "transparent" inaugural day hidden press release) and so...on...wait, make that, so fact, way off.

Remember Tylenol? People still buy it, right? Yeah, they do, because it doesn't "remind them of the headache, it cures it."

Tylenol? Please, accepting that analogy's a little tough to swallow (pun intended) considering that the Tylenol tampering resulted in multiple deaths. Maybe that's the point...that nobody died? Oh, I guess it's not so bad then. It could have been worse. I buy Tylenol (I think), but this? Maybe if it was less cheerleaderesque and more quarterbackescent. Then again, maybe the PR did HPS some good. The stock is up double digits (10.15% or .83 cents right now). We'll know at the end of the day...and the Bad Ticker will track Heartland until February 14th.

Company Reports Continued Growth of Merchant Base

PRINCETON, N.J., Jan. 23 /PRNewswire-FirstCall/ -- Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year.

"Our organization and business model founded on fair dealings, transparency and merchant advocacy have paid off these past few days," stated Robert O. Carr, Heartland's founder, chairman and chief executive officer. "This is demonstrated in the continued organic growth of our merchant base. Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning. Our record of candor, fair dealing, no arbitrary rate increases since our formation almost 12 years ago and superior customer service is highly valued.

"Merchants continue to respect Heartland for the manner in which we do business. They appreciate our ongoing efforts to help them manage the costs and complexities of payments processing," Carr continued. "Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.

Over the past few days, Carr has been talking to many industry leaders about working together to fight the cyber criminals who victimized Heartland and continue to jeopardize companies, consumers and data worldwide.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," Carr noted. "Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive for the public, the financial institutions which issue credit/debit cards and payments processors.

Carr concluded, "Just as the Tylenol(R) crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data at rest as well as data in motion - as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.

Source: Company Press Release


Alternative Payment Market Report

Packaged Facts Releases Alternative Payments Market Report

Online shopping, peer-to-peer connections and safer, more secure online services are the fundamentals driving the growth of consumer online alternative payments in the United States. In this all-new Packaged Facts report, the current and future market landscape is analyzed, which Packaged Facts estimates at $37.3 billion in 2007, up 33% over 2006.

Packaged Facts presents the market for alternative payments in relation to both the business-to-consumer (B2C) ecommerce market and the total "consumer" payments market. The report presents the size and growth of the market using several key metrics, including paper payments, card payments and electronic payments, as well as trends and factors that affect the industry. Special regard is given to the activity of top players and the varied upstarts, particularly in mobile payments, hoping to steal share and further alter the old school payments paradigm. Major key competitors are profiled, along with a focused analysis of consumer payment demographics and preferences.

Note: Packaged Facts defines alternative payments as entirely electronic and predominantly conducted over the Internet (though not all are conducted through the ACH network). Generally, alternative payments exclude all forms of paper and any debit or credit card where the purchase or remittance is made directly with that medium. The most common alternative payments are consumer-to-business purchases and peer-to-peer, also referred to as person-to-person (P2P) payments.

PIN Debit Payments Blog


Cards Replacement Task Begins...

A significant number of First Commonwealth Bank customers soon will receive new debit cards.

The Indiana, Pa.-based bank recently was notified by the Fraud Management Department of MasterCard International of a data security breach of a U.S.-based merchant which has since been identified as a card processor, Heartland Payment Systems of Princeton, N.J.

Affected customers soon will receive a new debit card but will keep their same PIN number.

"This was a payment processor so this is pretty unusual," Fulgenzio said. "MasterCard and Visa do a good job enforcing their rules and regulations. I think the situation is getting better because Visa and Mastercard are getting stricter with penalties for the compromise of data."

However, when breaches occur, customers are protected. "Any time there is an unauthorized transaction, the customer is protected by the Electronic Fraud Transaction Act," Fulgenzio said. "The customers are covered by these kinds of transactions, but it does create a hassle. They will not lose their money."

Platte Valley Companies and First State Bank have canceled bank cards for nearly 600 customers after learning the records of a third-party credit card processor were compromised.

"Upon notification by the VISA Alert and its high risk level, Platte Valley Bank made the decision and took immediate steps to block the cards affected, to prevent fraud and safeguard its cardholders. Platte Valley Bank began notifying its VISA Debit Card customers of the data breach and status of their cards. New cards will be issued upon receipt of application from those customers affected."

Forcht Bank - Kentucky's Forcht Bank has canceled more than 8,500 debit cards, and it's likely other banks will soon be taking similar steps. Forcht disabled 8,500 debit cards after learning hackers accessed data belonging to a company that processes debit card transactions from merchants. New cards will be sent to those customers in the next week to 10 days.

Editor's Note: So that's 600 + 8500 + "significant." Assuming "significant" is 90,000 cards, then Heartland only has to pay for the remainder of the 99 million plus cards that need to be replaced...

Update:  Heartland has no plans of closing its doors, as eventually was the case with payment processor CardSystems Solutions, which itself suffered a devastating breach in 2005. "We're going to be a better company for it," a Heartland spokesman said.   (Yeah, and college cheerleaders still jump up and down with their team down 51-0, let alone 100 million to nothing.)

For those who are interested in reading more...there's a good story on the banks' start of their card replacement triggered by the Heartland Breach at:


Tom Ridge at MRC



(Seattle, WA - January 23, 2009) The Merchant Risk Council (MRC) is pleased to announce the addition of former US Congressman, Governor of Pennsylvania and the nation’s first Secretary of Homeland Security, Tom Ridge, as a special keynote speaker for the MRC’s 7th Annual e-Commerce Payments and Risk Conference at the Wynn Las Vegas Resort on March 10-12, 2009.

Ridge will address e-Commerce security, fraud, risk and payments experts on growing cyber security issues that affect both US security and the US and global economies.

"We know that there are connections between e-Commerce fraud risk and national and economic security," says Tom Donlea, MRC executive director. "The issues that retailers face and the crime groups that target them are often the same threats that Homeland Security is tracking. Governor Ridge's insights on the topics of global risk and emerging threats will prove an invaluable asset for the world leaders in e-Commerce."

The primary themes of the 2009 conference are: Fighting New Patterns of Fraud and Cybercrime; Emerging Risk Management Trends; and Global Online Payment Strategies.

The MRC Annual Conference includes more than 40 speakers and panelists, 30 unique sessions and 40 payment and risk industry exhibitors all delivering valuable insight and information on the growth, diversity and risks associated with e-Commerce.

The Honorable Tom Ridge is currently the president and CEO of Ridge Global LLC. As the company's chief executive, he leads a team of international experts who help businesses and governments address a range of needs throughout their organizations, including risk management and global trade security, strategic business generation, technology integration, event security, crisis management, campus security and other issues that encompass a diverse portfolio.

Governor Ridge's presentation is sponsored by Ethoca, a leader in collaborative fraud management and an MRC Signature Sponsor Member.

"We are excited to sponsor Secretary Ridge's presentation at the MRC Annual Conference," states Andre Edelbrock, Ethoca's CEO. "The MRC is all about online merchants working together to mitigate risk and stay on top of new and growing threats, and Mr. Ridge's insights into global risk and security issues dovetail with the MRC’s vision of creating a safer and more profitable e-Commerce environment for all stakeholders."

founder Terry Jones will deliver the conference’s official opening keynote speech, focusing on the business of innovation. The conference’s closing keynote will be delivered by Dateline NBC correspondent Chris Hansen, sharing his findings on the rapidly maturing underworld of cybercrime.

For full conference schedule, registration and exhibition information, please visit the MRC website at

About the MRC Annual Conference
The Merchant Risk Council 7th Annual e-Commerce Payments and Risk Conference will be held at the Wynn Las Vegas Resort on March 10-12, 2009. The 7th Annual e-Commerce Payments and Risk Conference unites the world's top Internet merchants, credit card companies, risk management providers, law enforcement agencies and various consultants and educators in discussing how to make shopping on the internet easier, safer and more profitable for all involved.
Conference Sponsors include:

* Chase Paymentech: Primary sponsor of the 2009 General Conference
* Accertify: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* iovation: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* Clear Commerce/Certegy: Sponsor of the Opening Night Welcome Reception
* Ethoca: Sponsor of Speaker Tom Ridge
* Experian: Sponsor of Speaker Terry Jones
* Discover: Sponsor of Closing Speaker Chris Hansen and the Closing Conference

For registration or exhibition information at this conference, please visit the MRC’s website at

About the Merchant Risk Council
The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education and advocacy programs to make electronic commerce more efficient, safe and profitable.

Today, with the power of our member-base, the MRC is the leading trade association for managing payments, preventing online fraud and promoting secure e-Commerce. The MRC is dedicated to working with e-Commerce and multi-channel merchants, credit card issuers, credit card companies, alternative payment providers, risk management experts, and law enforcement to make the Internet a safer and more profitable place to do business.

The MRC Board of Directors and Advisors includes: Expedia, Inc., Adobe Systems, Inc., Neiman Marcus Direct, 41st Parameter, Apple,, Bill Me Later, Blizzard Entertainment, Chase Paymentech, CyberSource Corporation, Dell, Inc., Discover Network, Gap, Inc. Direct, iovation, Microsoft, Trustwave, and Visa, Inc.

The MRC is headquartered in Seattle, Washington.

About Ethoca
Ethoca is making e-commerce safer and more profitable through technology that enables and empowers the Global Fraud-Fighting Community - a partnership of e-commerce businesses, law enforcement organizations, fraud solution vendors, credit issuers and payment processors.

By providing a global platform for cross-industry collaboration, Ethoca enables businesses that operate in customer-not-present environments (Internet, phone, fax or mail) to make more informed decisions about their customer transactions, by pooling transaction experience data from the community in a way that is secure, automated, effective and ethical. Community members see reduced fraud, lower fraud-related costs, increased revenue from fewer wrongly rejected orders and improved customer satisfaction rates.

Source: Company Press Release

Data Isn't but V/MC's Protected

In my last post, I ended it by saying that Heartland's only chance for survival is getting the dynamic duopoly, a.k.a. V/MC, to cover the costs incurred by the banks having to replace consumer cards. I thought they had a decent argument, given the fact that they were PCI compliant.

Well, I just got done reading an article which contained a statement from Visa regarding PCI that seems to thwart any legal argument Heartland may have.

You see, apparently the data might not be protected, but V/MC has certainly made sure that they are.

Information Week's Andrew Conry-Murray, in an article titled, "PCI is Meaningless, But We Still Need It", points out:

Assessments "do not guarantee that those security controls remain in place after the review is complete."  In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off.

He goes on to say: "I believe PCI was constructed this way for two reasons.

First, it absolves the assessors and the card brands of any liability should a compliant company get breached.  The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows."

Yes, and it looks like Heartland gets to play the part of roadkill...
the banks/V/MC get to pick their part,  scratch that, pick-a-part  in their role as a "murder of crows."

Heartland's tough battle just got tougher...and the prognosis isn't good.  Lizbith...dis is da big one!


Questions About PCI Effectiveness - Network World

I saw an interesting article in Network World, which basically questions PCI's effectiveness in the wake of the RBS and Heartland breaches. In a post I wrote earlier this week, "In God We Trust, Visa/MC is Another Issue(r)," I wrote:

"The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payment system at its very core. Whether it's Visa, MasterCard or NACHA, if any of these systems are breached, it's the end of e-payments as we know it. Do they know it?"

I'm aware of someone else who knows this. In the article, Avivah Litan points out some very interesting facts, some of which I've included below. To read the entire article, click the Network World link below:

Heartland breach raises questions about PCI standard's effectiveness - Network World

It's not yet known if Heartland Payment Systems' newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded.

"Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan.  "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt."

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers.

"The processors are definitely being targeted," Litan says, noting that once a breach occurs, it can have a terrible impact on business. CardSystems, which suffered a data breach in 2005, was basically put out of business as a result of it.

Editor's Note: Speaking of impact, will Heartland ever recover from this nightmare? There's definitely a black cloud hanging over it. Yesterday their stock went into a free fall, ending 42% lower than it started out. I expect a significant merchant attrition impact, so even if they do come out of it, it won't be as the nation's 6th largest acquirer. At the end of the day, I believe what determines Heartland's survival is whether they (or their lawyers) can get Visa/MC to cover the banks' cost of replacing all the debit/credit cards.

You might think that the fact that they were PCI certified and that the data was encrypted when it left the building, but unencrypted at the V/MC level, would provide fodder for a good argument. I have the sneaky feeling that the "dynamic duopoly" will hold that Heartland is liable. It's going to get messier before it gets prettier, no doubt.
