Tuesday, March 17, 2009

Tomorrow - The 2009 Data Security Summit

Earlier this afternoon I arrived in Park City, Utah and, along with HomeATM Chairman and CEO, Ken Mages, met the good folks at ProPay.   

Tomorrow morning I will be attending the 2009 Data Security Summit, hosted by ProPay. 

Look for periodic posts during the day, bringing you highlights from the event.

Speakers include:

Bob Russo, General Manager of the PCI Security Standards Council

Chris Mark, Founder and CEO of Aegenis and founder of the Society of Secure Payments Professionals, and others.

Other speakers include John Verdeschi - MasterCard, Michael Dortch and Dr. Heather Mark.

Also, HomeATM expects to announce tomorrow that our SafeTPIN device has been officially designated as a PCI PED 2.0 certified hardware device. 

HomeATM is proud and honored to forever own the distinction as being the very first Online PIN Debit Solution to be PCI 2.0 certified.    

Kudos to the engineering department at HomeATM.  Quite an achievement.


HomeATM PCI PED 2.0 Certification Imminent

Just received notification from Witham Labs that HomeATM's Safe"T"PIN (the "T" stands for "Transaction") should officially receive PCI 2.0 PED certification from PCI.

Here's the notification from Witham Labs. 

Hello Ben, Susan, and Kenneth,

We've been tracking the approval status of the report, and received this from PCI this morning in response to our request about the status:

"Barring any last minute holdups by the PED group, HomeATM should clear the report cycle tomorrow."

I will continue to keep you informed of the status.

Best regards,


Andrew Jamieson
Technical Manager
Witham Laboratories
1/842 High Street
Kew East
Victoria 3102

*Download the Q4 2008 Witham newsletter from* http://www.withamlabs.com/component/content/article/224.html

 More about PED Evaluations from Witham Labs

Security & Compliance - PIN Entry Device Evaluations

Witham Laboratories specialises in the independent security evaluation of all security aspects of payment devices - particularly PIN Entry Devices and those providing cryptographic services. 

We are accredited to evaluate devices against international standards such as those of the Payment Card Industry (PCI), as well as local standards of varying regions, such as those of the Australian Payments Clearing Association (APCA).

Our clients actively seek us from around the world for our flexibility, innovation and expertise:
  • Our evaluations cover both physical and logical security
  • Evaluations can be performed to a customer specified level or against industry standards
  • Many of our clients take advantage of our ability to produce reports for multiple payment schemes, minimising the cost and time involved
  • We are at the leading edge for knowledge of current best practice and evolving industry requirements

PCI PIN Entry Device requirements

A presentation detailing the PCI PED testing and evaluation process can be downloaded here

All devices that accept MasterCard, Visa, JCB, Discover, or American Express PINs must be evaluated by a PCI approved laboratory. Witham Laboratories is the only organisation in the Asia-Pacific region accredited by the PCI to test PIN Entry Devices (PEDs), among only eight in the world.

Witham Laboratories can perform full evaluations on any device, and provide guidance to assist in the understanding of the PCI criteria, which can often be daunting. PCI currently have standards for the evaluation of POS PIN Entry Devices (POS PED), and Encrypting PIN Pads (EPP). New standards for Unattended Payment Terminals (UPT) and Hardware Security Modules (HSM) are under consideration.

Our clients find our knowledge on how the PCI criteria apply to their individual products invaluable. As an independent laboratory, we are not permitted to assist in the design of a product, but we offer a pre-evaluation service to begin assisting clients as early as possible in their projects.

Experience has shown that a pre-evaluation helps to avoid problems early in the design of a product, saving time and money further down the track. Many devices are not compliant with the PCI standard when submitted for the first evaluation.

We strongly recommend that additional time is factored into projects to allow for additional evaluations, and that the cost of a second evaluation is considered when comparing prices.

APCA requirements for PIN Entry Devices

All PIN Entry Devices for the Australian market must be evaluated by an APCA approved laboratory. Witham Laboratories is the only APCA accredited laboratory in the Asia-Pacific region.

As we are Australian based, we have close ties to APCA and can provide important insight into the requirements and processes involved in gaining accreditation. The APCA requirements are provided in Standards Australia's AS 2805.14, which is similar to ISO 13491, from the International Organization of Standardization.

Currently, APCA recognises the evaluation of POS PIN Entry Devices (POS PED), Automatic Teller Machines (ATM), Hardware Security Modules (HSM), and Encrypting PIN Pads. We are the only laboratory with experience in evaluating all of these devices to APCA requirements.

Witham Laboratories is the premium provider of evaluations in the Asia-Pacific region:
  • We can conduct multiple evaluations at a discounted price for clients who want to gain both PCI and APCA approval, saving both time and money. Devices that will accept MasterCard, Visa, or JCB PINs in Australia will need APCA and PCI certification
  • The APCA requirements contain several subtle differences to those of PCI, and our clients have found that our detailed understanding of these differences has greatly assisted them when bringing products into the Australian market

The evaluation process

Once supplied with a minimum level of samples and supporting documentation, our evaluations are conducted as quickly and efficiently as possible - typically 4 weeks for a full report. A full APCA evaluation will take about 4 weeks as well. Once the report is completed, we seek client's approval before sending it to APCA for accreditation. This can take 2-4 weeks.

We happily provide valuable feedback to our clients throughout evaluations, maintaining close contact and offering as much advice and guidance as possible. Our advice has assisted a number of manufacturers to quickly bring their products into compliance with the new PCI requirements.

Man Tries to Needle ATM User into Giving up PIN

Woman Attacked By Man With Needle At ATM

The Bank of America ATM in Salem, New Hampshire where the woman was attacked March 12.

Police are looking for a man who terrified a woman by trying to rob her at an ATM while armed with a hypodermic needle.

It happened Thursday night at a Bank of America kiosk on Route 28 in Salem, New Hampshire near the Methuen border.   A 35-year-old woman went to the ATM around 7:30 p.m. and a man snuck up and grabbed her from behind.

She told police he held the needle to her neck and demanded money. When she told him she had nothing he ran off.

Officers from Salem and Methuen and search dogs were called in, but they found nothing.  Police are having a difficult time in their investigation because the video surveillance system at the ATM was broken at the time of the attack.

The woman was not seriously hurt.  She described her attacker as a young white man in his mid 20's, about six-feet tall, with freckles and facial hair.  He was wearing an olive pullover sweatshirt and black gloves.

Anyone with information should call Salem Police at (603) 893-1911.


Airlines Tackle $1.4 Billion Online Fraud Challenge

Profit protection is key in tough economic environment; Business airlines see lowest fraud losses

MOUNTAIN VIEW, Calif. - March 16, 2009

New survey findings released today show airlines worldwide lost over $1.4 billion to online fraudsters in 2008, about 1.3% of worldwide airlines' online revenue. The data comes from a new independent Airline Online Fraud Survey commissioned by CyberSource Corporation [NASDAQ: CYBS] in association with Airline Information LLC and completed January, 2009.

Airlines are on the front line of the battle against online fraud--33% of the industry's revenues derive from eCommerce, three times the proportion of sales transacted online by non-travel companies--so efficient management of the problem is of critical concern to the airlines.

Editor's Note:  HomeATM is in discussions with all the major airlines, as a PIN Debit solution would provide not only a more secure dually authenticated e-transaction, but would also reduce their Interchange Fees.  Remember, by SwipePIN your card, it becomes a "card present" transaction.  In addition our device provides a true PIN Debit solution, therefore, chargebacks are virtually eliminated and Interchange is reduced further.

According to survey data, the ways airlines manage fraud vary significantly by airline category. In 2008, business-class airlines, with higher-priced tickets to protect, typically embraced profit protection measures, whereas low-cost carriers tended to focus on revenue capture. On average, business airlines used the most fraud detection tools (6.5 tools per business-class airline), had the highest rate of manual review (47%), and rejected more bookings due to suspicion of fraud (3.6%). Conversely, low-cost carriers used the least number of automated screening tools (4.9 tools per low-cost carrier), were less likely to manually review bookings (13%), and rejected fewer bookings due to suspicion of fraud (2%). The result of these differing strategies is that in 2008 business airlines lost 1.1% of their revenues to fraud and low-cost carriers, by contrast, lost 1.6%.

"The good news is that solutions exist," said Christopher Staab, Managing Partner of Airline Information, an airline industry organization. "Improving the efficiency of fraud management is one of the quickest cost-cutting moves airlines have at their disposal." Fraud management tactics vary widely by region.

North American-based companies relied far more heavily on detection tools, employing an average of 7.5 tools vs. a European average of 5.4--the overall world average is 5.8. North American airlines manually reviewed only 3% of their bookings whereas Middle Eastern-based airlines manually reviewed 81%.

European and Asia Pacific-based airlines manually reviewed 22% and 49% of their bookings respectively.

According to Dr. Akif Khan, CyberSource Head of Client and Technical Services in the UK, "These findings highlight the need for airlines to adopt a more automated, holistic approach to fraud management--from initial screening through booking review and disposition. Improving the accuracy of automated screening is key. In doing so, they can reduce overhead costs associated with manual review, as well as improve revenue capture and lower fraud loss. With the right tools, airlines can realize these benefits in a matter of weeks--not years."

To see the full survey -- for journalists: please call or email any of the contacts listed below. For all others: please visit http://forms.cybersource.com/forms/airlinefraudpr

The Airline Online Fraud Survey was commissioned by CyberSource Corporation. The data was compiled in an online survey conducted by Mindwave Research in the U.S., and additional phone follow-ups were conducted by Vanson Bourne Ltd. in the U.K. The surveys were fielded December 1, 2008 through January 16, 2009 and yielded 99 qualified and complete responses. Incentive to respondents included a summary of the research.

About CyberSource

CyberSource Corporation is a leading provider of electronic payment and risk management solutions. CyberSource solutions enable electronic payment processing for Web, call center, and POS environments. CyberSource also offers industry leading risk management solutions for merchants accepting card-not-present transactions. CyberSource Professional Services designs, integrates, and optimizes commerce transaction processing systems.

Approximately 253,000 businesses use CyberSource solutions, including half the companies comprising the Dow Jones Industrial Average. The company is headquartered in Mountain View, California, and has sales and service offices in Japan, the United Kingdom, and other locations in the United States including Bellevue, Washington and American Fork, Utah.

For more information on CyberSource please visit www.cybersource.com or email info@cybersource.com. For more information on Authorize.Net small business solutions, please visit www.authorize.net or email sales@authorize.net.

Editorial Contact:

Bruce Frymire
CyberSource Corporation


TMG Rolls Out Fraud and Risk Analysis Service for Credit Unions

Des Moines, Iowa, Mar. 17, 2009 -- In an effort to help credit unions better manage credit and debit card fraud, TMG (The Members Group) is today rolling out its customizable Fraud & Risk Analysis program.

Using a custom process developed by TMG’s fraud department, TMG fraud experts analyze 12 months of a credit union’s fraud cases to pinpoint exactly where fraud is originating. After the analysis is complete, TMG’s fraud experts recommend and help implement new fraud strategies to minimize future risk.

Beta testing the analysis program with Vermont State Employees Credit Union in 2008, TMG’s newly implemented strategies stopped an estimated $20,000 in potential fraud loss for the Montpelier-based credit union.

“The savings potential of TMG’s new program is enormous,” said Victoria Boudreault, Vermont State Employees’ Deposit Operations Manager. “Losses from fraud are only one area of savings, as this program also protects interchange income, customer service demands, and most importantly, our reputation among cardholders.”

According to TMG Cards Risk Senior Manager Karen Postma, ideal clients of the Fraud & Risk Analysis program are credit unions with a card base greater than 15,000 that also have the flexibility to modify their fraud strategies.

“It’s important to TMG that our credit union clients be able to modify their existing strategies in a way that is completely transparent to members,” said Postma. “We are skilled in our ability to carve out exactly the strategies that will decrease fraud without sacrificing interchange income or disrupting member cardholder experience.”

TMG predicts a typical program will take between six and seven weeks to complete and recommends an annual analysis to stay on top of trends and minimize exposure to risk.

As an added bonus, clients of TMG’s Fraud & Risk Analysis program receive a TMG-developed decision matrix that guides credit unions through the decision making process while experiencing a compromise.

About Vermont State Employees Credit Union
The Vermont State Employees Credit Union is a not-for-profit financial cooperative that offers a full range of affordable financial products and services to its member-owners. People eligible to join the credit union include anyone who lives or works in Vermont’s Addison, Caledonia, Chittenden, Lamoille, Orange, Rutland or Washington counties, along with Vermont's state employees and their families. For more information about VSECU, visit www.vsecu.com .

About TMG
Owned by the Iowa Credit Union League, TMG is a financial services organization dedicated to providing innovative customized solutions to credit unions and financial institutions across North America. TMG’s core products include credit, debit, ATM and prepaid solutions, as well as online reporting, item processing, ACH, ALM and printing services. TMG’s prepaid card products are branded ATIRA. For more information, visit www.TheMembersGroup.com .

Source: Company press release. 


Pay(Me Later)Pal

EBay Set to Merge PayPal and Bill Me Later Systems

American Banker | By Daniel Wolfe

EBay Inc. hopes that combining the risk management strengths of its PayPal Inc. unit with new features designed to attract new types of users will help it become a global leader in online payments.

The San Jose e-commerce company shared its plans for PayPal during an analyst presentation Wednesday, including details on how it will incorporate Bill Me Later Inc., the instant credit provider it purchased in November, and an open development platform it expects to roll out this year.

John Donahoe, eBay's president and chief executive, described online payments as a winner-take-all market and said he expects PayPal to become one of the top global brands, in contrast to the online retail market, where he expects his company's auction service to be one merchant among many.

Continue Reading at:

Bank Technology News
