Monday, May 11, 2009

Heartland NOT PCI Compliant When Breached!

Both Visa and MasterCard have officially gone on the record saying that Heartland Payment Systems was NOT PCI compliant at the time of the breach.

When you take that into account and add the following 9 items, things don't look so good for Heartland Payment Systems:
  1. MasterCard has levied a $6 million fine against the company
  2. Visa has not yet announced the amount of their fine.
  3. The breach (so far) has cost Heartland $12.6 million
  4. HPY has seen a $100+ million drop in their market cap
  5. Shareholders have filed a class-action lawsuit
  6. Consumers have filed class-action lawsuit
  7. Banks have filed a class-action lawsuit
  8. Robert O. Carr is being investigated by the SEC for possible stock trading improprieties
  9. The last processor (CardSystems) to be breached went belly-up

    Heartland wants to talk about "end-to-end encryption" (E2EE) but it's too late.  If they were NOT PCI compliant, the end-to-end is over...what begins now is the "beginning of their end."  Any guesses as to how they'll end up?  Hint: This does not get categorized as "Tales from Encrypt."  Back to plain ol'

    Here's why they are dead in the water.  Attorneys' fees and the potential for treble damages on not one, not two, but THREE class-action lawsuits will "definitely" take their toll.  But of more immediate concern is the cost to reimburse the banks for having to reissue all those new bank cards.  Some have estimated that cost at upwards of $200 per replacement.  Some have estimated that 100 million accounts were breached.  One million reissued cards would cost Heartland $200 million.

    But is Robert O. Carr done?  At least Bobby O. made millions from the sale of his shares between the time the breach occurred and the time it was announced.  (To refresh your memory, Heartland displayed the utmost in transparency when deciding to announce the "biggest breach" in the history of the United States during Barack Obama's inauguration.)

    Gee, what a coincidence, eh?  As coincidental as selling hundreds of thousands of shares of stock after the breach occurred. 

    Some of you might be wondering why I'm so hard on poor, poor Robert (Bob) O. Carr.  I know it's noticeable to those who read my Heartland posts, but I'm not quite sure if I ever did explain my sarcastic disdain.

    Let me tell you about the time I met Bob Carr face to face.  It was down in St. Louis, in 1997 I believe, the weekend he was recruiting his initial influx of ISOs for Heartland Payment Systems.  I talked with him for about 15-20 minutes and stood around for another 25 or so listening to him talk to others and...suffice it to say that he was one of the most brutally arrogant SOBs I've had the displeasure to meet in my life.  Now let me be clear.  I don't mind the "self-confident" arrogance.  I'm talking about the condescending, "I'm better than everybody" arrogance.  You know, the kind of arrogance that permeates the room with my-shit-don't-stinkedness?  The kind of arrogance that screams "rules don't apply to me"?  Speaking of which, I for one won't be surprised in the least if the SEC investigation turns up evidence of "rules don't apply to me" behavior.

    He may have changed since 1997, however...press-releasing the breach on Inauguration Day says differently.  Where was the end-to-end encryption before the breach?  Too late now.  You've lost millions, Bobo...and in my humble opinion, it couldn't have happened to a better (than everybody) guy!

Heartland Data Breach: Is End-to-End Encryption the Answer?

The announcement by Heartland Payment Systems (HPY) that it will offer its merchants end-to-end encryption capabilities is seen as a positive step by industry experts. Yet these same experts also warn that this measure will not solve all of the security issues that Heartland and other payment processors face from hackers.

In Heartland's first-quarter earnings call last Thursday, company officials said that so far last year's well-publicized data breach has cost them $12.6 million. The amount includes legal costs and fines from Visa and MasterCard, both of which have stated the payment processor wasn't compliant with PCI standards at the time of the breach.

Read Entire Article


Twitter This...Twitter That... is all the rage, and many banks have taken note.  But is there a business case behind Twittering? 

Twitter now ranks as the third most trafficked social networking site, behind Facebook and Myspace, and has achieved a certain cultural stature. With that said, FaceBook and Myspace still don't really have a business model either. 

American Banker reports that more than a dozen banks have set themselves up on Twitter.  Right now it's a hot commodity.  Think about it.  Its very name, like Google, is now a verb!  I have to admit, I don't get it.  Sure, I "tweet" these blog posts, and have watched in amazement as people start "following," but I still don't get it.

Next thing you know Twitter will be everywhere.  I can see it now...

Twitter me This!

Is it true that the script for the new Batman Forever movie calls for plans to introduce a new character called "The Twitterer"?

Scary!  Speaking of which, come next October are kids going to come to our door and say Trick or Tweet?

Will people then develop a Tweet Tooth?   

God I hope not.  Nobody asked, but here's my opinion: if I were the "King Tweety Bird" I'd take $700 million for that business in a "heartbeat."

I heard from a little birdy that's what they were offered.  If so, it's not worth it to place a $700 million bet on whether or not this is a passing fad.  Banking $700 million is all the rage.  Speaking of Facebook, does anybody know their business model?  How about Myspace?  YouTube's business model is apparently to lose $2 million per month.

If you're "bent" on following breaking payments industry news, sign up for our newsletter...or visit often.  If you are hell bent on Twitter and want to follow the PIN Payments News Blog (even if it's just for the pictures)  click the graphic above right! 

Getting back to business models:  If you're King Tweety Bird, (a.k.a. Jack Dorsey) either sell it for $700 million...or call HomeATM to discuss your payments idea...which you aptly code-named "Squirrel."  It's a good idea.  It can make Twitter a ton of cash.  So call us...we can help!

But be aware...we had previously code-named that very same idea "patent pending".  Let's compare notes!


Heartland Starts Its Slow Climb Off the Canvas

Bank Technology News contributor, John Adams, writes that Heartland is still reeling from the left hook thrown by Hackers:

Heartland Starts its Slow Climb off the Canvas

Bank Technology News | May 2009
By John Adams

Heartland Payment Systems is still taking its standing eight count after one of the worst data breaches in history, but with its Visa PCI DSS validation restored, the firm hopes to emerge with a sober lesson it can share with other firms to prevent future breaches.

“We now have a greater appreciation for how brazen some of these organized cybercriminals are,” says Jason Maloni, a spokesman for Heartland in Princeton, NJ.

Count that as at least $12.5 million in appreciation—the amount the breach has cost the company thus far, including legal costs and fines from MasterCard and Visa. Heartland successfully completed its annual Payment Card Industry Data Security Standard (PCI DSS) assessment and has returned to Visa’s list of validated service providers. Visa had suspended Heartland, placing it on probation, though the firm was still allowed to process credit card transactions. Heartland, which reported a $2.5 million first quarter loss last week compared to net income of nearly $9 million in 2008, also faces a handful of class action suits connected to the breach.

Continue Reading at Bank Technology News via American Banker


Hackers on Campus

Who’s doing it and what’s being done to prevent it

by Zack Martin, Editor, Avisian Publications

Hacking can mean many things. The image it conjures for most is that of a young man in a dark room lit by nothing more than the glow of a computer monitor, trying to break into some top-secret government system or steal credit card numbers.

On college campuses hacking can mean a number of different things and threats can come from students as well as outsiders. Hackers attack university databases and systems but they also are targeting the student ID card.

Several high-profile incidents have hit close to home with the campus card community, but securing cards isn’t enough. Universities need to secure payment and IT networks as well or risk data falling into the hands of hackers.

What happened at Harvard is just about a campus card director’s worst nightmare. In July 2008 a Harvard undergraduate student was caught making fake Harvard University ID cards. Not just any cards, but duplicate cards of those belonging to the University President Drew G. Faust, Assistant Dean of the College Paul J. McLoughlin II, and Dunster House Superintendent H. Joseph O’Connor, according to the Harvard Crimson.

The student was able to replicate the magnetic stripe on the back of the card and gain access to buildings and gates across campus with only knowledge of the individual’s university ID numbers and a $200 card reader purchased on eBay. He was also able to make purchases using the individual’s Crimson Cash accounts, which are used to pay for items on and off campus.

The hack was the impetus for Harvard to launch new IDs for the students, faculty and staff in the Faculty of Arts and Science. The university rolled out iClass contactless smart cards from HID Global for physical access to facilities. The new card has two magnetic stripes on the back that are used for payments and other functions, according to the Harvard Crimson.
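The forgery described above works because a plain magnetic stripe carries nothing the attacker does not already know: the university ID number is both the identifier and the credential, so anyone with the number and a cheap card writer can produce a track the reader accepts. The Python example below is added here and is not code from the article or from Harvard's or GW's card systems. It contrasts that naive encoding with one whose discretionary field carries a keyed check value that only the card office can produce. The track layout, the ID number and the issuer key are constructed for the example, and the HMAC stands in for the 3DES-based card verification values that bank cards use for the same purpose.

```python
import hashlib
import hmac
import re

# Assumed illustrative Track 2 layout for a campus ID card (real campus
# encodings vary); separators follow the ISO 7813 track 2 convention:
#   ;<university id>=<issue number, 2 digits><check value, 12 digits>?
# The naive variant leaves the discretionary field empty, so the track is
# nothing more than the public ID number.
NAIVE_TRACK = re.compile(r"^;(\d{1,19})=\?$")
CHECKED_TRACK = re.compile(r"^;(\d{1,19})=(\d{2})(\d{12})\?$")

# Constructed example key. A real issuer key lives in the card office's HSM or
# access-control server and is never written to a card.
ISSUER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def encode_naive(uid: str) -> str:
    """Track as found on a card that stores only the ID number."""
    return f";{uid}=?"


def verify_naive(track: str, directory: set) -> bool:
    """Reader logic that trusts any well-formed track whose ID is enrolled.
    Anyone who knows an enrolled ID can write this track themselves."""
    m = NAIVE_TRACK.match(track)
    return m is not None and m.group(1) in directory


def check_value(key: bytes, uid: str, issue: int) -> str:
    """12 decimal digits derived from HMAC-SHA256(key, uid|issue). Track 2 is
    numeric-only, so the MAC is reduced modulo 10**12. (HMAC is a stand-in for
    the 3DES-based CVV/CVC computation used on bank cards.)"""
    mac = hmac.new(key, f"{uid}|{issue}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**12:012d}"


def encode_checked(key: bytes, uid: str, issue: int) -> str:
    """Track written by the card office: ID, issue number and keyed check value."""
    return f";{uid}={issue:02d}{check_value(key, uid, issue)}?"


def verify_checked(key: bytes, track: str, directory: dict) -> bool:
    """Reader logic for the hardened card. `directory` maps uid -> current
    issue number, so a reissue invalidates every copy of the previous card."""
    m = CHECKED_TRACK.match(track)
    if m is None:
        return False
    uid, issue, cv = m.group(1), int(m.group(2)), m.group(3)
    if directory.get(uid) != issue:
        return False
    # Constant-time comparison so the reader does not leak how many digits matched.
    return hmac.compare_digest(cv, check_value(key, uid, issue))


if __name__ == "__main__":
    target_uid = "80012345"   # constructed; assume the attacker learned it from a listing
    naive_dir = {target_uid}
    # Forgery from the ID number alone succeeds against the naive reader...
    print("naive reader accepts forged track:", verify_naive(encode_naive(target_uid), naive_dir))
    # ...and fails against the checked reader, because the check value needs the issuer key.
    checked_dir = {target_uid: 1}
    forged = encode_checked(b"attacker-guess", target_uid, 1)
    print("checked reader accepts forged track:", verify_checked(ISSUER_KEY, forged, checked_dir))
    genuine = encode_checked(ISSUER_KEY, target_uid, 1)
    print("checked reader accepts genuine card:", verify_checked(ISSUER_KEY, genuine, checked_dir))
    checked_dir[target_uid] = 2   # card office reissues after the incident
    print("old genuine card after reissue:", verify_checked(ISSUER_KEY, genuine, checked_dir))
```

The check value defeats forgery from a known ID number, not cloning: a skimmer that reads a genuine card's full track still gets a track that verifies, which is why the contactless smart cards Harvard moved to keep the secret on the chip and authenticate with a challenge-response rather than a static string. Bumping the issue number in the directory is what makes a reissue invalidate every copy of the old card.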

Mag stripe has its uses

At George Washington University in Washington DC, Ken Pimentel’s biggest fear is someone copying the mag stripe on the card and using it to gain access to a dorm or somewhere else they should not go. “There’s nothing wrong with mag stripe at the point of sale,” says Pimentel, director of the university’s GWorld Card Program.

Continue Reading at

Editor's Note:  In a developing and related story, 160,000 University of California-Berkeley students and alumni have had their university records stolen by hackers:  (See below)

160,000 University Records Stolen
Hackers have stolen the personal information of 160,000 current and former University of California-Berkeley students, reports the San Jose Mercury News. Health center records from as far back as 1999 were breached over several months, exposing names, Social Security numbers, immunization histories and other information. Associate Vice Chancellor for Information Technology Shelton Waggener said the thieves got in through the university's Web site. "You should think of it as a public building," he said. "They got into the building properly, but then they broke into secure areas." One law student said: "We're all young people and we don't have a lot of credit established. That's really frightening..."
Full Story


Payments News with Legal Ramifications

Week of May 4th - May 8th

Anti-Money Laundering (AML) Compliance — United States

The Financial Action Task Force (FATF) recently released a white paper on the vulnerabilities of casinos and the gaming industry.

This APG/FATF report considers casinos with a physical presence and discusses related money laundering and terrorist financing methods, vulnerabilities, indicators to aid detection and deterrence and international information exchange. The report considers vulnerabilities from gaps in domestic implementation of anti-money laundering/ combating the financing of terrorism measures. Online gaming and illegal gambling are beyond the scope of the linked study. The report is 1.20 MB pdf and requires Adobe Acrobat to view. There is a special section that covers credit and debit card usage.  I will follow up with a post regarding that section later today...

Anti-Money Laundering Compliance — International
Canadian regulators have stated that financial services firms should maintain their efforts to fight money laundering despite the global recession and intense pressure to reduce expenses, according to a linked article on Investment Executive.

An article at ThisDay reports that the Bank of Tanzania lacks adequate strategies to combat terrorist funding and money laundering activities despite the existence of laws expressly prohibiting such activities in the country.

A French magistrate has recently opened an investigation against the leaders of Gabon, the Republic of Congo and Equatorial Guinea, in relation to a complaint filed by Transparency International, an international watchdog group, regarding investment derived from embezzled funds in property and other goods located in France. Apparently this has given Transparency the legitimacy it needs in order to press other claims against corrupt leaders, wherever they may be in the world.

Asset Forfeiture Watch reports that the U.S. Department of State has released its Country Reports on Terrorism for the year 2008. The overview, which was made public last week, praised Mexico’s President Felipe Calderón Hinojosa and his administration for demonstrating “an unprecedented commitment to address national security concerns” but criticized Mexico’s recent terrorist financing law for its lack of asset forfeiture provisions.

Identity Theft and Data Security

A feature article on Dark Reading demonstrates how researchers were able to hijack a notorious botnet in January for about 10 days, only to discover that it was even more dangerous than previously thought.

On May 5, 2009, the U.S. Government Accountability Office released a report on cyber threats and vulnerabilities that place federal systems at risk. This was in response to testimony before the Subcommittee on Government Management, Organization and Procurement of the House Committee on Oversight and Government Reform.

MX Logic has released a new report that alleges the probability that Waledac and Conficker are working together to create a megabotnet, one that will contain tens or hundreds of millions of infected computers worldwide.

An organization that develops technical standards for the financial industry is working to develop a standard for protecting sensitive payment card data in transit as it moves from the point-of-sale terminal to the payment processor, according to a linked article. The organization in question, Accredited Standards Committee X9 Inc., is based in Annapolis, Maryland and is accredited by the American National Standards Institute. It has developed industry security standards for ATMs and other financial systems.

Digital Transactions Magazine

The May 2009 issue of Digital Transactions magazine is now available online. The magazine is 6.46 MB and requires Adobe Acrobat to view. Some articles that may be of interest include: (1) a field guide to alternative payments systems, (2) how health care payments could be more like retail payments, (3) how financial institutions are prioritizing payments management more cost-efficiently and (4) an in-depth look at how electronic payments are being integrated in mass transit systems across the United States.

Credit Cards

MasterCard Inc. is getting a big boost from The Travelex Group, a multinational distributor of travel-related prepaid cards. Under a recently announced deal, Travelex will convert its payment card network brand to MasterCard and process card transactions on MC’s year-old debit processing platform called Integrated Processing Solutions, or IPS.


Spencer Bachus (R-AL), the ranking Republican member on the House Committee on Financial Services released a statement on May 6, 2009 on illegal Internet gambling legislation currently being considered by the House of Representatives.

The following articles and presentations may also be of interest:

* Here is a video presentation by 60 Minutes on the prevalence of such sites;
* Here are two reports each containing writeups that detail investigation on illegal offshore gaming websites.

Supreme Court Cases

By now you may have heard of the Court’s ruling in Flores-Figueroa v. United States (08-108) wherein the issue being argued before the Court was whether an individual who used a false means of identification without knowing it belonged to another person can be convicted of “aggravated identity theft” under 18 USC 1028A(a)(1). You can read the 8th Circ. opinion here, the petition for certiorari here, the brief for the United States here and the petitioner’s reply here. A New York Times article published on October 21, 2008 on this case can be read here.

On Monday, May 4, 2009, the Court issued its opinion in Flores.

The case called upon the Court to resolve a circuit split over the scope of the mens rea requirement in the federal aggravated identity theft statute, 18 U.S.C. § 1028A(a)(1), which imposes a mandatory two-year sentence on anyone who, during and in relation to certain predicate offenses, “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” The Court unanimously agreed with Flores-Figueroa that, to obtain a conviction under § 1028A(a)(1), the Government must show that the defendant knew that the “means of identification” he unlawfully transferred, possessed, or used, belonged to a real person.

FDIC Hearing

Here is a formerly live account of the hearing that took place on the morning of May 6, 2009 in front of the Senate Banking Committee.

Witnesses included: FDIC chairperson Sheila Bair, Federal Reserve Bank of Minneapolis President Gary Stern, American Enterprise Institute’s Peter Wallison, University of Chicago Finance Professor Raghuram G. Rajan and The Brookings Institution’s Martin Baily.

You can read Part 1 here and Part 2 here.

Upcoming Legislation

Rep. Barney Frank (D-MA) released a statement on Thursday, May 7, 2009 relating to passage of HR 1728, the Mortgage Reform and Anti-Predatory Lending Act of 2009. The bill was approved by a vote of 300 to 114. A summary of the bill can be viewed here.

In addition, Rep. Frank issued a press release in relation to consideration of HR 2267, the Internet Gambling Regulation, Consumer Protection and Enforcement Act and HR 2266, the Reasonable Prudence in Regulation Act.

The first bill regulates Internet gambling while the second bill delays implementation of regulations pursuant to Unlawful Internet Gambling Enforcement Act of 2006 for one year.

Congressional Hearings/Reports

The Congressional Oversight Panel issued a report entitled “Reviving Lending to Small Businesses and Families and the Impact of TALF” on Thursday, May 7, 2009. This report looks at the state of lending for small businesses and then examines the Term Asset-Backed Securities Loan Facility (TALF), which Treasury and the Federal Reserve established to improve access to credit for families and small businesses by supporting the issuance of asset-backed securities collateralized by credit card loans, student loans, auto loans and loans guaranteed by the Small Business Administration.

Compiled by Stan Santos

After Data Breach Heartland Comes Out Swinging

Heartland Comes Out Swinging After Data Breach - Business Center - PC World
"In the months following the disclosure of what may be the largest data breach in US history, Robert O. Carr, chairman and CEO of Heartland, has come out swinging. Instead of going into a near-death spiral of damage control mitigating the revelation that 100 million customer records leaked during 2008, Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance.

Carr has been quite frank when talking about the breach itself, as opposed to the relative silence from TJX after its data breach back in 2007. Heartland said early on that they believed someone placed a listener program in the stream where data in motion was not encrypted. When the Payments Processing Information Sharing Council (PPISC) met for the first time this week in St. Pete Beach, Florida, Carr took the unusual step of handing out USBs with the malware code found on the Heartland system at the time of their breach as well as malware discovered through other data breach investigations in 2008 and 2009 so other payment processors could look for malware on their own systems. Carr said in his Q1 2009 Earnings Call on Thursday that other industries share security information like this, why can't the card processors?

Additionally, Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."

Continue Reading at PC World
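Carr's description of a "listener" sitting on a link where data in motion was not encrypted is worth making concrete, because the same check is what an incident responder runs over a capture to decide whether card data was actually exposed. The Python example below is added here and is not Heartland's code or the malware Carr handed out: it scans a captured byte stream for Track 2 data and Luhn-valid PANs, masks what it reports to the first six and last four digits as PCI DSS requirement 3.3 allows, and then runs the same scan over the stream after a toy end-to-end encryption step. The sample records, their delimited format and the keystream cipher are all constructed for the example; the XOR keystream stands in for the TDES/DUKPT step a real terminal would apply and is not a cipher to use in production.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a listener on an unencrypted processor link sees:
# three authorisation requests and one response, in a made-up delimited format.
# The PANs are publicly known test numbers, not real cards; the third "PAN"
# fails the Luhn check and must not be reported.
SAMPLE_CLEARTEXT = (
    b"MTI=0200;TRACK2=;4111111111111111=12121011234?;AMT=000000012000\r\n"
    b"MTI=0200;PAN=5555555555554444;EXP=1212;AMT=000000004999\r\n"
    b"MTI=0200;PAN=1234567890123456;AMT=000000000100\r\n"
    b"MTI=0210;RESP=00;AUTH=123456\r\n"
)

# ISO 7813 track 2: ;PAN=YYMM SSS discretionary?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare digit runs of PAN length that are not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit; filters out amounts, counters and random numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    offset: int
    kind: str                  # "track2" or "pan"
    masked_pan: str
    expiry: Optional[str] = None


def scan_stream(data: bytes) -> List[Finding]:
    """Report every Luhn-valid PAN in `data`. Track 2 records are handled
    first so their PAN is not reported a second time by the bare-digit pass."""
    findings, claimed = [], set()
    for m in TRACK2.finditer(data):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding(m.start(1), "track2", mask_pan(pan), m.group(2).decode()))
            claimed.add(m.start(1))
    for m in PAN_CANDIDATE.finditer(data):
        pan = m.group().decode()
        if m.start() not in claimed and luhn_ok(pan):
            findings.append(Finding(m.start(), "pan", mask_pan(pan)))
    findings.sort(key=lambda f: f.offset)
    return findings


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. A stand-in for the terminal-side
    TDES/DUKPT step only: deterministic, no integrity protection, not a real
    cipher. Applying it twice with the same key decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


if __name__ == "__main__":
    print("cleartext link:")
    for f in scan_stream(SAMPLE_CLEARTEXT):
        print(f"  offset {f.offset:3d} {f.kind:6s} {f.masked_pan} exp={f.expiry}")
    sealed = toy_stream_encrypt(b"example-terminal-key", SAMPLE_CLEARTEXT)
    print("encrypted link findings:", scan_stream(sealed))
```

The Luhn filter is a false-positive reducer, not proof that a digit run is a PAN (one random 16-digit string in ten passes it), so a responder still confirms hits against the processor's BIN ranges before counting exposed accounts. The contrast with the sealed stream is the whole E2EE argument in one line: a listener on a link the terminal has already encrypted sees nothing the scanner can recognise, whichever host the listener is planted on.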

The only way for TRUE end-to-end encryption to occur is for Visa and MasterCard to change the way they process transactions entirely.  This is probably just a legal maneuver on Heartland's part (MasterCard recently hit them with a multi-million dollar fine) and certainly a PR move.

For example: on telephone-order transactions the consumer provides their credit card number and expiration date to the operator.  Where's the encryption?  For e-commerce the consumer "types" their credit card number, expiration date AND CVV into boxes and presses submit.  Where's the encryption?  And don't tell me the HTTPS BS.

The only 3DES End-to-End Encrypted Transaction protected by DUKPT and PCI 2.0 certified solution for eCommerce in the world comes from the engineers at HomeATM.   How's that for some PR?
