Monday, June 8, 2009

NYCE Says PIN Debit Encryption Must Be Hardware Based

I was looking for more e-vidence that a software application for PIN Debit is unsafe and I happened to stumble upon the website which published a white paper called: "PIN Debit Security Awareness."

In it they explain how encryption works (see charts on left and below).

The most interesting (and striking) piece of e-vidence supporting hardware (HomeATM) vs. a software (whomever) approach were two "key" statements regarding PIN Encryption.

Here they are...

1. "NEVER USE SOFTWARE" followed by another simple statement:

2. "ALWAYS EMPLOY SECURE HARDWARE" (see graphic below)

I think those two statements sum it up rather NYCELY!

However, lest there be any ambivalence regarding whether hardware is the way to go...they go...on to say:

3. Secure encryption practices also depend on using secure hardware.

Financial institutions must ensure that all PINs and encryption keys never appear in the clear.

This control objective is most often accomplished by using secure hardware (also known as firmware) which masks PIN generation, encryption and decryption from human sight and, more importantly, from disclosure.

You (banks) should review the functionality of your secure hardware by assessing the vendor documentation and by asking your vendor to confirm that their devices meet the ANSI definition of tamper resistance. (Editor's Note: Tamper Resistance is part of the certification process as a PCI 2.0 PIN Entry Device.)

It's NYCE to know they stand "firm" in their belief that Hardware is essential! 

To Read "Best Practices for PIN Encryption" Download the white paper

This paper is intended to help you:
  • Learn about the "dos" and "don'ts," associated with American National Standards Institute (ANSI) standards and NYCE Network Operating Rules, for sound key management procedures and security.
  • Understand your responsibility for safeguarding encryption keys, even if you outsource some tasks to third parties.
  • Anticipate what you might expect from an audit or security review of your encryption key management procedures.
  • Align your encryption key processes with bank regulatory requirements


Hold On...Why Are You Using Signature Debit vs. PIN Debit?

Using a debit card at a hotel? Beware the hold

Editor's Note: When you use a signature debit card you are not paying with cash, and you are not paying with credit. You are paying with a hold. But hold on. There is a way around it. When you use your debit card with a PIN, it is a "cash" transaction. Funds are set aside for the real amount in real time.

Here's an example: If you use your signature debit card at a gas station for a $20 gas purchase, the station could put a hold of up to $150 on your checking account. The hold could last for as long as 72 hours.

On the flip-side, if you use your PIN Debit card at the same gas station for the same $20 purchase, there is NO HOLD and the $20 is immediately deducted from your checking account.  Here's an article talking about Debit Holds put on by Hotels from's Herb Weisbaum...

Debit cards are now more popular than credit cards. But you may want to think twice before you use that debit card when you check into a hotel. Hotels normally put a hold on your account for room and tax and something to cover incidentals -- that could be $50 a day.

With a credit card, unless you're maxed out, you probably won't even notice the hold.

But with a signature debit card, that hold locks up your money.

"So in other words, it could freeze up part of your checking account balance and it could make it impossible for you to make other purchases that you want to make if you don't have enough money in your account," said Gerri Detweiler with

Detweiler says that hold can stay in place for up to 72 hours after you pay the bill.

"You could be tying up that credit line and then you could go to make other purchases in a restaurant or somewhere else and find your card declined. Or you could go over your limit," she said.

If you plan to use your debit card when you travel, find out about the hotel's hold policy -- and then be sure to have a little bit of pad in your checking account before you hit the road.

More information:

Swipe that debit card carefully: Hotel holds can tie up your money


Is V/MC Biting the Hand that Feeds Them?

Big banks have relied increasingly on fees to pad their revenues — as much as 40 percent of their annual revenues in some cases. Late fees, bounced check fees, near-usurious interest rates … and a little known credit card fee on merchants often called the interchange fee, or swipe fee.

American consumers pay among the highest swipe fees in the industrialized world — up to $2 of every $100 spent by credit cards goes to banks in the form of these interchange fees.  Merchants hate them. That’s why some convenience stores require a $5 minimum purchase to use a credit card.

Here’s what the Merchants Payments Coalition says about swipe fees: “This is about fairness, plain and simple,” said Lyle Beckwith, vice president at the National Association of Convenience Stores.  “For years, Visa, MasterCard and the big banks have forced higher prices on small businesses and our customers by setting swipe fees behind closed doors with no transparency and no negotiation.”

For many businesses, swipe fees are now their highest non-labor cost, outpacing even health care, the coalition says.

As other countries have reined in excessive swipe fees in recent years, and the actual cost of processing a transaction has gone down, Americans are now paying triple the amount in swipe fees they paid in 2001, reaching $48 billion last year alone.

Now a bill has been introduced in the U.S. House to enable retailers to negotiate with banks to reduce those fees.  The measure, called the Credit Card Fair Fee Act, would help ensure fair negotiations over swipe fees.

Under the bill, merchants and retailers would be allowed greater access to negotiations with banks to establish rates and terms, while an antitrust attorney from the Department of Justice would be present at the talks.

This bill should become law because it’s good policy. The Merchants Payments Association says only 13 percent of the money generated from swipe fees is used to cover the cost of the transactions — the original purpose of the fee. (Editor's Note: The VAST majority covers Rewards programs; see chart on right.)

Banks need to take a hard look at their business model and realize that revenues based on fees are unsustainable and simply bad business practice.

You can only bite the hand that feeds you so many times before the hand slaps back.


More On Electronic Payments Coalition Campaign Against HR 2695
