Thursday, June 18, 2009

Voltage Security to Assist Heartland with E2EE

Heartland, Voltage Security partner for end-to-end

Princeton, N.J., June 18, 2009 -- Heartland Payment Systems (NYSE: HPY - News), one of the nation’s largest payments processors, has selected Voltage Security as a partner to develop end-to-end encryption (E3) software specifically suited to payments processing. Voltage is a global leader in information encryption.

“Heartland is developing a complete end-to-end encryption solution designed to protect cardholder data at all stages of a transaction – from card swipe through delivery to the card brands,” said Bob Carr, Heartland’s chairman and chief executive officer. “Together with Voltage, we are developing a comprehensive solution that currently does not exist.”

Heartland’s new E3 solution will significantly enhance the security of payment card information throughout the processing lifecycle. The Voltage SecureData™ product line, based on its Format-Preserving Encryption™ and Identity-Based Encryption™ approaches, will power the software component of Heartland’s E3 solution. Heartland also employs Voltage SecureMail™ and Voltage SecureFile™ to protect personal information throughout its corporate and extended business network.

“Heartland’s vision for E3 sets a new security standard for the payments industry,” said Sathvik Krishnamurthy, president and chief executive officer of Voltage. “With Heartland E3, merchants will be able to significantly reduce their PCI audit scope and compliance costs, and because data is not flowing in the clear, they will be able to dramatically reduce their risks of data breaches.”

Heartland will launch its E3 pilot in Q3 and will continue to roll out additional features and products through 2010.

About Heartland Payment Systems

Heartland Payment Systems® (NYSE: HPY - News), the fifth largest payments processor in the United States, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide. Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit and .

About Voltage Security

Voltage Security, Inc., an enterprise security company, is the global leader in information encryption. Voltage solutions, based on next generation cryptography, provide encryption that just works for protecting valuable, regulated and sensitive information based on policy. Voltage delivers end-to-end encryption with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Voltage Security offerings include Voltage SecureMail™, Voltage SecureData™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government, such as the American Board of Family Medicine, Diebold, Integro Insurance Brokers, NTT Communications, SafeAuto Insurance, Winterthur Life UK Ltd. and XL Global Services. For more information please visit .

Source: Company press release.

56,000 More Victims of Heartland Breach

About 56,000 members of Suncoast Schools Federal Credit Union have been notified that their debit card accounts were exposed to fraud.

It is the latest casualty of last year's breach of Heartland Payment Systems, one of the country's largest credit card processors, where information from more than 100 million credit and debit card transactions was exposed.

Not until the end of May did Suncoast discover that some of its customers who use Visa Check Cards could be in danger. The Tampa credit union is issuing new cards to all members whose accounts were compromised.

"It was not a Suncoast exclusive event nor was it through any fault of our own," said Melva McKay-Bass, senior vice president of member service operations for Suncoast. "It was not anything that we had done wrong."

Suncoast, which has more than 450,000 members, has determined that less than 1,000 members were actually affected by fraud as of Wednesday, McKay-Bass said.

Only encrypted card data was compromised, not personal information such as names, addresses and Social Security numbers. The credit union began notifying affected members by letter in the first week of June, McKay-Bass said. Suncoast released a statement explaining the breach Friday in response to what it said was an inaccurate Fox News report that, McKay-Bass said, panicked some of its members...

Continue Reading at the St. Petersburg Times


PayPal Prez Says No Spinoff

In an article written by Douglas MacMillan and published in BusinessWeek's TechBeat, he reports that PayPal's president, Scott Thompson, is dispelling any notions that PayPal (and the recently acquired Bill Me Later) will be spun off. Skype, maybe; PayPal, no.

PayPal President: No Spinoff - BusinessWeek

Posted by: Douglas MacMillan on June 17

After eBay said in April that it planned to spin off its Skype business, some investors and analysts started wondering about the e-commerce company’s other major subsidiary: What about PayPal? In the past two weeks, a number of sources have said they have heard talk that eBay is exploring different options for realizing more value from the lucrative payments business.

One source said he had heard the company was considering selling PayPal to a consortium of private equity investors while keeping an equity stake. Another heard a rumor that eBay would issue a tracking stock for PayPal.

But during a visit to BusinessWeek, PayPal president Scott Thompson dispelled these notions. Thompson says that although even he has heard the speculation about spinning off PayPal, he and eBay CEO John Donahoe have not discussed any such options. “We have not talked about that,” he says. “I think we’re going to be part of the eBay Inc. family for a long time to come.”

Thompson admits that he “understands the logic” of wanting to unlock value in PayPal, but he argues that eBay’s strong balance sheet is an important asset to have while his business is growing. The parent’s deep pockets helped with the $945 million acquisition of Bill Me Later in October, Thompson says. “If we were a separate company, would we have done it? I’m sure we would have tried because it was the right thing to do for the business. But it was fundamentally easier having that very strong balance sheet.”

Continue Reading at BusinessWeek


Heartland CEO Calls Breach "Devastating"

Heartland Payment Systems CEO Robert Carr calls the data breach that rocked the payment processor "devastating." Since the incident, the company has been working overtime to repair the damage.

According to Computerworld, Heartland expects an end-to-end encryption program for protecting card data to be complete in the third quarter. The company also is pushing for an industry-wide standard for encrypting data while it's moving through networks. Heartland has co-founded the Payment Processor Information Sharing Council, which gives organizations in the industry a forum for sharing information about security threats, vulnerabilities and fraud.

Gartner analyst Avivah Litan praised Carr's efforts, saying that "the bottom line [is that] he is doing some good work. He is elevating the debate around card security and even got the card companies to speak about end-to-end encryption."


Level 2 Merchants Now Need QSA On-Site Assessments

Branden Williams, on his VeriSign Security Convergence Blog, posted that MasterCard is now going to require that all Level 2 merchants use a QSA to perform an on-site assessment of their Site Data Security. This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs. So, with that, all I have to say is:

Attention: All Level 2 eMerchants (greater than 1 million but less than 6 million transactions annually)! Because HomeATM is already PCI 2.0 PED certified, should you incorporate our "swipe vs. type" payment methodology, you would be effectively removed from the scope of PCI. Problem solved, money saved, security improved.
(It also provides additional significant benefits, such as replicating a "card present" environment and "true" PIN Debit Interchange rates.)

Here's an excerpt from Branden's blog post: 

Branden Williams' Security Convergence Blog: NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants
Thanks to Smiley for the tip!

MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually.

While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided to those individuals performing the assessment. When our folks are contracted to review these, we typically find that a previously fully in-place Self Assessment Questionnaire is only about 70% accurate. Meaning, that 30% of the items answered "Yes" or "N/A" are actually "No."

Continue Reading 


Kaspersky Lab Announces Malicious Software Detection Patent

Kaspersky Lab, a leading developer of secure content management solutions, announces the successful patenting of information security technology in the US. The technology in question effectively detects and deletes malicious software and removes any trace of its effects by running automatically generated scripts.

Today's computers are exposed to a growing number of increasingly complex and rapidly changing malicious programs. Greater emphasis is now being placed on automatic protection methods that ensure fast data processing and prompt responses to threats. However, such technologies often generate false positives or suffer from low levels of new threat detection.

The recently patented technology from Kaspersky Lab is a combination of existing and newly developed methods to combat malicious software. Its automated methods are effective at processing large volumes of data. Moreover, processing and storing large volumes of information is advantageous in that it helps optimize and train the protection system, while security experts have the option of adjusting and fine-tuning the protection system as it operates.

This combination produces a synergy effect that saves resources and provides a high level of malware detection. Use of empirical data and the system's learning capabilities enables a gradual specialization and perfection of its functions.

The cutting-edge technology was invented by Oleg Zaytsev, a senior technical specialist at Kaspersky Lab. The patent for the new technology and its implementation was registered as No. 7 540 030 by the US Patent Bureau on 26 May, 2009.

The patented system automatically aggregates statistics on programs and their activities. Information is collected from event logs, system scan results and user records about quarantined files. The data are used to identify malware, automatically generate scripts to remove detected threats and carry out an in-depth analysis of the system.

The scripts generated by the system can be improved by computer security specialists, which may be beneficial in cases where the system does not have sufficient knowledge to develop and take decisions in complex situations. This allows subsequent problems of a similar nature to be resolved automatically. In other words, as the amount of statistical data collected increases with time, the system operates more effectively.

Kaspersky Lab currently has more than 30 patent applications pending in the US and Russia related to a range of innovative technologies developed by company personnel.

Source: Company Press Release


PDG Software: Industry First PCI PA-DSS Certification for Shopping Carts

PDG Software Announces PCI PA-DSS Certification for PDG Commerce Version 5
Certification & validation helps ensure the highest degree of security and privacy for merchants operating and consumers shopping at PDG Commerce enabled eCommerce storefronts.

Atlanta, GA (PRWEB) For Immediate Release -- PDG Software, Inc., a leading provider of internet storefront and eCommerce shopping cart solutions, announced today the certification of PDG Commerce Version 5 as a PCI PA-DSS certified payment application.

PDG Commerce now becomes the first internet shopping cart and storefront solution currently recommended for new deployments to achieve validation and certification under the Payment Card Industry Security Standards Council's (PCI SSC) Payment Application Data Security Standard (PA-DSS) program.
(Editor's Common Denominator Note: HomeATM is the "first and only" company to achieve validation and certification for the Payment Card Industry's 2.0 PED program.)

The PCI PA-DSS program, previously known as the Visa Payment Application Best Practice (PABP) Program, was created to help software vendors develop secure payment applications that do not store prohibited data and to support compliance with the PCI Data Security Standard (PCI DSS).

With current mandates from Visa and other major card brands requiring that acquiring banks only approve new merchant accounts for organizations utilizing a PA-DSS certified solution or merchants who have demonstrated their own overall PCI DSS compliance, PDG Commerce provides a simple and affordable option for merchants wanting to accept credit cards through their eCommerce storefronts who do not have the technical skills or funds required to build their own PCI DSS compliant systems. Cardholder data, once collected through a merchant's secured website, is immediately transmitted to PCI approved payment gateways for processing, without the data ever being stored or transmitted within the merchant's back-office systems.
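To make the pass-through design described above concrete, here is an added example; it is not PDG's code and does not show how PDG Commerce is implemented. A minimal storefront Luhn-checks the card number, hands it to a stub gateway that stands in for a PCI-approved gateway, and keeps only the returned token and last four digits, with a log redactor so the PAN cannot leak through the merchant's own logs. The gateway stub, the token format and the order record layout are assumptions for illustration; the card number in the demo is a constructed test value.

```python
"""Pass-through card handling: forward the PAN to the gateway, keep only a token.

Added example, not PDG's code. StubGateway stands in for a PCI-approved
gateway; the token format and the order record layout are assumptions.
"""
import re
import secrets

# Any run of 13 to 19 digits standing alone is treated as a possible PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to reject mistyped numbers before forwarding."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask every PAN-looking digit run in a log line, keeping only the last 4."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)


class StubGateway:
    """Stand-in for the payment gateway: returns a token, never the PAN."""

    def __init__(self):
        self._vault = {}  # token -> PAN; lives only on the gateway side

    def tokenize(self, pan: str, expiry: str) -> dict:
        token = "tok_" + secrets.token_hex(8)  # assumed token format
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}


class Storefront:
    """Merchant side: never persists or logs the PAN."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.orders = []  # what the merchant's back office keeps
        self.log = []     # what the merchant's application log keeps

    def checkout(self, order_id: str, pan: str, expiry: str, amount_cents: int):
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            # Even the rejection path is redacted before it reaches the log.
            self.log.append(redact_pan(f"order {order_id}: rejected card {pan}"))
            return None
        resp = self.gateway.tokenize(pan, expiry)
        record = {"order_id": order_id, "amount_cents": amount_cents,
                  "card_token": resp["token"], "last4": resp["last4"]}
        self.orders.append(record)
        self.log.append(redact_pan(
            f"order {order_id}: authorised via {resp['token']} for card {pan}"))
        return record


def merchant_state_contains(store: Storefront, needle: str) -> bool:
    """Audit helper: does the string appear anywhere in merchant-held data?"""
    blob = repr(store.orders) + "\n".join(store.log)
    return needle in blob


if __name__ == "__main__":
    store = Storefront(StubGateway())
    # Constructed test card number, not a real account.
    store.checkout("A1", "4111 1111 1111 1111", "12/29", 1999)
    print(store.orders)
    print(store.log)
    print("PAN in merchant data:", merchant_state_contains(store, "4111111111111111"))
```

The audit helper is the point of the exercise: after a checkout, the merchant's order store and log should contain the token and last four digits but never the full PAN, which is what keeps the storefront out of the part of PCI DSS scope that the press release describes.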

"We're very happy to be in a position to facilitate the process for new merchants looking to establish an eCommerce presence. With the high-risk of unscrupulous hackers intent on taking advantage of small to mid-size merchants that do not have the technical staffing or know-how to build and manage their own secure networks, the peace of mind that comes from knowing that you are working with a PCI certified shopping cart is invaluable," said Karen Snyder, President of PDG Software. "Merchants utilizing PDG Commerce can sleep well knowing that their customer's cardholder data is never stored within their storefront and cannot lead to costly and embarrassing security breaches."

About PDG Software, Inc. and PDG Commerce

PDG Commerce, the culmination of over 12 years of research and development, provides an all-in-one eCommerce storefront software solution for internet merchants. Utilized by thousands of merchants worldwide, PDG Commerce can be used to build highly customized eCommerce Web Stores that integrate directly with major shipping carriers, payment services and existing accounting, POS and other software commonly used by internet retailers. PDG Software is an Intuit Gold Developer and offers the highest rated QuickBooks compatible shopping cart storefront solution. Real-time synchronization between a merchant's local QuickBooks company file and their PDG Commerce enabled store front allows the merchant to manage virtually all aspects of the day-to-day operation of their eCommerce business from directly within QuickBooks. For additional information, please visit


Only 4 of 1000+ eShopping Carts will Make PA-DSS Cut

This article, from Jamie Estep at Practical eCommerce, states that out of thousands of shopping cart providers, it appears that only 4 will make the cut-off date (July 2010) for PCI compliance. Wow.

To date, there is only ONE, PDG Commerce. 

Here's an excerpt from his article...
"A few weeks ago I blogged about the PA-DSS regulations which are going to be taking effect over the next year.
PA-DSS (Payment Application Data Security Standard) is an additional security policy that addresses applications that store or transmit credit card data. The current regulation is ambiguous enough that many ecommerce shopping carts fall under the PA-DSS envelope. If you use an API method of integrating with your payment gateway, your shopping cart may need to be PA-DSS certified.
The current timeline for PA-DSS adoption is as follows:
  1. New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data. January 1, 2008
  2. New PCI Level 4 merchants using third-party payment software must be either PCI DSS-compliant or use PA-DSS validated compliant payment applications. October 1, 2008
  3. ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010
Here's the problem:

There is currently only one shopping cart that is PA-DSS certified: PDG Commerce. Additionally, Magento Enterprise, Miva Merchant, and X Cart are scheduled to become PA-DSS certified.

Other than that, no other carts have announced that they will be, or are planning on becoming PA-DSS certified before the deadline of July 2010. There's still time to get certified, but 4 of the thousands of shopping cart providers is not a promising number.

It's unclear how hard-line of a stance the card companies are going to take on non PA-DSS or PCI compliant websites. If they go the full mile, they could shut down any website's credit card processing that isn't compliant. They could also hand down some major fines for non-compliance."

Read Article in Full at Practical eCommerce


Facebook Gets in MySpace's Face

[Chart: Top 20 Social Networking Sites Among US Internet Users, May 2008 & May 2009 (thousands of unique visitors and % change)]

Facebook Overtakes MySpace

JUNE 18, 2009

YourSpace is shrinking.

In May 2009, Facebook became the most popular US social networking site.

But it was close.

According to comScore, Facebook totaled 70,278,000 unique visitors, up 97% from May 2008 to May 2009. MySpace hits shrank 5% over the same timeframe, fading to 70,255,000 unique visitors.

Possibly in response to the trend, MySpace downsized around 400 employees.

“Simply put, our staffing levels were bloated and hindered our ability to be an efficient and nimble team-oriented company,” said MySpace CEO Owen Van Natta in a statement.

MySpace still dominates Facebook in one important respect—advertising. MySpace visitors viewed 31.8 million ads in April 2009, accounting for almost 47% of the total social network advertising space. Facebook was second, serving nearly 25 million ads and making up about 37% of the sector.

Continue Reading at eMarketer


UK Online Sales Enjoy 8% Growth in May

Editor's Note: You'll notice that the title of the article below is significantly more negative than mine, but my thoughts were: 8% growth is still "growth," and since I'd be willing to bet that the majority (if not all) of companies, businesses, in fact, industries as a whole, would have welcomed half of that (4%) with wide open arms, I went with "Enjoy 8% Growth" vs. "Stumble During May."

Online sales stumble during May - Computer Business Review : News
Published: 18 June 2009, by Steve Evans

Recession and hot weather stop (slow down) shoppers

Latest figures for online retail sales have revealed growth of just 8% for May 2009, the lowest since records began. The figures, from IMRG Capgemini e-Retail Sales Index, suggested the warmer weather during the month contributed to the slower growth.

Online sales for May 2009 totalled over £3.7bn.

Growth of 8.2% for May 2009 represented a 3.5% dip compared to April 2009 as people abandoned their computers to enjoy the Bank Holiday sunshine. This did have one positive impact - sales in the health and beauty sector shot up by 14.9% month on month as Brits stocked up on sun cream and moisturiser during the hot weather.  Online sales of beers, wines and spirits fell 17.4% during May, probably as a result of shoppers stocking up on supplies before April’s Budget. Online alcohol sales were also down 6.5% year on year. Sales of electrical goods slipped 5.7% during April but that sector seems to be holding up well during the recession as year on year sales were up 27.9%.

Mike Petevinos, head of consulting for retail for Capgemini UK, said: “Although online sales remain healthier than on the high street, UK shoppers are clearly changing their behaviour as a result of the recession – even those heading online to economise are now beginning to trim spending habits. So, whilst the underlying trend is still one of growth for online retail, the market conditions are placing all retailers under intense pressure to ensure their offerings remain competitive.”

Continue Reading at


Discover Announces 2Q Net Income

Discover Financial Services Inc. on Thursday reported second-quarter net income of $225.8 million, or 43 cents a share, compared with $234.1 million, or 48 cents a share, in the year-ago period. 

PIN Debit Payments Blog did the math, and that constitutes about a 3.6% drop. I assume analysts thought it would be worse, because their stock is up. According to MarketWatch, Discover Financial Services jumped 7.2% to $9.55 after it reported second-quarter net income. What makes Discover unique is that, unlike most of its peers, which either issue plastic or process the transactions, Discover does both.

Discover also pointed out that net income in the latest quarter included about $295 million related to the Visa/MasterCard antitrust litigation settlement.

Heartland aims to improve campus safety with Alert Notification

According to CR80 News, Heartland Payment Systems’ Campus Solutions division is integrating its Campus OneCard with Alert Notification, a nationwide membership service that provides a 24-hour-a-day call center to alert family when an accident or medical emergency occurs. Students who sign up for the Alert Notification system will have their Alert Notification numbers on their OneCards. If an incident occurs, emergency personnel report it to the call center and give the student’s Alert Notification number. The call center in turn notifies that person’s “in case of emergency” contacts.

Heartland’s Campus OneCard is a multi-functional campus ID card as well as a prepaid card that can pay for books, laundry, vending and off-campus purchases. In addition, the card can provide access control to residence halls and campus buildings and has campus-wide notification abilities, enabling administrators to reach an entire campus or select groups with emergency messaging.

“This new offering enables us to bring the best aspects of campus security and personal safety to our campus clients. Not only do we provide access control and mass notification, but we now have the enhancement of emergency notification to alert contacts if an accident happens,” said Fred Emery, vice president and general manager, Heartland Campus Solutions.

40,000 Websites Behind the "Nineball"

New Injection Attack Compromises More Than 40,000 Websites

"Nineball" exploit is distinct from Gumblar, Beladen, researchers say
By Tim Wilson | DarkReading

A new injection attack that redirects users' Web search queries is in the wild, and researchers at Websense believe it may have already affected more than 40,000 sites.

In a blog posted yesterday, Websense researchers indicated that more than 40,000 legitimate sites have been compromised with "obfuscated code that leads to a multilevel redirection attack, ending in a series of drive-by exploits which, if successful, install a Trojan downloader on the user's machine."

When users visit one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code, the researchers say. The final landing page records the visitor's IP address.

When the site is visited for the first time, the user is directed to the exploit payload site. But if the user returns from the same IP address, he is simply directed to the benign site of, the researchers report...
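The per-IP behaviour described above is what makes a second look from the same analyst address misleading: the return visit sees the benign site and can wrongly close a case. The following added example (not Websense's or Dark Reading's code) simulates that behaviour with a placeholder landing page and shows a scanning check that compares first contact from a fresh vantage point against a return visit. The host names and IP addresses are constructed placeholders from documentation ranges, and the "suspicious" classifier is deliberately minimal.

```python
"""Checking for visit-history cloaking when re-scanning a suspected landing page.

Added example. CloakedLandingPage simulates the behaviour the article describes
(payload on the first visit from an IP, benign page on a return from the same
IP). Host names and IP addresses are constructed placeholders.
"""

PAYLOAD_HOST = "payload.example"  # placeholder for the exploit-hosting site
BENIGN_HOST = "benign.example"    # placeholder for the decoy site


class CloakedLandingPage:
    """Simulated final landing page: records each visitor IP, as described."""

    def __init__(self):
        self.seen_ips = set()

    def serve(self, client_ip: str) -> str:
        if client_ip in self.seen_ips:
            return f"302 Location: http://{BENIGN_HOST}/"
        self.seen_ips.add(client_ip)
        return f"302 Location: http://{PAYLOAD_HOST}/"


class HonestPage:
    """Control case: a page that answers the same way regardless of history."""

    def serve(self, client_ip: str) -> str:
        return f"302 Location: http://{BENIGN_HOST}/"


def is_suspicious(response: str) -> bool:
    """Minimal classifier: does the redirect point at the payload host?"""
    return PAYLOAD_HOST in response


def naive_rescan(page, analyst_ip: str):
    """Two fetches from the same analyst IP; returns (first_flagged, second_flagged).
    Against a cloaked page the second fetch looks clean."""
    first = page.serve(analyst_ip)
    second = page.serve(analyst_ip)
    return is_suspicious(first), is_suspicious(second)


def history_aware_scan(page, fresh_ips):
    """Fetch once from each previously unused vantage IP, then revisit from the
    first one. A page that answers a return visit differently from first contact
    is flagged as cloaked, whether or not the payload itself was recognised."""
    first_contact = {ip: page.serve(ip) for ip in fresh_ips}
    return_visit = page.serve(fresh_ips[0])
    return {
        "payload_seen": any(is_suspicious(r) for r in first_contact.values()),
        "cloaked": return_visit != first_contact[fresh_ips[0]],
        "consistent_across_vantage_points": len(set(first_contact.values())) == 1,
    }


if __name__ == "__main__":
    # Constructed vantage addresses from RFC 5737 documentation ranges.
    print("naive rescan:", naive_rescan(CloakedLandingPage(), "203.0.113.10"))
    print("cloaked page:", history_aware_scan(CloakedLandingPage(),
                                              ["203.0.113.11", "198.51.100.7"]))
    print("honest page: ", history_aware_scan(HonestPage(),
                                              ["203.0.113.11", "198.51.100.7"]))
```

The "cloaked" flag does not depend on recognising the payload at all; it only asks whether the same URL answers a return visit differently from a first contact. That is the check worth adding to a re-scan procedure, because a site that has been confirmed "clean" from an address it has already seen has not actually been tested.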

Continue Reading at Dark Reading
