Friday, July 3, 2009

HomeATM's SafeTPIN Could Cut E2EE Upgrade Costs in Half

End-to-End Encryption Would Cost $4.8 Billion - Mercator

Could HomeATM's PCI 2.0 Certified SafeTPIN cut that cost by $3.0 billion (60%) or more? You betcha!

Digital Transactions published a story on the cost of end-to-end encryption. Here is an excerpt:

Demand is booming for better payment card security as a result of the many data breaches of recent years, and the solution being touted more than any other is “end-to-end encryption.” But a new report from Mercator Advisory Group Inc. asserts that the term is imprecise and implementing the technology will take incentives, collaboration, and a lot of salesmanship. Meanwhile, the final tab for the solution is no small matter.

"A point-of-sale terminal with end-to-end encryption starts at $500 for a mom-and-pop merchant and goes up for multi-lane retailers, the report notes. Author George Peabody, director of the emerging technologies advisory service at Maynard, Massachusetts based Mercator, estimates the total cost to upgrade all U.S. terminals at $4.8 billion."

Editor's Note: HomeATM's PCI 2.0 Certified "Safe-T-PIN" point of sale terminal provides end-to-end encryption and can be purchased by "mom-and-pop" merchants for less than half the price quoted above. Translation: HomeATM cuts $3.0 billion or more from Mercator's estimate.

In addition, the HomeATM SafeTPIN incorporates an integrated PCI 2.x Certified PIN Pad which provides full "Zone 1 through Zone 5" (see illustration below) end-to-end encryption for PIN transactions. Since small merchants are the source of most data breaches, they need to improve the security of their cardholder data transmissions by upgrading to a POS terminal that encrypts the Track 2 data (including the Primary Account Number) the instant the card is swiped, so the PAN is never in the clear on the merchant's own systems.
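The paragraph above describes what an encrypt-at-swipe terminal does; the following is an added example (not HomeATM's, Atmel's or Mercator's code) of that data flow in working form. Track 2 is parsed and encrypted inside the reader, the merchant side receives only ciphertext plus a masked PAN for the receipt, and only the processor holding the terminal key can recover the track. Everything here is assumed for illustration: the terminal ID, the sample key, the test card number, and the cipher itself (CTR mode keyed by HMAC-SHA256 with a separate MAC, a stand-in for the TDES DUKPT scheme real PIN entry devices use).

```python
# Added example, not HomeATM code. Shows why "encrypted at the swipe" keeps the
# PAN out of the merchant's PCI scope: the POS only ever holds ciphertext and a
# masked PAN. Key management is simplified to one per-terminal key shared with
# the processor; real PEDs use DUKPT-derived TDES keys injected under dual control.
import hashlib
import hmac
import json
import os
import re

# ISO 7813 Track 2: ;PAN=YYMM SSS discretionary? (LRC omitted here)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so a misread swipe is rejected before it is encrypted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 2")
    return m.groupdict()


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the terminal key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR mode with HMAC-SHA256 as the PRF (stdlib-only stand-in for a block cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_at_swipe(terminal_key: bytes, track: str, terminal_id: str) -> dict:
    """Runs inside the tamper-resistant reader (Zone 1). Returns what leaves it."""
    fields = parse_track2(track)
    enc_key, mac_key = _derive(terminal_key, b"enc"), _derive(terminal_key, b"mac")
    nonce = os.urandom(12)
    pt = track.encode("ascii")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, terminal_id.encode() + nonce + ct, hashlib.sha256).digest()
    pan = fields["pan"]
    return {
        "terminal_id": terminal_id,
        "nonce": nonce.hex(),
        "ciphertext": ct.hex(),
        "tag": tag.hex(),
        # The only cardholder data the merchant ever sees: first six / last four.
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "exp": fields["exp"],
    }


def merchant_sees_pan(message: dict, pan: str) -> bool:
    """Scope check a merchant can run over its own logs/DB: is a full PAN present?"""
    return pan in json.dumps(message)


def decrypt_at_processor(terminal_key: bytes, message: dict) -> str:
    """Runs at the processor HSM. Verifies the MAC before decrypting anything."""
    enc_key, mac_key = _derive(terminal_key, b"enc"), _derive(terminal_key, b"mac")
    nonce, ct = bytes.fromhex(message["nonce"]), bytes.fromhex(message["ciphertext"])
    expected = hmac.new(mac_key, message["terminal_id"].encode() + nonce + ct,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
        raise ValueError("tag mismatch: tampered message or wrong terminal key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("ascii")


# Constructed sample: Visa test PAN 4111111111111111, expiry 12/25, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
SAMPLE_KEY = bytes(range(32))  # placeholder key for the example only

if __name__ == "__main__":
    msg = encrypt_at_swipe(SAMPLE_KEY, SAMPLE_TRACK2, "TERM0001")
    print("merchant side:", json.dumps(msg, indent=1))
    print("full PAN visible to merchant:", merchant_sees_pan(msg, "4111111111111111"))
    print("processor recovers:", decrypt_at_processor(SAMPLE_KEY, msg))
```

The point a QSA cares about is the `merchant_sees_pan` check: with the reader encrypting before the data reaches the POS, the merchant's message, database and logs contain only the masked PAN, which PCI DSS does not treat as cardholder data. The MAC bound to the terminal ID also means a tampered message, or one replayed under a different terminal's key, is rejected at the processor rather than decrypted.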

Kenneth Mages, CEO at HomeATM stated, “PCI 2.0 specifications are much more demanding than the previous versions when it comes to protecting a POS system. The choice of Atmel’s AT91SO25 Secure System-On-Chip has been really helpful to speed up and achieve our product certification and to ensure our unique E2EE (end to end encryption).”

MasterCard recently mandated that Level 2 merchants use a QSA to perform an onsite assessment of their Site Data Protection compliance. This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs. Another HUGE departure, this time from the $500 previously quoted for an E2EE point-of-sale terminal, is the availability of HomeATM's SafeTPIN with integrated PCI 2.0 Certified PIN Entry Device. Says one analyst: "While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard."

Editor's Note: I agree it's a smart move, but putting a "dent" in Level 2 merchant budgets in these trying times may not be perceived by Level 2 merchants as an "image-enhancer" for MasterCard. Then again, there's more than one way to skin a cat. How about devising an incentive program for (at least Level 3 and Level 4) merchants to increase their security?

An incentive program (such as lowering interchange fees) to entice Level 3 and 4 merchants to upgrade to and use an E2EE PCI 2.0 device would make perfect sense. Why? Because it would significantly increase security, thus reduce fraud, thus save MasterCard money. It could also save the Level 3 and 4 merchants significant money (remove the dent) if it took them out of most of the scope of PCI compliance... which in turn would enhance MasterCard's image.

Let's review...
  • HomeATM could cut the cost of providing an E2EE Point of Sale Terminal by 60%, saving roughly $3 billion,
  • The SafeTPIN Terminal "includes" a PCI 2.0 Certified PED (which comes encrypted and provides full Zone 1-5 protection for PIN transactions),
  • The SafeTPIN Terminal would potentially take Level 3 and 4 merchants (who are the source of most data breaches) out of most of the scope of PCI compliance, because cardholder data is never in the clear on their systems with our E2EE PCI compliant device,
  • In order to create a "win-win-win" environment, Visa or MasterCard could incentivize them to make the upgrade by dangling the lower interchange carrot in front of them.
Think lower interchange fees sound far-fetched? The author of the Mercator Report doesn't. Here's another excerpt from Digital Transactions News...

Small, so-called Level 4, merchants, meanwhile, are the source of most data breaches but often have little awareness of card-related security problems and balk at spending money to fix them. One way to spur the technology: interchange incentives for merchants. In the past two decades, Visa Inc. and MasterCard Inc. have offered price breaks to encourage merchants to use electronic terminals and to bring entire check- and cash-oriented merchant segments, including grocery stores and recurring billers, into the card-acceptor tent. “There’s no evidence that that’s in the offing, but there’s precedence for it,” says Peabody (the author of the Mercator Report).

Here's a graphic of the Zones required for complete 100% end-to-end encryption. Only PIN transactions can be encrypted from Zone 1 through Zone 5. HomeATM provides Zone 1 through Zone 4 encryption for credit and signature debit transactions, as it is currently not possible to provide Zone 5 coverage for them: Visa and MasterCard would have to overhaul their internal systems to emulate a PIN transaction to make that possible...

End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance
New Research Provides Guidance on End-to-End Encryption for Merchants and Processors

Boston, MA. - With the US payments system under continuous cyberattack and data breaches endemic, merchants and processors are scrambling to protect their data assets and cardholder data in particular. Card data encryption turns valuable data into worthless bits and bytes, eliminating the economic incentive for a cyberattack.

In a new report, End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance, Mercator Advisory Group explores end-to-end encryption (E2EE) in the hands of merchants, payment service providers and processors. In the face of the three bogies of PCI DSS compliance and penalties, reputational risk and direct financial loss, the acquiring half of the payments process is evaluating options for eliminating cleartext cardholder data from their systems. Tokenization (the subject of a recent Mercator report) and end-to-end encryption are the leading candidates. This report examines the complexity of E2EE within payments and enterprise security.

"End-to-end encryption's beauty is very much in the beholder's eye. If you're a Tier one merchant in no mood to risk the reputational crisis of a data breach, using E2EE to rid your network of card data is a good move," George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service and principal analyst on the report, comments. "E2EE also reduces the scope of PCI compliance audits and remediation costs, but the beauty of encryption and card security will likely be lost on millions of Tier 4 merchants. Strong sales incentives and messaging will be required to have them join in the data protection fight."

Highlights of the report include:
  • End to end encryption (E2EE) is a long forestalled rational reaction to data breaches and PCI DSS audit costs.
  • The advantages to merchants of getting out from under a large set of PCI compliance burdens may make E2EE worthwhile.
  • Defining the "ends" in E2EE is a key step for every deployment.
  • The encryption zones under a processor's control - from the merchant's magstripe reader to the interconnection point with card brand or issuer - appear to be a manageable domain where the burdens of key management and new POS gear equal the benefits.
  • Standards development is in early days. A new working group under ASC X9 has brought together the key stakeholders, some of whom have sharply diverging goals.


Europe: Magnetic Stripe's Time is Up?

Europe to Eye Mag-Stripe Ban

Cardline Global

European banks may consider banning the use of magnetic stripe credit and debit cards, according to Gerard Hartsink, the chairman of the European Payments Council.

Hartsink, who is also a senior executive vice president at ABN Amro in Holland, said that European financial companies will have largely completed the transition to the EMV Integrated Circuit Card Specification by 2011, and the council, which is driving the transition to the Single Euro Payments Area, could then advise its members to stop accepting magnetic stripe cards, which are considered less secure than those that use EMV.

"My feeling is, although it has not yet been decided, the [council] will take a decision in 2011, maybe 2010, to only use chip cards," he said in comments during a presentation this week at the Contactless Cards and Payments conference in London.

The council has no enforcement power, but if banks in Europe went along with such a decision, it could leave U.S. cardholders in the lurch when they traveled to Europe and tried to use cards for purchases or ATM withdrawals.

"If [Americans] visit Europe, it's not such a problem; their institution could issue an EMV card," Hartsink said.

Payments council members will probably debate the issue in 2010 or 2011, he said.

Hartsink is not the only person suggesting a ban on magnetic stripe cards, according to Dave Birch, a director at the U.K. research company Consult Hyperion. In a recent blog post, he cited comments from a financial regulator in Singapore pressing for a "concerted, global effort to phase out magnetic stripe technology entirely."


TransCard Adds PULSE to Mix

TransCard Extending Their Cardholders’ Reach with PULSE Network

CHATTANOOGA, Tenn.--(BUSINESS WIRE)--TransCard, a leading provider of prepaid debit card solutions branded with MasterCard®, Discover® Network and STAR associations, has launched on the PULSE network, providing all cardholders with more places to use their cards.

The PULSE ATM/debit network is comprised of more than 289,000 ATMs and point-of-sale terminals, and is used by more than 4,500 financial institutions—including banks and credit unions—across the United States.

“Adding a new PIN POS network will increase the scope of card acceptance and cardholder use,” says Jerry Uffner, TransCard’s President. “We are always working to improve our products, give cardholders more ways to use their cards and, ultimately, provide more cardholder value.”

PULSE is owned by Discover Financial Services—offering a comprehensive suite of payment solutions, including PIN-less bill payment, PIN and signature debit products, credit products, stored-value card programs and, of course, ATM network services.

“Our relationship with Discover Network continues to provide benefits for all of our cardholders—with PULSE being the most recent manifestation of those benefits,” says Craig Fuller, CEO of TransCard. “We look forward to continued product enhancements that make our cardholders’ lives easier and less stressful.”

About TransCard

TransCard is a top ten stored-value processor and a global provider of transaction-based processing services. TransCard has provided stored-value processing services since 1993 and pay card products beginning in 1996. TransCard differentiates itself in the prepaid card industry by offering compliant solutions, real value, proprietary technology, mobile card management and stability. Its products include pay cards, financial institution stored-value processing, gift reward cards, fleet services and retail program management. TransCard handles nearly $2 billion in electronic transactions annually and was featured as a "10 to Watch" by Intele-Card News. The company was recently named as a 2009 Paybefore Awards Best-in-Category Winner for the Best Corporate-Funded Prepaid Card.

Western Union Introduces Additional Features to WU Gold Card

Western Union Launches Consumer Loyalty Prepaid Card
Eight million Western Union Gold Card loyalty members in US Targeted

According to the Banking Business Review,

"Western Union Company, a global money transfer services firm, is planning to add features to The Western Union Gold Card, the company's global consumer loyalty program, with the addition of a reloadable Visa prepaid card. However, it will selectively offer the program in July targeting eight million Western Union Gold Card loyalty members in the US.

The company said that card members need not fill out money-transfer forms when sending money transfers; members can earn points to redeem for rewards that include merchandise or money-transfer discounts; every transaction with a Gold Card earns free phone time; and the card also serves as a calling card, allowing the user to recharge phone time."

The company has also reported that it recently launched an 'Overnight Home Delivery' service pilot featuring the new Western Union MoneyWise Visa prepaid debit card, designed to meet the needs of money-transfer recipients. The MoneyWise card is sent overnight via FedEx to be delivered at the recipient's door the next day, and it can be activated by the receiver with the Western Union Money Transfer Control Number. The card is also protected by the Visa zero liability policy.


"Who Killed Michael Jackson?" The Answer at a Malicious Website

According to Trend Micro's blog, there is an email spam run playing on the "inquiring minds want to know" crowd by asking: "Who killed Michael Jackson?"

The answer of course is located on a malicious website. 

From TrendMicro:

"Michael Jackson has been dead for a week already, but there is still a lot of speculation regarding his death. The spam runs are plentiful as well: a Michael Jackson-related spam was seen bearing the subject "Who killed Michael Jackson?", coming from a sender named x-files.

The spam message suggests that the icon was killed, and that information on who murdered him can be seen on the given URL.

Clicking the said link leads to a website where the user is asked to execute a file, which supposedly contains secret information, in order to find out who killed Michael Jackson. (Inquiring minds should know better than to do that.)

But of course, the executable is not at all related to Michael Jackson's murderer, or to Michael Jackson at all, as the file is really a data-stealer detected by Trend Micro as TROJ_ZBOT.AXY.

The Trojan TROJ_ZBOT.AXY connects to a certain URL where it downloads a configuration file containing a list of banking-related websites. Once the user attempts to visit any of the listed sites, a spoofed site is displayed instead of the real one, thus any critical information entered on the spoofed site will be sent to a remote user.

This threat, however, doesn't stand a chance against the Smart Protection Network, as all of its components (spam, URL and file) are already either blocked or detected."

Nigeria Hit Hard by Online Scams

In late June I posted about the problems Nigeria was having with their ATM systems. Now, Computerworld Kenya is reporting that banks have not done enough to protect consumers when it comes to online banking and online transactions. Here's a blurb from the June 23rd post on the problem with Nigerian ATMs, followed by Computerworld's story regarding online scams.

Pictured on the left are the corporate offices of the Central Bank of Nigeria (CBN).

Nigerians call for scrapping of ATM System

The current upsurge in nefarious activities of Automated Teller Machine (ATM) fraudsters is threatening the electronic payment system in the nation's banking sector, with users threatening massive dumping of the cards if the unwholesome act is not checked.

An investigation carried out revealed that two of every five ATM card users have become victims of fraud, and the sector's regulator (CBN), the service provider (Interswitch), law enforcement agents and banks are helpless, as they have not been able to provide or offer any solution.
Only recently, the CBN admitted that hundreds of millions of naira were lost to ATM-related theft last year alone. Every week, hundreds of bank customers across major cities are finding their deposits, or a substantial part of them, stolen by faceless crooks. The Special Fraud Unit (SFU) also confirmed recently that ATM fraud is on the increase in Nigeria.

It was also revealed that the activities of the fraudsters cut across all the banks having ATM facilities. Consequently, some users have said the technology should be scrapped if the activities of the scammers cannot be curtailed.

Online scams up as more Africans use the Internet... attackers are targeting the financial sector in particular

By Rebecca Wanjiku | Computerworld Kenya

Online scams targeting the financial sector are on the rise in Africa as more people access online banking services and mobile banking.

Phishing attacks are mainly occurring in South Africa, where online banking is common, while mobile money theft is common in other parts of Africa where Internet penetration is still low. As a result of the increase, South Africa's Absa bank, the largest in Sub-Saharan Africa, announced Tuesday that its Internet banking customers can download security software to curb cyberattacks.

A phishing attack aimed at Absa customers features a plain yet clever unsolicited message instructing them to follow a link and confirm their account information, a way for criminals to obtain passwords and user IDs.

Absa's online customers can download Trend Micro's Internet Security Pro 2009 for free, said Christo Vrey, managing executive of Absa Digital Channels.

The software is expected to protect home or office computers against viruses, spyware and other malicious threats. The phishing attacks have risen since 2005 when Barclays Bank bought Absa.

South African consumers are exposed to more phishing attacks because theirs is the only Sub-Saharan country with a developed online banking service. Other countries do not offer full-fledged online banking services and most of the population lacks bank accounts, but cybercriminals have not spared them either.

The Communications Commission of Kenya has set out on an exercise to educate consumers on cybercrime and other threats posed by the expected increase in Internet usage as a result of cheaper bandwidth. The East Africa Marine System and SEACOM cables are expected to start testing service in a month as the region prepares for cheaper connectivity. Expensive connectivity has limited the region's Internet penetration and electronic commerce is nonexistent, so cybercriminals have not targeted that area as much as South Africa.

However, cybercriminals in East Africa have used mobile phone-based tricks in which subscribers receive fake messages informing them that they have won money and are asked to transfer a certain amount via the phone as a "processing fee."

"The criminals normally use Tanzanian or Ugandan telephone numbers, which work across the region. It's interesting how mobile phone operators and authorities have not arrested the criminals," said Tyrus Kamau, an online security consultant based in Nairobi.

In Nigeria, the scams started with the infamous "419" e-mails that promised millions of dollars left behind by Africa's former dictators such as Sani Abacha and later evolved to promises of lucrative oil contracts. After officials cracked down, 419 e-mails slowed, but criminals shifted to mobile technology, which makes it hard to trace them.

"Nigeria is the most populous country in Africa and the crime has evolved just like in other countries, but the problem is the inability of most GSM operators to create unique profiles for their customers. In many countries, 98 percent of GSM users are prepaid and unidentifiable," said Fola Odufuwa, senior partner at Praxis Partners LLC.

Greed and ignorance have been cited as the reasons many people in Africa fall prey to the scams, as the criminals' Web sites are built to entice and make people fill out even the most intimate details.

Although Kenyan banks offering elementary online transactions have been keen on security, Kamau says that the banks have not done enough to protect consumers.


Overstock Drops Affiliates in 4 States Over Internet Taxes, then Rein"states" 2

Overstock.com's marketing affiliates in two states must have been in a total "state of confusion" as Overstock first "stated" that they were being dropped (so Overstock wouldn't have to collect sales tax) before, shortly thereafter, rein"stating" them. Hawaii made a "statement" by vetoing the internet tax bill, and California Gov. Arnold Schwarzenegger stated it made "absolutely no sense." I wonder if he said that from his estate?

Wall Street Journal: Overstock.com Inc. informed its marketing affiliates in four states — California*, Hawaii**, North Carolina and Rhode Island — that it is ending its business with them to avoid collecting sales tax.

Lawmakers in the states have passed or are preparing to pass legislation that would require companies to collect sales tax if they have marketing affiliates in the state. Affiliate marketers run blogs or Web sites and get a sales commission by featuring links to outside e-commerce sites.

Rival Amazon.com Inc. has taken similar steps in the past few days, ending ties with affiliates in three of the same states and warning about California.

The decision highlights mounting tensions between online retailers and cash-strapped states. Other states are considering similar laws that would use affiliates as a way to force companies to collect sales taxes for online purchases.

Chief Executive Patrick Byrne said Overstock plans to sever its affiliate relationships in each state that appears close to passage of similar laws, but will reinstate its businesses if the laws are found unconstitutional, vetoed or repealed.

Forcing e-commerce sites to collect tax upfront would strip a key advantage they have over traditional retailers, though consumers are technically supposed to pay a so-called use tax for online purchases on their own...
Continue reading at Wall Street Journal

**Update 1: Overstock.com Inc. reinstated Hawaii-based Internet affiliate advertisers today, after Hawaii's governor vetoed legislation that would have forced Overstock to collect taxes on sales in that state. Overstock shut down affiliate programs in several states where lawmakers wanted the Web retailer to collect taxes, even though it has no physical presence there.

*Update 2: Overstock.com Inc. reinstated California-based Internet affiliates after Gov. Arnold Schwarzenegger said it made "absolutely no sense" to go back to taxpayers to solve the state's budget deficit, following their recent tax hike, and that California should be doing everything it can to keep and create jobs in the state. "We couldn't be more pleased to have been directly told that the governor is going to focus on balancing the budget via cost cutting, and not by jamming consumers and small businesses with new taxes," Overstock Chairman and Chief Executive Patrick Byrne said.

