Thursday, July 9, 2009

Magstripe 101

What Is The Stripe On the Credit Card?

Each day we use our bank-issued credit cards, swiping them through stores' card readers to pay for our purchases. How can something so small hold all your bank information? What allows the card reader to see that information? And what is that dark stripe on the back of our cards?
The stripe on the back of a credit card is a magnetic stripe, also called a “MagStripe”. The magnetic stripe is made up of tiny iron-based magnetic particles in a plastic-like film. Each particle is really a tiny bar magnet about 20-millionths of an inch long.

Data can be written to the magnetic stripe because each tiny bar magnet can be magnetized in either a north-pole or a south-pole direction. The magnetic stripe is very similar to a cassette tape.
A magnetic stripe card reader can then read the information that has been written on the three-track stripe.
If the credit card isn’t being accepted, your problem is probably one of the following:

* A dirty or scratched MagStripe
* An erased magnetic stripe
  * The most common causes of an erased MagStripe are exposure to magnets, like the ones that hold notes and pictures on your refrigerator, or exposure to a store’s EAS (Electronic Article Surveillance) tag demagnetizer.
* Or you are just out of money.

Each of the three tracks on the magnetic stripe is about 1/10th of an inch wide. The ISO/IEC standard 7811, which is used by some banks, specifies:

* Track one – 210 bpi (bits per inch), and holds 79 6-bit plus parity bit read-only characters.
* Track two – 75 bpi, and holds 40 4-bit plus parity bit characters.
* Track three – 210 bpi, and holds 107 4-bit plus parity bit characters.

Credit cards typically use only tracks 1 and 2. Track 3 is a read/write track (which includes your encrypted PIN, country codes, currency units and amount on your account); its use is not standardized among all banks.
The information on track-1 is contained in two formats: A, which is reserved for proprietary use of the card issuer, and B, which includes the following:

* Start sentinel – one character
* Format code = “B” – one character (alpha only)
* Primary account number – up to 19 characters
* Separator – one character
* Country code – three characters
* Name – two to 26 characters
* Separator – one character
* Expiration date or separator – four characters or one character
* Discretionary data – enough characters to fill out maximum record length (79 characters total)
* End sentinel – one character
* Longitudinal redundancy check (LRC) – one character. The LRC is a form of computed check character.

The format for track two, developed by the banking industry, is as follows:

* Start sentinel – one character
* Primary account number – up to 19 characters
* Separator – one character
* Country code – three characters
* Expiration date or separator – four characters or one character
* Discretionary data – enough characters to fill out maximum record length (40 characters total)
* LRC – one character
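
The character coding behind the track two layout above, as an added example that is not part of the original post: each character is four data bits plus an odd parity bit, and the LRC is the XOR of the data bits of every character before it. The `;`, `=` and `?` characters (start sentinel, separator, end sentinel) come from the standard track 2 character set rather than from this page, the country code field is left out, and the card values are constructed.

```python
"""Track 2 coding: 4 data bits + odd parity per character, closed by an LRC."""

START, SEP, END = ";", "=", "?"   # track 2 sentinels and separator (from the standard)


def encode_char(ch):
    """Return the 5 bits for one character, least significant data bit first."""
    value = ord(ch) - 0x30                      # '0'..'?' map to 0..15
    if not 0 <= value <= 15:
        raise ValueError(f"{ch!r} is not in the track 2 character set")
    bits = [(value >> i) & 1 for i in range(4)]
    bits.append(1 - sum(bits) % 2)              # odd parity: count of 1s is odd
    return bits


def lrc_nibble(text):
    """XOR of all data nibbles, which gives even parity down each bit column."""
    lrc = 0
    for ch in text:
        lrc ^= ord(ch) - 0x30
    return lrc


def encode_track2(pan, expiry, discretionary=""):
    """Build the bit stream: start sentinel, fields, end sentinel, then LRC."""
    text = f"{START}{pan}{SEP}{expiry}{discretionary}{END}"
    if len(text) + 1 > 40:
        raise ValueError("track 2 holds at most 40 characters including the LRC")
    bits = []
    for ch in text:
        bits.extend(encode_char(ch))
    bits.extend(encode_char(chr(0x30 + lrc_nibble(text))))
    return bits


def decode_track2(bits):
    """Decode a bit stream; raise ValueError on a parity or LRC failure."""
    if len(bits) % 5:
        raise ValueError("bit stream is not a whole number of 5-bit characters")
    chars = []
    for pos in range(0, len(bits), 5):
        group = bits[pos:pos + 5]
        if sum(group) % 2 != 1:                 # per-character (row) check
            raise ValueError(f"parity error in character {pos // 5}")
        chars.append(chr(0x30 + sum(b << i for i, b in enumerate(group[:4]))))
    text, lrc = "".join(chars[:-1]), chars[-1]
    if not (text.startswith(START) and text.endswith(END)):
        raise ValueError("missing start or end sentinel")
    if ord(lrc) - 0x30 != lrc_nibble(text):     # whole-record (column) check
        raise ValueError("LRC mismatch")
    pan, _, rest = text[1:-1].partition(SEP)
    return {"pan": pan, "expiry": rest[:4], "discretionary": rest[4:]}


def read_status(bits):
    """Return 'ok' or the reason a read was rejected, as a reader would."""
    try:
        decode_track2(bits)
    except ValueError as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not a real card.
    good = encode_track2("1234567890123456", "0912", "000")
    print(read_status(good), decode_track2(good))

    scratched = list(good)
    scratched[15] ^= 1                          # one damaged bit in character 3
    print(read_status(scratched))

    double = list(good)
    double[15] ^= 1                             # two damaged bits in one character
    double[16] ^= 1                             # slip past parity, not past the LRC
    print(read_status(double))
```

A single damaged bit, as from a scratched stripe, fails the per-character parity check, while an even number of damaged bits inside one character is caught only by the LRC.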

There are three basic methods for determining whether your credit card will pay for what you’re charging:

* Voice authentication – small merchants do this using a touch-tone phone.
* Electronic data capture – (EDC) MagStripe-card swipe terminals
* Virtual terminals on the Internet

How all of this works:
After the credit card is swiped through a reader, the EDC software at the point-of-sale (POS) terminal dials a stored phone number (using a modem) to call an acquirer. An acquirer is an organization that collects credit card authentication requests from merchants and provides the merchants with a guarantee of payment.
When the acquirer company gets the credit-card authentication request, it checks the transaction for validity and the record on the MagStripe for:

* Merchant ID
* Valid card number
* Expiration date
* Credit-card limit
* Card usage

Single dial-up transactions are processed at 1,200 to 2,400 bits per second (bps), while a direct Internet connection runs at much higher speeds over Internet protocol. With Internet protocol, the cardholder enters their personal identification number (PIN) using a PIN pad.
The PIN is not on the card; it is encrypted in the database. When your PIN is created, it can be entered on the bank’s computers in an encrypted form.
Also, the communications between the ATM and the bank’s central computer are encrypted to prevent would-be thieves from tapping into the phone lines, recording the signals sent to the ATM to authorize the dispensing of cash and then feeding the same signals to the ATM to trick it into unauthorized dispensing of cash.
If all of this isn’t enough protection, there are now cards that utilize even more security measures than your conventional credit card: Smart Cards.


Consumers’ fears about online fraud 

New Consumer Research from the Secure POS Vendor Alliance Underscores Need for Greater Payment Security Measures

Global survey results are call to action for industry players to increase consumer trust

Seventy-three percent of consumers surveyed in the United States, France and Great Britain say that more stringent standards are required before they will trust the security of their credit card transactions.

And almost half (46 percent) are concerned about the potential for a security breach when paying with their credit or PIN-based cards, according to an international survey released today by the Secure POS Vendor Alliance (SPVA), a non-profit business organization created by Hypercom (NYSE: HYC), Ingenico S.A. (EURONEXT: ING) and VeriFone (NYSE: PAY).

SPVA focuses on standardized implementation of existing security standards, security of the payment device lifecycle and security threat analysis and intelligence.

“Security is clearly a pivotal issue for the industry and consumers,” said Christophe Dolique, SPVA Chairman and EVP, Global Marketing & Transaction Services at Ingenico. “These findings confirm the strong correlation between the strength and quality of security and consumers’ views and behaviors toward using card payment systems presenting the payments industry with a unique opportunity to come together and achieve positive change.”

When paying for goods, consumers are entering their PIN number when making purchases using their cards 74% of the time.
Figures vary in the UK (84%), USA (56%) and France (74%).

Growing awareness of data breaches that industry experts have been working to combat for years leads 62 percent of consumers to feel particularly worried about using their card and PIN to make a purchase if the outlet had suffered a data breach.

Eighty-four percent say that companies that suffer a data breach should be required to make the incident public, reinforcing the idea that vendors and retailers run the risk of devastating their brand if a breach occurs.

Sixty-five percent of respondents report that they are often or always concerned about Internet fraud.



The SPVA survey results represent 1,030 consumers: 407 UK, 303 USA, 320 France (51 percent male, 49 percent female, average age 40). It has a three percent margin of error and was conducted by Loudhouse Research, a London-based research consultancy firm. Complete survey data can be found at

About SPVA (
The Secure POS Vendor Alliance (SPVA) is a non-profit organization that works with the multiple stakeholders of the payment value chain. Its aim is to develop an end-to-end security framework and to enhance security elements of payment solutions which protect cardholder information and defend merchants and acquirers against security breaches, while helping reducing fraud and lowering risk for all electronic payment stakeholders.

About Hypercom (
Global payment technology leader Hypercom Corporation delivers a full suite of high security, end-to-end electronic payment products and services. The Company's solutions address the high security electronic transaction needs of banks and other financial institutions, processors, large scale retailers, smaller merchants, quick service restaurants, and users in the transportation, petroleum, healthcare, prepaid, unattended and many other markets. Hypercom solutions enable businesses in more than 100 countries to securely expand their revenues and profits. With its acquisition of Thales e-Transactions in 2008, Hypercom became the second largest provider of electronic payment solutions and services in Western Europe, and solidified its position as the third largest provider globally.

About Ingenico (
Throughout the world, banks and retailers rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico solutions leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them.

About VeriFone Holdings, Inc. (
VeriFone Holdings, Inc. (“VeriFone”) (NYSE: PAY), a global leader in secure electronic payment technologies, provides expertise, solutions and services for today with a migration strategy for tomorrow. VeriFone delivers solutions that add value to the point of sale, resulting in improved merchant retention and the generation of new sources of revenue for its partners and customers. VeriFone solutions are specifically designed to meet the needs of vertical markets including financial, retail, petroleum, government and healthcare.



UATP Adds Virgin America as New Merchant

UATP adds Virgin America as new merchant

Washington, July 9, 2009 -- Universal Air Travel Plan, Inc. (UATP) continues its expansion adding Virgin America as its newest merchant effective immediately. To meet customer demand, Virgin America adds UATP as a form of payment to help expand its market share in the airline industry.

"As a new airline, we've quickly recognized the demand for UATP acceptance and want to expand our corporate client base while lowering distribution costs," said Diana Walke, Vice President of Planning and Sales at Virgin America. "Virgin America is injecting some healthy competition into the airline industry with our award-winning service, low fares and upscale amenities - and corporate travelers are responding."

Launched in August 2007, Virgin America is a new California-based airline on a mission to make flying good again - with brand new planes, attractive fares, topnotch service, and a host of innovative amenities that are reinventing domestic air travel. UATP will enhance Virgin America's strategic plan through UATP's mission of helping airlines lower distribution costs with low merchant service fees and a global network available to all corporate travelers. Ticket purchases are available to the UATP Network through traditional channels and Virgin America will continue to enhance availability for all UATP cardholders.

"Focusing on the key drivers for success, a strong business strategy and expanding services, Virgin America has positioned itself for rapid growth," Ralph Kaiser, president and CEO, UATP stated. "The Virgin brand is a leader in the airline industry and Virgin America will be able to increase its market share in the corporate travel arena."

The airline's base of operations is San Francisco International Airport's ultra-modern International Terminal. Virgin America flies to San Francisco, Los Angeles, New York, Washington D.C., Seattle, Las Vegas, San Diego, Boston and Orange County.

For more information, visit or .

About UATP

UATP accounts are accepted as a form of payment for corporate business travel by Amtrak(R), airlines and travel agencies worldwide. UATP accounts are issued by: Air New Zealand (ANZFF.PK), American Airlines (NYSE: AMR), Austrian Airlines (AUALF.PK), Continental Airlines (NYSE: CAL), Delta Air Lines (NYSE: DAL), Japan Airlines (JALSY.PK), Northwest Airlines, Qantas Airways, Ltd. (QUBSF.PK), United Airlines (Nasdaq: UAUA), and US Airways (NYSE: LCC). AirPlus International issues the UATP-based Company Account for: British Airways (LSE: BAY.L), Continental Airlines (NYSE: CAL), and Lufthansa German Airlines.

Source: Company press release.

Alipay Knocks Out Paypal as World's Largest eCommerce Payment Platform

Alipay Punches in as #1 Contender for First Time...

Editor's Note: Could not resist using the picture on the right. The first thing that came to mind when I read the Alipay article below was Ali "delisting" Liston as champion. Speaking of List-on, PayPal is now List-ed as #2 as Alipay registered its 200 millionth user. (PayPal had 180 million at last count.)

No worries PayPal...China is kicking our butt in everything, internet users, video games, etc. so I would take it with a grain of (smelling) salt. 

Here's the story:

From China Tech News

Chinese online payment platform Alipay has announced that the company has gained over 200 million users, exceeding the world's largest e-commerce payment platform Paypal.

According to news on, at the end of August 2008, the number of Alipay users reached 100 million. It took five years for Alipay to accumulate the 100 million users since it first appeared on in October 2003. During the past ten months, the number of Alipay's users further increased from 100 million to 200 million.

Prior to this, the world's largest third-party payment platform PayPal said it had about 180 million users in 190 countries and regions around the world. With the 200 million users, Alipay exceeds PayPal for the first time to become the world's largest third-party online payment platform by user scale, and its users are mainly from the Chinese market.

Shao Xiaofeng, president of Alipay, told local media that though Alipay's current trading value is still lower than that of Paypal, the company is expected to exceed the latter within three years.

Alipay's rapid development is closely related to the fast growth in the number of Chinese netizens and the development of the country's Internet economy. Statistics released by China Internet Network Information Center show that by May 2009, China had 320 million netizens and about 62.5% of these netizens are users of Alipay. In addition, the number of Chinese netizens is expected to reach over 600 million in the next two years.


eBillMe Introduces CashBack Loyalty Program

First Rewards Program for Online Cash Checkout Announced by eBillme

Online shoppers who pay using eBillme will now receive cash back for every purchase
This is truly a landmark offering for online cash payments

Rye Brook, NY (PRWEB) July 9, 2009 --Cash back rewards, a loyalty program traditionally associated with expensive credit cards, has now entered the cash world.

Starting today, eBillme(TM), the payment option that enables consumers and small businesses to shop debt free and pay securely with cash, will give consumers 1% cash back for every purchase made using the cash checkout option. All consumers are eligible for the eBillme Rewards Program.

"This is truly a landmark offering for online cash payments," says Marwan Forzley, President and CEO of eBillme. "More consumers are shifting away from credit and making better financial decisions. We want to reward shoppers who pay with cash by offering the perks of shopping online with a credit card but without the interest fees and debt. Not only does eBillme offer a higher level of protection and more safeguards than a credit card with our buyer protection program, but now, every eBillme purchase will earn consumers cash rewards. There could not be a better time for consumers to try secure cash checkout with eBillme."

In order to qualify, online shoppers select eBillme for checkout at one of over 800 online merchant sites offering the credit card alternative payment option. Consumers can then sign-up for eBillme's cash back rewards and immediately start earning 1% cash back for every order. Once $10 in rewards has been earned, the cash can be redeemed on eBillme merchant sites, or shoppers may choose to continue earning before redeeming.

eBillme is the most secure way to pay online. When shoppers choose the option at checkout, their order is confirmed with an eBill sent to their e-mail address. Consumers simply pay the eBill through their online checking or savings account - the same way they pay utilities, loans, insurance, and other bills. The transaction occurs securely, bank to bank, with no personal or financial information required or transmitted over the Internet. And with buyer protection features including a satisfaction guarantee, best price guarantee, in-transit protection, and fraud protection, consumers can shop with confidence knowing their eBillme transaction is guaranteed and protected.

ABOUT eBillme
eBillme(TM) is the only online payment solution that extends the convenience of online banking to the merchant's checkout process. The service enhances security for online shoppers, and enables merchants to increase sales while reducing transaction costs. No financial data is exposed and the payment transaction is securely transferred from the customer's bank to the retailer's bank. Consumers can shop online, by catalog or through call centers, and pay for their purchases at their bank, credit union, or bill pay portal using the security and convenience of online banking. For more information, please visit or eBillme's Online Debt-Free Shopping Mall,



Want to Read Something Scary? DDoS Attacks from North Korea?

Report: North Korea May Be Behind DDOS Attacks On U.S., Korean Government Sites
By Tim Wilson | DarkReading

Supporters of North Korea may be behind a series of denial-of-service attacks that have crippled U.S. and South Korean government Websites during the past five days, a news report says.

According to an Associated Press report, an unnamed South Korean lawmaker's aide stated that intelligence agencies believe North Korean sympathizers are behind the distributed denial-of-service attacks, which overwhelmed at least a dozen U.S. government sites and 11 South Korean sites, including the U.S. White House and South Korea's Blue House.

The National Intelligence Service -- South Korea's main spy agency -- told AP it couldn't immediately confirm the report.

Other news reports say the attacks also targeted nongovernment sites, including the New York Stock Exchange, the Nasdaq stock market, and The Washington Post.


Study: Encryption Reduces Risk of Data Breach

Encryption reduces risk of data breach: study - Computer Business Review : News
Well here's a surprising insight.  A new study from the Ponemon Institute found that...are you ready?  "Encryption reduces risk of data breach"  I guess the next study should be whether or not it's safer to type or swipe.  Because swiping your card means the data is encrypted.  I can save them the cost of performing the study.  Swiping Reduces the Risk of Cardholder Data Being Breached!

Published:08-July-2009  By Kevin White

Enterprise encryption technology not fully exploited

Encryption does help reduce the likelihood of an enterprise data loss or data breach incident latest research has confirmed, but organizations are still not doing as much as they could with the technology.

In a study carried out by the reputable Ponemon Institute for PGP Corp, a third of those companies reporting no data loss incident in the last year claimed to have instigated an enterprise-wide encryption policy.

In contrast, organizations experiencing the highest number of data loss incidents were found to be the least likely to have introduced a consistently enforced, company-wide strategy governing the use of data encryption technologies.

Of firms reporting more than five loss incidents, none had any kind of encryption strategy in place.

The study found that 57% of UK businesses are now using some type of encryption solution in order to protect sensitive information, with around 36% having introduced a partial strategy to protect certain applications, departmental activities or data such as credit card numbers.

“Encryption is most widely used to protect the data held on file servers, Virtual Private Networks (VPN) and databases. VOIP and mainframe encryption are the least deployed applications,” the report noted.

Despite the widespread use of smartphones, only 34% of the study participants said they believe it is only sometimes necessary to encrypt the confidential data held on portable devices. Some 13% think it completely unimportant.

As many as 615 IT security professionals at enterprises and public sector organisations were polled for the study, which found that 70% of UK organisations have been hit by at least one data breach incident within the last year. That number is up from 60% in the previous year.

To Read the Full Report Click Here  (requires registration)

In its 2009 Annual Study: UK Enterprise Encryption Trends, Ponemon notes that the public sector experienced the highest number of data loss incidents in the last year.

Phillip Dunkelberger, CEO of PGP said, “This study underlines the critical importance of implementing an encryption strategy that encompasses all aspects of an organisation’s data, not to just meet privacy or data security regulations but to also protect against brand damage and loss of customers."

Yesterday, Kent-based Jubilee Managing Agency Ltd became the latest company to be found in breach of the Data Protection Act, after the insurance company had to report the loss of an unencrypted disk containing the personal details of around 2,100 individual UK policyholders.

It has been instructed by the ICO to sign a 'formal undertaking' to enhance its data protection methods.

The Ponemon Institute has estimated the average UK data breach costs a total of £1.7 million - said to be the equivalent of £60 for every record compromised.


Suicide Linked to TJX Probe - Hackers 11

Former Teen Hacker’s Suicide Linked to TJX Probe

A Miami man who achieved fame as a teenager for hacking NASA and the Pentagon took his own life last year after Secret Service agents accused him of being part of the conspiracy responsible for the largest identity theft in U.S. history, his family says.

Jonathan James, 24, was found dead of a self-inflicted gunshot wound in his home on May 18, 2008, less than two weeks after agents raided his house in connection with a hacking ring that penetrated TJX, DSW and OfficeMax, among others. In a five page suicide note, James wrote that he was innocent, but was certain federal officials would make him a scapegoat.

“I have no faith in the ‘justice’ system,” he wrote. “Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.”

The note was provided to this week by James’ father, Robert, who kept the details of his son’s death quiet for over a year because of the ongoing prosecutions over the retail hacks.

James apparently suffered from depression; agents executing the search warrant found another suicide note James had written years earlier, but did not seize his gun. The Secret Service declined to comment on the matter Wednesday, citing the continuing TJX prosecutions.

“Sometimes I thought he was pretty smart,” says his father. “Sometimes I thought, oh my God, I’ve raised an idiot. And the jury is still out.”

Continue Reading at Wired

Guide to Internet Scams, Hacks and Hoaxes

As Internet scams increase in sophistication, Network Box advises users to be more alert, with the publication of a whitepaper regarding common hoaxes, hacks and Internet horrors. The whitepaper looks at the different kinds of common attacks, with examples of each, and simple ways for IT managers and employees alike to avoid falling victim to them. Editor's Note: As the graphic on the left depicts, people could avoid getting hit with these by exercising a little common sense.

The ‘hacks’ section looks at attacks through application vulnerabilities and SQL attacks, and gives a number of examples of high profile recent hacks, including the attack on hosting company,, which had more than 100,000 websites deleted from its systems.

The guide shows an example of the log in page of a hoax site (pretending to be Natwest) next to the real site, to show how sophisticated some of these fraudulent sites can be now. It advises users to look out for the padlock symbol, indicating the authenticity of the site; https, rather than http – always used by real sites for sending secure information over the Internet; and the real URL, as opposed to a bogus URL – commonly (and easily) overlooked by users.

The guide is available in PDF format here.

CFIB Urges Code of Conduct for Card Issuers, MasterCard's Response

Canadian Federation of Independent Business urges credit card issuers, banks to adopt a Code of Conduct

The Canadian Federation of Independent Business is calling on credit card companies and local banks to sign up to a Code of Conduct for small business.

The code includes ten practices which are meant to strengthen the collaboration between credit card companies, card processing companies and banks on the one hand and their small business customers on the other.

According to the proposed Code of Conduct, credit card companies should not introduce a "percentage of sale" fee if they become active in the debit card marketplace, premium cards should never be distributed without the customer's request, and merchants should be aware of the total fee associated with a card before accepting it. Merchants should also be able to exit a contract without penalty if the contract terms are modified.

The organization has taken this initiative as "small firms across Canada are outraged with the dramatic rise in credit card merchant fees and the introduction of new premium cards by Visa, Mastercard and Canadian banks" according to Dan Kelly, the organization's senior vice-president of legislative affairs, cited by Yahoo! Finance.

Canadian Federation of Independent Business is an alliance of Canadian independent small and medium-sized businesses which has been giving small firms a voice in the public arena.

Statement from MasterCard Canada re: CFIB Proposal

TORONTO, /CNW/ - MasterCard Canada agrees with the Canadian Federation of Independent Business that a non-regulated solution to small merchant concerns about credit and debit card acceptance is best.

MasterCard has already been in discussions with the CFIB and made proposals to address issues of concern and has requested and received details of the CFIB proposal today. MasterCard looks forward to continued productive discussions in upcoming meetings.

Canada has a dynamic and well-functioning payments system where merchants and consumers enjoy unparalleled access to numerous payment methods. "Any consideration of changes to the system needs to look at the realistic impacts on consumers and their ability to make safe, secure and convenient purchases and merchants to conduct business effectively," said Kevin Stanton, President MasterCard Canada. "We applaud the CFIB's proposal as a good start toward reaching a commercial solution that addresses small merchant concerns without harming or disrupting a payments system that flawlessly facilitates over $260 billion in Canadian commerce each year.

MasterCard continues to work with the retail sector towards practical, meaningful solutions that serve the best interests of both consumers and merchants."

For further information: Jennifer Reed, MasterCard Canada, (416) 365-6664,

