Wednesday, August 26, 2009

Top 11 eCommerce Paradigm Shifters Put HomeATM in Gear

I read an article at Internet and it got me
going as to why I believe it's a great time to be the only company in the world
with a PCI 2.x certified PIN Entry Device! 
Here's an excerpt,  followed by my Top 11 List...

The web accounts
for a bigger slice of the sales pie at Gap

The web outgrew total
revenue and store sales for Gap Inc. in the second quarter. But the most
telling statistic in Q2 about the overall importance of e-commerce to Gap is the
fact that the Internet now accounts for a significantly larger share of total
sales than it did just one year ago.

In the quarter ended Aug. 1,

Gap, No. 25 in the Internet Retailer Top 500 Guide,

  • Web sales are up
    from $224
    to $191 million in the second quarter of 2008.

  • Comparable-store sales decreased 8%.

  • The web’s percentage of total
    sales for Gap is 25% larger than one year ago

  • Net income declined 0.4% to $228 million from $229 million.

    “Building upon two years of work
    improving our economic model, we’re now putting further emphasis on changing the
    trajectory of our top line performance,” says Gap CEO Glenn Murphy.

    For the first half
    of the year:

    • E-commerce revenue increased
      to $491 million from $427 million.

    • Total sales declined 7.4% to $6.37
      billion from $6.88 billion.

    • The web’s percentage of total
      sales for Gap is 24% larger than one year ago

    • Net income declined 7.3% to $443 million from $478 million. 

    Okay...that is what instigated this post.  There have
    certainly been some interesting developments over the course of the last two
    years.  Let's take a look at my "Top 11 List" as it relates to an eCommerce
    payments platform:

    1. Debit
      has surpassed credit in both the number of transactions and volume.

    2. PIN Debit is the preferred of the two debits, online
      and offline.  (PIN and Signature)

    3. The "GAP" between eCommerce and Bricks and Mortar is

    4. Consumers have the fear of god, (I guess I shouldn't
      give hackers that much credit) instilled in them to the degree that over half
      have serious reservations and one-third won't even risk shopping online. 

    5. Brick and Mortar merchants are clamoring for lower Interchange Fees,

    6. PCI "certification" and "compliance" are at top of
      the news forefront,

    7. End-to-End Encryption, a term not heard prior to the
      Heartland Breach, is fast becoming a buzzword...

    8. Phishing, Keylogging and Malware are at an all-time high

    9. "Card NOT Present" Fraud is at an all-time high ...AND GROWING

    10. Recent reports state that no website is
      ...and, number 11:

    11. Banks are "worried" for the first
      . (The Password is "2FA E2EE Security")

      So when you add it all up what does this all mean?
        It means that the Paradigm Shift...feel free to call it the "perfect
      storm"...has begun to brew and gain momentum.

    Why not make "everybody" happy and solve all 11 problems at once.  The main culprit of CNP Fraud is the Web Browser.   So why not eliminate the CNP environment by eliminating typing and mandating swiping just as they do in the brick and mortar world? 

    Therefore, now is a really
    good time to offer the world the "only" PCI 2.x end-to-end 3DES DUKPT encrypted Pin
    Entry Device in two hemispheres.  By the way, our device, it could be argued,
    removes Internet Retailers from the scope of PCI
    Compliance because the data is neither stored nor handled when the card is

    It's also beneficial for
    HomeATM to own a globally patented PIN Debit platform which not only lowers risk
    and virtually eliminates chargebacks but is preferred by both merchants and
    consumers alike. 

    Imagine the demand if that very same platform were to significantly 
    lower Internet Retailers Interchange Fees...especially if
    the cost of the device was so inconsequential that it provided a return on
    investment as quickly as the first transaction.

    I would be great if that
    same platform eliminated the threat of phishing, cloned cards, cloned bank
    websites, DNS Hijacking and to a large extent malware.  (what would the malware
    steal if there wasn't any card holder/financial information data?)

    Having removed those threats, I guess the only "threat" to HomeATM's
    solution is...the dreaded Software PIN debit :-)  I still don't quite
    understand, especially in light of the recent exposes' on  inherent weaknesses within the browser space, how software PIN debit has
    gained the momentum it has, but I will say that Acculynk has done a wonderful
    job marketing their solution.  (In fairness to HomeATM, they have a lot less
    pushback as they don't have to move molecules. (hardware)  Then again, I don't
    consider that to be an encumbrance...I consider hardware to be an advantage. 

    For the sake of argument, let's give the software approach the benefit
    of the doubt.  Let's assume that hackers are too dumbfounded by mouse clicking
    technology to figure out how to crack a floating PIN Pad, they aren't handicapped when it comes to stealing credit and debit card numbers...

    In my humble opinion, the problem (SNAFU) with software
    PIN Debit is that in order for
    it to work, consumers must still "type" their Primary Account Number (PAN) into
    a box on a merchant checkout
    and...I think that
    have already
    proved beyond a shadow of a doubt that they can easily hack the PAN.

    The only way to prevent
    that from happening is for people stop typing.  So the obvious question is: If
    typing is eliminated...thus the required first step for a software PIN debit
    application is eliminated as well... what initiates the popup...oops,
    floating...PIN Pad at the checkout on a merchants website?  Hmmmm.....

    Let us assume the elimination of typing "isn't in the
    " (contrary to the picture I have envisioned in my mind and pictured
    on the right) for another couple years.  That would mean that Internet Retailers
    would have to choose between a software and a hardware approach to Internet PIN

    Aside from the aforementioned fact that hackers have proven they
    can steal credit and debit card numbers at their whim,
    why do I believe that
    HomeATM has the advantage? 

    One "very big" reason is that we provide the PCI
    compliance by removing the merchant from the scope of said compliance.  That
    fact alone would save Internet Retailers not only a pocketbook of cash, but
    eliminate more headaches than 10 cases of Excedrin. 

    More importantly,
    the fact that Internet Merchants would be PCI compliant would potentially save
    their business from an involuntary insolvency caused by exorbitant fines levied
    by MasterCard or Visa in the event of a non-compliance breach. 

    Considering that 85% of businesses suffered a breach in the last 12
    months (see 2009 Ponemon Report) that
    possibility poses a real threat.

    Another HomeATM advantage is there is
    no arguing the fact that our transaction methodology is immensely more secure. 
    In fact "security" is why we have the only PCI 2.x Certified PED specifically
    designed for eCommerce. (in the world)

    But, maybe our biggest
    advantage is that when you "swipe" the magnetic stripe, the Track2 data is
    captured...which is a requisite for a Card Present environment. 

    takes it one-step further and immediately encrypts the Track2 data providing
    another layer of security.  (the fact that our PED does that is now referred to
    as an "encryption enabled" Point of Sale Device) 

    HomeATM Worst Case Scenario - "Card Present" Internet PIN

    In my humble opinion, the
    "worst" case scenario, is that we
    create  a Card Present "Internet" PIN
    Debit" environment.  (although I would argue that we 100% replicate a brick and
    mortar PIN Debit transaction...for instance, one conducted at the Gas Pump, or
    at a Kiosk.)  But we would encourage MasterCard or Visa
    to create a Win (V/MC) Win (Internet Retailers) Win (consumers) "Card Present Internet PIN Debit"
    classification for Interchange.  Card Not Present Fraud has reached epic levels and shows no signs of letting up.

    Software's Best
    Case Scenario: "Card NOT Present" Internet PIN Debit

    On the other hand, Internet Retailers who
    decide to risk offering a  "type and click" format, which does not capture
    the Track2 data could only hope for a "best case scenario" classification of  "Card
    Not Present" Internet PIN Debit.   By definition, (Visa and MasterCard's) if the
    magnetic stripe data is never captured, then it creates a "Card Not Present"
    environment, thus transaction. 

    The fact that "CNP Fraud is at it's
    all-time high and is expected to continue to grow" bodes well for a Card Present
    Solution.  But, nevermind that...Simply ask "anyone" in the brick and
    mortar space if they prefer "card present" Interchange over "card not present"
    Interchange and you'll learn why HomeATM has a distinct advantage over a
    software, CNP solution.  We replicate a brick and mortar PIN
    Debit transaction whereas "software PIN debit" does not exist. (anywhere in the
    payments ecosystem
    ).  We are simply taking a "conventional approach" to
    securing card holder data for web transactions.  Software PIN debit is just
    another "alternative payment" system.

    Oh...last point.  HomeATM is EMV
    (Smart Card/Chip and PIN) ready.  There's no such thing as a software Chip and
    PIN.  Then again, I guess I could argue that there's no such thing as a software
    PIN Debit solution either as both require swiping vs.  typing.   Add to that fact that our device would also provide secure 2FA 3DES DUKPT E2EE secure online banking log-in and there's a value-added component to the mass distribution of our devices.  Especially considering the inherent flaws in online banking authentication.  (see related story below)

    Reblog this post [with Zemanta]

    SQL Injection (SQLi) Attacks Spread to 84,000 Website (and Counting)

    SQL Injection attack still spreading - 84000 and counting

    by Steve Ragan - Aug 26 2009, 21:10

    The automated SQL Injection (SQLi) attacks that gained attention late
    last week are spreading, and according to the researchers that
    discovered the attack, they are related to similar SQLi attacks in
    China.  ScanSafe, who discovered the attacks, thinks these attacks may
    be regionally targeted.

    The original report from ScanSafe looked only at the domain,
    which is injected via a malicious Iframe into a legitimate site by
    using various automated SQLi methods. At the time of the first report
    on Friday, the count was just under 55,000 sites. On Wednesday, the
    number of sites swelled to just over 84,000. Adding to this is the
    discovery of similar SQLi attacks taking place in China, leading
    ScanSafe to speculate that the attacks may be regional.

    The Malware served in the attacks reported by ScanSafe on Friday are
    a nasty cocktail of code, including backdoor related Malware,
    keylogging Malware, various Trojans and more...

    Continue Reading at The Tech Herald

    Reblog this post [with Zemanta]

    Obopay Teams with Nokia, Enters Crowded Mobile Money Market

    Nokia Enters Increasingly Crowded Mobile Money Market

    Teams with Obopay targets unbanked people in developing countries.

    Nokia is getting ready to launch Nokia Money, which will offer basic financial services on mobile phones, it said on Wednesday.

    It will enable consumers to send money, pay for goods, services and bills, and recharge their prepaid SIM cards, according to Nokia.

    Some Nokia phones will have the necessary client pre-installed, but users will also be able download and install the client on Nokia phones and devices from other vendors, said to Nokia spokesman Mark Durrant.

    It is also building a network of agents, where consumers will be able to deposit or withdraw cash from their accounts.

    Nokia has previously been a proponent of using NFC (Near Field Communication) -- a wireless communication technology with a range of a few inches -- for contactless payments.

    Nokia Money lets users send funds to another person just by using their mobile phone number. It can also be used to buy goods and services from merchants, pay utility bills and top up pre-paid SIM cards.

    Read More at PC World

    Reblog this post [with Zemanta]

    Visa Names Global Head of Strategy

    Visa Hires Oliver Jenkyn as Global Head of Strategy and Corporate Development

    San Francisco, Aug. 26, 2009--Visa Inc. (NYSE:V) today announced the appointment of Oliver Jenkyn as Visa Inc.'s Global Head of Strategy and Corporate Development. In this role, Jenkyn is responsible for developing and managing the company's corporate strategy across the 170 countries where Visa Inc. does business. Jenkyn succeeds Rupert Keeley, following Keeley's recent appointment to Group President of Visa's Asia Pacific and CEMEA regions. Jenkyn reports to Joe Saunders, Chairman and CEO of Visa Inc, and is a member of the company's Operating Committee.

    "Oliver has been a trusted advisor to Visa for several years, including important contributions to our global restructuring and IPO," said Joseph W. Saunders, Chairman and CEO of Visa Inc.

    Jenkyn joins Visa from McKinsey & Company's San Francisco office, where as Partner he was a leader in the firm's North American Payments and Retail Banking practices. While Jenkyn has extensive global experience across the financial services industry, he developed a specialty in payments including all aspects of the card business (issuing, acquiring, processing), ACH, check processing and cash management.

    Prior to McKinsey, Jenkyn worked with Bain & Company's private equity group.

    Jenkyn graduated summa cum laude from McGill University in Montreal with a bachelor's degree in economics. He also earned master's degrees in business and finance from Harvard University and Queens University.

    About Visa Inc.

    Visa Inc. operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit .

    Source: Company press release.

    Reblog this post [with Zemanta]

    Ehud Tenebaum (The Analyzer) Pleads Guilty to Hacking $10 Million from Banks

    The Analyzer’ Pleads Guilty in $10 Million Bank-Hacking Case

    By Kim Zetter | Wired

    Ehud Tenenbaum, aka “The Analyzer,” quietly pleaded guilty in New
    York last week to a single count of bank-card fraud for his role in a
    sophisticated computer-hacking scheme that federal officials say scored
    $10 million from U.S. banks.

    Editor's Tongue in Cheek  Note:  Now that both "The Analyzer" and "The Soup Nazi" are in Federal custody, it looks like the threat is over!  Man, those two guys sure wreaked havoc.  Good thing we caught them!  Now I look forward to typing my credit and debit card numbers into boxes on merchant websites and pick and pecking my username: and my 7 digit password: (1 of them is a number to make it harder!)  into boxes at online banks with the peace of mind in knowing that these two bad guys have been caught!   Here's more on E.T. from Wired:

    The Israeli hacker was arrested in Canada last year for allegedly
    stealing about $1.5 million from Canadian banks. But before Canadian
    authorities could prosecute him, U.S. officials filed an extradition
    request to bring him to the States.  (I think they whisked him here)

    Prosecutors alleged in an extradition affidavit that Tenenbaum
    hacked into two U.S. banks, a credit- and debit-card distribution
    company and a payment processor, in what they called a global
    “cash-out” conspiracy. But he was only charged with one count of
    conspiracy to commit access-device fraud and one count of access-device

    Tenenbaum is set to be sentenced Nov. 19, and he faces a maximum of
    15 years in prison. Prosecutors declined to comment on the case or
    describe the details of his plea agreement. The second count in the
    indictment, charging conspiracy, appears to have been dropped.

    Continue Reading at Wired

    Previous Stories about "The Analyzer" on the HomeATM Blog

    PIN Debit Payments Blog: Analyze This...Hack You!

    The Analyzer”,
    is currently in Canadian custody on charges relating to a fraud which
    netted US$1.47 million from Direct Cash Management in Calgary, a firm
    that sells pre-paid debit cards. Editor's Note: "He allegedly used SQL

    Is Heartland Hacker in Custody?

    Jailed international hacker and cyber criminal “The Analyzer,”
    (See Analyze This...More on "Hack You!") who awaits extradition to the
    US from Canada to face charges related to cyber crimes committed in
    2008, is now also a suspect in ...

    Financial Systems Unacceptably Vulnerable!

    “There are also new reports that 'The Analyzer',
    who was arrested last year in Canada for stealing $1.5 million from
    Canadian banks, also allegedly hacked two US banks, a credit card and
    debit card firm, and a payment processor firm. ...

    450K Per Day...Can You Say...SQL (Sequel)

    Tenenbaum, 29, also known as "The Analyzer,"
    gained notoriety 10 years ago when he broke into computer networks of
    NASA, the Pentagon and the Knesset, the legislative branch of the
    Israeli government. At the time, he was celebrated in ...

    Reblog this post [with Zemanta]

    MasterCard's Chip Authentication Program (CAP) Gains Support

    Thales extends support to MasterCard Advanced Authentication for Chip

    New solution secures online transactions executed with new and existing EMV cards

    Thales, leader in information systems and communications security, announces that SafeSign, the company’s identity management and authentication solution, has successfully completed MasterCard evaluation for its Advanced Authentication for Chip. MasterCard Advanced Authentication for Chip is the latest extension to EMV, the international card-based authentication solution. Building on their long-standing relationship, Thales and MasterCard continue to work together to help banks fight online fraud and ensure maximum consumer confidence in online transactions by supporting both newly issued and existing EMV cards.

    MasterCard Advanced Authentication for Chip allows two-factor authentication on EMV cards already issued that do not necessarily have offline PIN capabilities or have not been personalized according to the MasterCard Chip Authentication Program™ (CAP). This allows issuers to provide strong authentication to their cardholders without the need to re-issue their cards. This solution has been driven by regional demand, especially from the Asia Pacific Region and Latin America, where there are hundreds of millions of cardholders who need to be able to use their existing EMV cards to protect their online transactions. Thales has long supported MasterCard CAP with its SafeSign, HSM 8000 and payShield solutions.

    According to Art Kranzley, Chief Emerging Technology Officer at MasterCard, “Today, consumers still don’t feel safe when buying online or using e-banking facilities which is why it is important that we create the conditions needed for banks to be able to allay these fears. Thales and MasterCard have already delivered strong authentication solutions in the past, now with Advanced Authentication we are best placed to support banks in continuing fighting Card Not Present fraud and building confidence for online customers.”

    The new Advanced Authentication for Chip is operated by the cardholder inserting an EMV card into a Personal Card Reader (PCR). Once inserted, the PCR will perform specific card checks. If the card does not support offline PIN, the Advanced Authentication for Chip reader provides the option for a one-time password (OTP), challenge and response (C/R) or transaction data signing (TDS) which can be used for online user authentication and transaction signing. Otherwise the cardholder will first be prompted to introduce the PIN. This also means that Advanced Authentication for Chip is compatible with MasterCard CAP. SafeSign verifies and validates the OTP, C/R and TDS in order to effectively authenticate the user and provide additional security for online transactions.

    “Thales has collaborated extensively with MasterCard to provide user authentication solutions and online transaction signing for CAP. We have now added support for EMV cards that have been issued without CAP personalization or an offline PIN”, says Franck Greverie, Vice President, Managing Director for the information security activities of Thales. “Our support for Advanced Authentication for Chip demonstrates our continued commitment to work with MasterCard to enable our customers to make online and Card Not Present transactions safer for EMV card holders and dramatically reduce fraud.”

    SafeSign is Thales’s identity management and authentication solution that helps protect financial institutions and their customers against online fraud, enabling them to concentrate on delivering new products and services. Unlike other solutions, SafeSign supports a wide range of authentication technology including EMV/CAP, OATH tokens, mobile phones, smartcards and digital signature technologies. This approach allows SafeSign customers to maintain maximum flexibility in the selection of authentication that they deploy to meet their current and future needs.

    About MasterCard Worldwide
    MasterCard Worldwide advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry-leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard®, Maestro® and Cirrus®, MasterCard serves consumers and businesses in more than 210 countries and territories.

    Notes to editor
    Thales is one of the world leaders in the provision of Information and Communication Systems Security solutions for government, defence, critical infrastructure operators, enterprises and the finance industry. Thales’s unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation and through-life management services.

    Thales has forty years of unrivalled track record in protecting information from Sensitive But Unclassified up to Top Secret and a comprehensive portfolio of security products and services, which includes network security products, application security products and secured telephony products.

    About Thales
    Thales is a global technology leader for the Aerospace, Space, Defence, Security and Transportation markets. In 2008, the company generated revenues of 12.7 billion euros with 68,000 employees in 50 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners.

    Press Contacts:
    Alexia Ward/Sole Chirco
    +44 (0) 20 7608 4687/4673

    Reblog this post [with Zemanta]

    Skimming Prevention: Best Practices for Merchantsl

    PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

    New best practices are aimed at helping retailers -- especially small
    merchants -- but security experts say skimming risk runs deeper   
    By Kelly Jackson Higgins  | DarkReading

    The PCI Security Standards Council (PCI SSC) today unveiled best
    practices for retailers to defend themselves against the growing number
    of credit- and debit-card skimming scams. 
    To skim through it, click  Skimming Prevention: Best Practices for Merchants  (Word Document)

    Skimming credit- and debit-card data is becoming a popular way
    for cybercriminals to steal credit and debit card account numbers and
    execute financial fraud against grocery stores, gas stations, convenience stores, and other retailers and their customers,
    who are increasingly falling victim to hijacked card readers and ATM
    machines. Skimming occurs either by a malicious insider at the retail
    point-of-sale capturing the customer's card data, or more commonly by
    someone physically rigging a reader with a sniffer-type device to
    capture the data, which is then transmitted to the bad guys remotely. 

    "Skimming is becoming a widespread problem. These are guidelines for
    what retailers should be looking at" with their reader devices, says
    Bob Russo, general manager of the PCI SSC. "We discuss different
    techniques for protecting those point-of-sale devices."  But security experts say the council's skimmer protection
    guidelines are more a symptom of the already-broken system of credit
    and debit cards.

    "The concept of a 'credit card' as it exists today is
    the problem: If credit cards were cryptographic devices rather than
    just numbers, then none of these threats would be a problem," says
    Chris Paget, a security researcher.

    "The technology exists to implement
    this today and to completely eliminate credit card fraud, but it seems
    there's too much money being made from fraud for the card issuers to

    Editor's Note:  C'mon...really?  I don't think that's fair.  They care or they wouldn't be running advertisements and attaching rewards programs to signature debit.  The fact that signature debit is 15 times more likely to be fraudulent is only a coincidence isn't it?   In the Visa ad below, they are advertising their Debit card down under by saying... Just Remembah to Poosh the Credit Button"  (talk about skimming...)

    Continue Dark Reading

    Walmart Offers Customers Walk In Bill Payment Service from Fiserv

    Fiserv has announced that "Walmart has implemented the CheckFreePay service from
    Fiserv, enabling customers to pay bills in person at all Walmart locations in
    the United States. Using the CheckFreePay service, customers can pay household
    bills, such as their utility, mobile phone, auto loan, insurance and credit card
    bills, at any one of the retailer?s 3,755 domestic locations, including Walmart
    SuperCenters and Neighborhood Markets."

    CheckFreePay service from Fiserv gives customers the ability to pay bills from
    more than 2,500 companies. Payments can be made at the Walmart MoneyCenter or
    customer service desk using cash or a pin-based debit card. Standard payments
    are delivered to the biller within three business days, and NextDay payments are
    delivered to the biller on the next business day. A receipt is provided as
    assurance of payment.

    is continually searching for new ways to save our customers money and improve
    their daily lives," said Jane Thompson, president of Walmart Financial Services.
    "Already, customers look to our stores as a place to make everyday purchases at
    low prices. Offering our customers the convenience of walk-in bill payments at
    Walmart helps them simplify the management of their day-to-day finances."

    made using the CheckFreePay service are delivered electronically, which ensures
    a fast and secure transaction for Walmart customers. Payments flow quickly and
    seamlessly to the billing company via Fiserv's secure electronic payment
    network, which processes more than one billion transactions each year.

    CheckFreePay service enables retailers to offer their customers an affordable
    walk-in bill payment option," said Paul Harrison, senior vice president and
    general manager, Walk-In Solutions, Fiserv. "It is our goal to provide a variety
    of convenient locations for consumers to pay their bills in person, and we are
    excited that Walmart is now part of our nationwide network of CheckFreePay

    is a leader in the walk-in bill payment market, enabling consumers to pay more
    than 2,500 bills at more than 16,000 retail agent sites nationwide. CheckFreePay
    agents include supermarkets, drugstores and convenience stores, along with
    hundreds of independent and chain store retailers. CheckFreePay is a part of
    Fiserv, which is also a leading provider of Internet banking and bill payment
    and presentment services.

    For more information, visit

    Reblog this post [with Zemanta]

    Disqus for ePayment News