Thursday, June 24, 2010

Airline & Travel Payments Summit Co-Hosted by UATP Discount Ends June 25th

ATPS 2010 San Francisco


Friday, June 25 2010, is the last day to register at a discount for the 4th Airline & Travel Payments Summit, Co-Hosted by UATP.

ATPS is the only event to bring together the Payments Industry with the Airline/Travel Industry to discuss how to best cut payment and fraud-related costs and improve the bottom-line profits of travel & hospitality providers.

With payment & fraud costs accounting for as much as 4 to 5% of a travel merchant's total revenues, payment costs often exceed the travel industry's profit margins. So, learn about the latest alternative payment & fraud solutions to reduce payment costs, discuss the impact of credit card fees on the bottom-line and network with the widest variety of travel payments professionals at the only payments event for the airline & travel industry: ATPS!

Find out more details and register for a discount on/before Friday, 25 June 2010, at:

Visa's Days of Dominating the Debit Card Market May Be Numbered

Constantine and Cannon's Antitrust Today Blog posted an article on the Debit Legislation which leads them to conclude that "Visa's days of dominating the debit card market may be numbered."

That's not good news since debit will continue to "dominate" the payments space for years to come.

While you're here, take a look at this piece:  Can Innovation Break Up the Visa/MasterCard Duopoly?

June 23, 2010

House-Senate Conferees Take Aim At Debit Cards

The House-Senate Conference Committee considering financial services reform legislation is on the verge of adopting provisions that could shake up the world of debit cards.

After much controversy and intense lobbying by merchants and banks, key conferees have announced an agreement that preserves most of the Durbin Amendment and, remarkably, adds a critical and potentially groundbreaking new prohibition aimed at the networks and debit issuing banks.

While the situation remains fluid and things could change, if this agreement holds the merchants have won a huge victory.

In discussing where things currently stand, let’s start with the key provisions regarding debit interchange.

While the Federal Reserve still will be given the power to pass rules regarding debit interchange, those rules will not apply to federal, state and local government program prepaid debit cards. Reloadable prepaid cards, such as the cards increasingly used by the unbanked, are also exempted.

In another change the definition of “interchange transaction fee” has been changed to prevent the Fed from regulating the fees that banks pay to Visa and other debit networks for membership except to the extent that such fees are used to undermine the interchange regulations.

Lastly, in a potentially significant change, the Fed can now take fraud prevention costs into account in configuring rules aimed at capping the amount that merchants will pay for debit interchange but such costs can only be considered if a bank demonstrates that they are complying with standards established by the Fed to reduce fraud.

That brings us to the most significant change that came out of the conference. The initial legislation included a provision that prohibited the card networks from passing rules against merchants from offering discounts to favor one card network over another. That provision has been removed.

Instead, the agreement includes a provision that directs the Fed to adopt rules that preclude debit network exclusivity that comes about by “contract, requirement, condition, penalty, or otherwise.” This provision could effectively nullify the partnership agreements between numerous banks – particularly some of the largest banks in the country – and Visa, as those agreements have resulted in an increasing number of debit cards bearing on the Visa and Interlink.

Indeed, the bill’s specific language would appear to permit the Federal Reserve to invalidate (by rule) many existing Visa agreements that effectively require banks to issue either Interlink-only PIN-debit cards or Visa/Interlink only signature/PIN debit cards. In this respect, the new language in the bill specifically states that “an issuer or payment card network shall not directly or through any agent, processor or licensed member . . . restrict the number of payment card networks on which an electronic debit transaction may be processed to (i) 1 such network; or (ii) 2 or more such networks which are owned, controlled or otherwise operated by (I) affiliated persons; or (II) networks affiliated with such issuer.” One could certainly argue that Interlink is “affiliated” with Visa, as it is, in fact, owned by Visa.

If this provision is signed into law it could have a groundbreaking impact on the debit market – perhaps even a greater impact than the “interchange rate caps” portion of the bill. Visa has dominated that market for decades and it has perpetuated that dominance in recent years via de facto or de jure arrangements with many banks that made Visa’s debit network, signature and PIN, their exclusive POS debit networks. If that ends, competing networks, including MasterCard and the PIN debit competitors such as Star, PULSE, NYCE, Shazam and others may step into the breach.

Combined with substantial reductions in debit interchange such changes may well signal the end of signature debit. This means that Visa’s days of dominating the debit market may be numbered.

Card Data Security in an IP World White Paper

A Frost and Sullivan White Paper sponsored by TNS

Card data security is becoming increasingly important as a business enabler for retailers, consumer billing organizations and other participants in the payments industry. Managing the growing security threats and ensuring compliance in an IP world impacts an organization’s ability to retain customers and to acquire new ones.

Reliable broadband connections, either wired or wireless, offer significant advantages over legacy technologies e.g. dial-up or leased line, including "always-on" connectivity, faster transaction speeds and lower costs of support. 

While a shift to IP based payment systems (from legacy systems) offers many advantages to businesses, it also presents a much more advantageous environment for cybercriminals to operate as the protocols are easily understood; they can easily remain anonymous on public IP networks, and maintain hundreds or thousands of simultaneous connections for malicious purposes such as Denial of Service, which can make payment networks unavailable for processing transactions.

Against this background, Frost & Sullivan research indicates that:

  • Fraud and other risks associated with internet or IP-based crime continue to grow and pose a major challenge to both merchants and their bank acquirers;

  • A combination of compliance and utilization of enhanced security techniques are among practices that can help to protect organizations from card fraud;

  • Secure outsourcing of payments networking is an effective means to deal with the increasing threat of card fraud and the mounting burden of compliance.

To learn more about card data security, request a copy of the Frost and Sullivan white paper by clicking here.

Acquires Vendio

SAN FRANCISCO (DOW JONES)--Chinese ecommerce giant (1688.HK) has expanded its U.S. presence by agreeing to acquire Vendio Services, Inc., a small software-as-a-service startup that helps merchants sell their goods on sites such as Inc. (AMZN) and eBay Inc. ...

Here's the official Press Release from Business Wire: Acquires Vendio, Continues to Advance Global E-Commerce Platform

Acquisition Integrates AliExpress and Vendio E-Commerce Services into a Complete Solution for Small Businesses in the U.S.
HONG KONG--(BUSINESS WIRE) (HKSE:1688.HK) (HK.1688), the world’s leading e-commerce company for small business, has entered into an agreement to acquire Vendio Services, Inc., a multi-channel e-commerce company providing a one-stop solution for small businesses that are selling online across multiple channels. From the Vendio Platform, merchants can source products from’s trusted supplier network and sell through channels such as eBay, Amazon, and their own Vendio-supported store. This platform is offered on Software as a Service (SaaS) cloud-computing model to help businesses increase their sales while managing costs to enhance their profit margin.
Through this acquisition, gains access to more than 80,000 targeted small businesses in the U.S. with potential sourcing needs from suppliers on’s sourcing platform and AliExpress (, a wholesale transaction platform operated by In addition, the acquisition will provide access to e-commerce storefronts and multi-channel selling services for AliExpress customers looking to reach consumers online through the Vendio Platform. AliExpress and Vendio customers are able to source efficiently from the 5 million+ products available on AliExpress and then sell goods through Vendio on the retail marketplaces of their choice around the world.
With the acquisition, will connect AliExpress directly with Vendio through back-end integration, creating an AliExpress tab within the Vendio Platform. This integration allows Vendio users to easily access a private sourcing experience within their Vendio inventory and sales management interfaces. Exclusive guarantees, promotions and special deals on AliExpress wholesale products will also be available to Vendio users.
AliExpress complements Vendio by strengthening the first step in the business cycle for small businesses: how to locate products for sale. According to a recent survey, more than 80 percent of Vendio customers have never used online supplier services and nearly 90 percent have never tried to take advantage of import-export. This integration creates an opportunity for Vendio customers to expand their supply chain and lower their cost through instant, free access to the more than 1.4 million supplier storefronts on and AliExpress. Now and Vendio members have access to complete e-commerce solutions to meet their sourcing, buying and selling needs through an integrated set of tools and features.
“At, our goal is to make it easier for our customers around the world to do business by providing solutions that increase margins, productivity and competitiveness through e-commerce,” said David Wei, chief executive officer of “We continue to look for synergies and investment opportunities to grow our customer base, acquire additional technology and add new applications that will help our customer base grow and prosper. Vendio is our first acquisition in the U.S. and we are open for more partnership opportunities. The connection of Vendio with will completely integrate the e-commerce value chain between the B2B and B2C platforms, fully realizing the B2B2C model. I am confident that our complementary businesses will create enhanced opportunities for our customers.”
“We identify with’s vision of creating a seamless global e-commerce experience for business owners,” said Mike Effle, COO of Vendio. “We are particularly impressed by's deep commitment to creating immense value for small businesses. Efficiently integrating’s extensive supplier base will allow Vendio’s merchants to earn higher profit margins while providing unique and competitively priced products from around the world to their customers. The increased efficiency and product breadth will yield additional positive effects for the marketplaces we support and throughout the entire e-commerce ecosystem.”
The acquisition is part of the US$100 million investment plan for AliExpress that announced in April 2010. It is expected to close in July 2010. After the closing, Vendio will become a new business unit within and will retain its own brand name and operations. Mike Effle, current Vendio COO, will assume the role of the Vendio CEO and Rodrigo Sales, current Vendio CEO, will become a strategic advisor to the company.
Rothschild was the financial adviser to for this transaction and Pacific Crest Securities was the adviser to Vendio for this transaction. Financial terms were not disclosed.
About Limited (HKSE:1688) (1688.HK) is the global leader in e-commerce for small businesses and the flagship company of Alibaba Group. Founded in 1999 in Hangzhou, China, makes it easy for millions of buyers and suppliers around the world to do business online through three marketplaces: a global trade platform ( for importers and exporters; a Chinese platform ( for domestic trade in China; and, through an associated company, a Japanese platform ( facilitating trade to and from Japan. In addition, offers a wholesale platform on the global site ( geared for smaller buyers seeking fast shipment of small quantities of goods. Together, these marketplaces form a community of more than 50 million registered users in more than 240 countries and regions. also offers business management software and Internet infrastructure services targeting businesses across China, and provides educational services to incubate enterprise management and e-commerce professionals. has offices in more than 60 cities across Greater China, Japan, Korea, Europe and the United States.
About Vendio
Founded in 1999, Vendio Services, Inc. ( helps small- to medium-sized merchants (SMM's) succeed by offering them an integrated solution to manage their sales seamlessly and cost-effectively across multiple online sales channels including their online store,, eBay, Google, Shopzilla, and more. Each year over 80,000 merchants use Vendio’s award winning multi-channel platform and applications to sell nearly $2 billion in merchandise. The company also operates Dealio (, a shopping and coupons site for consumers. Vendio is headquartered in San Mateo, California with a development office in Romania.


For media inquiries:

Andrea Meyer, +408-748-1200 ext. 221

Linda Kozlowski, +852 9028 5150


For investor inquiries:

Lindy Lau, +852 2215 5215

Hackers, Fraudsters and Botnets: Tackling the Problem of CyberCrime

The Australian Government Standing Committee on Communications has released the results of a year-long enquiry into cybercrime in a report titled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime. Here's an overview:


On Monday 21 June 2010, the Standing Committee on Communications tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.


This report is comprised of preliminary pages, 11 chapters, 2 supplementary remarks and 5 appendices.

Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime

  • Preliminary pages: Contents, Foreword, Committee Membership, Terms of Reference, List of Abbreviations and List of Recommendations

  • Chapter 2: Nature, Prevalence and Economic Impact of Cyber Crime

  • Chapter 3: Research and Data Collection

  • Chapter 4: Community Awareness and Vulnerability

  • Chapter 5: Domestic and International Coordination

  • Chapter 6: Criminal and Law Enforcement Framework

  • Chapter 7: Protecting the Integrity of the Internet

  • Chapter 8: Consumer Protection

  • Chapter 9: Privacy Measures to Combat Cyber Crime

  • Chapter 10: Community Awareness and Education Initiatives

  • Chapter 11: Emerging Technical Measures to Combat Cyber Crime

  • Appendix D: Commonwealth Computer Offences

  • Appendix E: Proposed Commonwealth Identity Fraud Offences

Hacker Shows CBC How to Crack a "Contactless" MasterCard

RFID smart cards

New credit cards pose security problem

Hacker shows CBC how to crack 'contactless' MasterCard

By Zach Dubinsky, CBC News

All new MasterCards in Canada, as well as Visa cards from two of the big banks, supply cardholder info over radio waves.
Most newly issued credit cards pose major fraud and privacy concerns because of how they're designed to be scanned through the air, some cyber-security experts warn.
"Contactless" MasterCards and Visa cards have been available in Canada for several years, but they've only recently reached the bulk of consumers as the country's biggest banks adopt them.
The credit cards have an embedded computer chip called a radio frequency identification, or RFID, tag. When waved near a payment terminal in a store, the chip supplies the card's number and expiry date through radio waves, avoiding the need to swipe or insert the card or have a cashier handle it.

And that's the first problem, U.S. cyber-security expert Pablos Holman says. Anyone can buy an RFID credit card reader online, where second-hand units sometimes sell for under $10, and start scanning cards in public — without cardholders knowing.

"It's not encrypted, which is not what we were expecting," said Holman, who has gone on U.S. TV newscasts to demonstrate the security gap. "It's really easy to read. … Now you can get a generic RFID reader and use open-source programs available on the web and read cards."
RFID credit cards have been in Canada since 2006, when MasterCard started aggressively pushing its PayPass cards. Today, about 90 per cent of MasterCards in the country are RFID-enabled and the company aims for 100 per cent by the end of the year, said Scott Lapstra, vice-president of market development for MasterCard Canada.

Visa has been slower to market such "proximity cards" under its own brand, payWave.
Royal Bank decided only this year to make all its Visas payWave-enabled and all newly issued TD Visa cards have the feature. But most Visa cards in Canada, including those from CIBC and Scotiabank, don't have RFID.

Both credit-card companies limit contactless purchases to $50 each and have pushed to have reader terminals installed mainly in high-volume, low-price businesses like big-chain coffee shops, fast-food outlets, gas stations and grocery stores.

The benefit for customers, the card companies say, is faster, more convenient shopping and less fumbling for cash. Merchants, on the other hand, can cut down on lineups and boost their average sale value.

"A person who uses PayPass spends about 25 per cent more on their card on a monthly basis," MasterCard's Lapstra said. "We launched this product to … have our cards be used more."

Fraud risk

Lapstra and other financial executives insist the system is safe.
The PayPass website vaunts the card's "secure encryption technology" and says the card "never leaves your hand to make a payment," making it difficult for someone to copy it clandestinely. Visa's site boasts it's "one of the most secure payment solutions available today," while TD Canada Trust promises "payment details are securely transmitted."

"It's encrypted information that is specific to that one transaction. It is not your card number, it is not your PIN and it certainly is not going out into the open," said Anne Koski, head of payment innovations at Royal Bank's cards division. "It's encrypted information."
Information stolen from an early-generation RFID credit card can be encoded onto a traditional magnetic-stripe card and used to make counterfeit purchases, a security expert says.

(Canadian Press)

Not so, says 3ric Johanson, an IT security expert from Seattle who gave CBC News an in-person demonstration of how to hack a MasterCard from President's Choice Financial. (Johanson had his first name legally changed from Eric.)

Using his laptop, a PayPass reader and some software, Johanson, sitting in the lobby of a downtown Toronto hotel, extracted a credit card's number and expiry date, using his own reader at close range. Earlier in his trip, he had pulled off a similar feat in front of a stunned audience at a security conference, using a random audience member's RFID credit card.

"When you go to read a card, you just take a reader and say, 'Give me your card number,' and it will do that," Johanson said.
"It's still very much transmitted over the air by the RFID interface. There's no message for the card to authenticate the reader it's about to talk to — it will talk to anyone."
Shirley Matthews, head of chip platforms at Visa Canada, acknowledged that payWave credit cards do not disguise the card number and expiry date when they send that data over the air to a card reader.

"We don't typically encrypt that," Matthews said.

The MasterCards in Johanson's demonstrations were of a later model and didn't cough up their cardholders' names. But most first-generation RFID credit cards, like the ones that Holman demonstrated on TV, will do so, and many are still in circulation, raising serious privacy concerns — in addition to fraud risks.

Credit-card company and bank executives played down these concerns, saying the cards can only be scanned from close range, even requiring physical contact with a reader sometimes.

"Typically, my experience has been you actually have to touch the card to the reader," Koski said.
Lapstra added: "The cards are actually powered from the reader and they have to be within four centimetres of that reader."

But that only means you need to boost the power of the reader to scan the cards from a greater distance, according to the security experts who spoke to CBC News.

Johanson said it's possible to use an RFID "gate antenna" — two electronic readers spanning a doorway, similar to the anti-theft gates in retail stores — to scan the credit cards of people passing through.

With enough high-powered gates installed at key doorways in a city or across the country, someone could collect comprehensive information on people's movements, buying habits and social patterns.

"These days you can buy a $500 antenna to mount in doorways that can read every card that goes through it," Johanson said.

Several hacks possible

The newest generation of RFID credit cards transmit an encrypted, one-time security code alongside the card number and expiry date to authenticate each transaction, as Koski alluded to.

But Johanson said it's possible to circumvent that system by deploying what's called a replay attack: A fraudster scans the RFID card dozens of times in a public place in a matter of seconds, without the cardholder knowing, and captures the security codes that the card transmits. A cloned card is then programmed to "replay" those codes at a store's payment terminal.

The credit-card company would only catch on to the fraud when the real cardholder tried to make a subsequent payWave or PayPass purchase with a security code that had already been used by the scammer.

Several other kinds of information hacks are possible, Johanson said:

  • With a first-generation RFID credit card, a fraudster can secretly scan the card's number (including a security code called CVV1) and expiry date, then program a traditional magnetic-stripe Visa or MasterCard with that information. Even without the cardholder's name, the fraudulent, cloned card could be used in many retail locations.

  • Someone could scan RFID credit cards in the mail while they're being sent to cardholders. Issuing banks have typically disregarded privacy and security concerns and refused to use magnetically shielded envelopes for mailing payWave- and PayPass-enabled cards. The advantage of this hack is that a scammer would get the person's mailing address as well, a crucial piece of info for most online purchases.

  • A company could use the workplace's card-access doorways to scan employees' credit cards and compile information on their finances and lifestyle. For example, any credit card number beginning with "5192" is a U.S.-dollar MasterCard from Bank of Montreal — and an employee who started coming to work with one in his pocket one day, then went on a three-week "sick leave" the next, might raise a red flag.

Visa, MasterCard and their issuing banks stress that credit-card security is a multi-layered apparatus, relying on much more than just the integrity of card information. One factor is the effort required to pull off a swindle.

"Particularly when it comes to contactless, these are small-ticket transactions," Koski said. "I mean, what are you gonna do, take $50 worth of free coffee?"
"Where we see fraud in the credit-card industry in general is areas where it's a stolen card and highly fence-able goods, so electronics and things they can turn into cash," Lapstra added.
"PayPass is focused on lower-dollar value, high throughput: fast foods and coffees and those kinds of things. … We are not aware of or have any evidence that PayPass cards are able to be compromised."

Johanson said it's only a matter of time, though, before sophisticated criminals who have proven adept at wide-scale debit-card fraud turn their attention to RFID credit cards.

"As with most things, what's probably going to happen is they're going to wait for a high degree of market adoption before it gets interesting to attackers."

He pointed to the example of the chip and PIN system, which Visa, MasterCard and their competitors began implementing in the early 2000s. Each credit card has a microchip in it, which works with a corresponding personal identification number, or PIN, entered by the cardholder to authenticate each purchase.

As chip-and-PIN cards become the norm, researchers at Cambridge University in Britain reported in a paper last month that the system is "broken." In a demonstration on BBC News, computer scientists fooled journalists' credit cards into making purchases without the valid PIN.
Such frauds are a bane to consumers, the researchers say, because to the banks it appears as though the correct PIN was used and it wasn't theft. Several British cardholders reporting counterfeit transactions on their accounts have had their claims rejected by their bank and been stuck with the bill.

Security expert Holman said the credit-card companies had a tremendous opportunity with the rollout of RFID, chips and PINs — the sector's biggest overhaul since "magstripe" cards were implemented in the early '80s — to implement a robust, safe payment system.

"What people don't understand is the credit-card industry isn't trying to make cards secure," Holman said. "They just have a risk-management problem where they try to control the amount of fraud on their system."

Anatomy of a hack

Attack of the clone

  • Encode stolen info onto a magstripe card

  • Only works with data pilfered from an early-generation RFID card, and only at certain merchants

  • No $50 limit on transaction

Replay that again scam

  • Program a fake card to play back transaction-specific authentication codes scanned from a real card

  • $50 limit

  • Stops working as soon as real cardholder uses their card again

Tangled web

  • Use intercepted credit-card info to buy things on the internet

  • Only works for sites with minimal online-purchase security, otherwise would need data like billing address


Hundreds of Thousands Lost from Credit Card Numbers Stolen from Driskill Hotel in Austin, TX

Credit Card Numbers Stolen from Driskill Hotel Guests

The credit card numbers of dozens of recent guests at the downtown Driskill Hotel were stolen after thieves hacked into the accounting network for the hotel’s management company, officials said.
Austin police said they are still trying to determine the exact number of local victims, but that up to 700 people who stayed at about three dozen properties managed by Destination Hotels & Resorts nationally may have been affected.
Austin police are investigating the local thefts; agents for the U.S. Secret Service are investigating who accessed the accounting system for the company, based in Englewood, Colo.
“We are looking at losses in the hundreds of thousands, so it is pretty serious,” said Austin police Sgt. Matt Greer, who supervises the department’s financial crimes unit. “Usually, the losses are with the bank.” 

BNZ Patents "Liquid Encryption Number" for ATM Magstripe Use

In an article entitled "Bright Idea Cuts ATM Fraud," the New Zealand Herald reports that Bank of New Zealand has patented an invention created by Michael Turner, one of its employees. Mr. Turner's system is known as the "liquid encryption number," which the bank revealed yesterday it has patented and hopes to sell internationally.

According to Finextra, "the system has helped BNZ cut the number of fraudulent transactions from cloned cards by 50%, prompting its Australian parent to take it up."

The "liquid encryption number" dynamically rewrites a card's magstripe data after each usage...

* Liquid encryption number technology means that the data - a series of numbers - stored on a card keeps changing.
* The data on a card's strip is rewritten each time the card is placed in an ATM.
* By the time criminals try to use the card, its data will have changed so it cannot be used in fraudulent transactions.
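
A minimal issuer-side model of the rewrite-on-every-use idea in the three points above, added here as an illustration; it is not BNZ's implementation, and the class names, the random value generation and the test card number are assumptions. It also shows the detection point the CBC article describes for replayed one-time codes: a stale value only surfaces when the other copy of the card is next presented.

```python
"""Rolling magstripe value checked by the issuer host (added example)."""
import hmac
import secrets
from dataclasses import dataclass, replace

TEST_PAN = "4000000000000002"  # constructed test value, not a real card


@dataclass
class Card:
    pan: str      # card number
    rolling: str  # the changing number stored on the stripe


class IssuerHost:
    """Hypothetical host that remembers one current rolling value per card."""

    def __init__(self):
        self._current = {}  # pan -> value the next ATM read must present
        self.alerts = []    # (pan, reason) records for fraud follow-up

    def issue(self, pan):
        value = secrets.token_hex(8)
        self._current[pan] = value
        return Card(pan, value)

    def atm_session(self, card):
        """Verify the stripe value, then rotate it on host and card together."""
        expected = self._current.get(card.pan)
        if expected is None or not hmac.compare_digest(expected, card.rolling):
            # Stale value: some copy of this card was used since this
            # stripe was last written. Decline and flag the account.
            self.alerts.append((card.pan, "stale or unknown rolling value"))
            return False
        fresh = secrets.token_hex(8)
        self._current[card.pan] = fresh
        card.rolling = fresh  # the ATM rewrites the stripe before ejecting
        return True


def copy_stripe(card):
    """Model a skimmed copy: identical stripe data at the moment of capture."""
    return replace(card)


def genuine_used_first():
    """The cardholder uses the ATM before the copy is presented."""
    host = IssuerHost()
    card = host.issue(TEST_PAN)
    copied = copy_stripe(card)
    genuine_ok = host.atm_session(card)   # accepted, value rotates
    copy_ok = host.atm_session(copied)    # copy now holds a stale value
    return genuine_ok, copy_ok, len(host.alerts)


def copy_used_first():
    """The copy is presented first: accepted once, then the genuine card
    is declined, which is the signal that tells the bank about the copy."""
    host = IssuerHost()
    card = host.issue(TEST_PAN)
    copied = copy_stripe(card)
    copy_ok = host.atm_session(copied)
    genuine_ok = host.atm_session(card)
    return copy_ok, genuine_ok, len(host.alerts)


def repeated_genuine_use(times=3):
    """Normal use keeps working because card and host rotate in step."""
    host = IssuerHost()
    card = host.issue(TEST_PAN)
    return all(host.atm_session(card) for _ in range(times))


if __name__ == "__main__":
    print("genuine first:", genuine_used_first())
    print("copy first:   ", copy_used_first())
    print("repeat use:   ", repeated_genuine_use())
```

The second scenario is the one to plan monitoring around: a decline of the genuine card with a stale value should be treated as a fraud alert on the account, not as a routine read error.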
