Tuesday, April 7, 2009

HomeATM in the News

Click the Graphic on the Left
to Read About HomeATM in the latest edition of ATM&Debit News


HomeATM's PCI 2.0 PED Certification Provides the following benefits:

Card Present Rates in a Card Not Present World!

"TRUE" PIN Debit Interchange Rates!

Dual Authentication!

15 Times More Convenient than Typing in 14-16 Card Number Digits, Expiration Dates and CVV Codes!

Effectively Removes Internet Retailers from the Scope of PCI DSS Potentially Saving Them 100's of Thousands of Dollars!  (Same with Financial Institutions, only they could save million$)

End to End Encryption | Triple DES | DUKPT Key Management | Security

Exponentially Advanced Log-In, Authentication Platform for Online Banking!












Home(r)ATM Would Eliminate Cloning Altogether!


In this ISR News post, it is reported that Credit Card Cloners Stole 3.5 million.

In a nutshell, that's 3.5 Million reasons for using HomeATM's SafeTPIN device.   Without the PIN, a cloned card would be useless.  So would DNS hijacking (redirecting you to a cloned website).  No username/password, instead Swipe your Card, Enter your PIN.  They wouldn't receive the data...unlike the username/password, which they would receive.

In fact, cloning wouldn't be an "issue" (pun intended) at all, if online merchants employed the HomeATM True PIN Debit solution. 

Come to think of it neither would the over exorbitant "Card Not Present" rates...oh...and an end-to-end encryption methodology is certainly an added benefit.  Don't let me forget convenience.  If I can swipe my card 14-16 times faster than entering 14-16 digits from my credit or debit card, then I consider it to be 14-16 times more convenient.  You?  And yes, we do credit...and yes...it would be at "card present" credit card rates.  Any questions?

ISR News: Credit Card Cloners Steal £3.5m
April 7, 2009 by ADMIN



Excerpts From Finextra.com

A gang of five fraudsters who ran a global credit card cloning ring out of a London flat stole £3.5 million in just a few days, a court heard yesterday.

Prosecutor Ben Fitzgerald told Southwark crown court that police found fake cards and counterfeiting technology in the London flat.

The accused allegedly went on a spree between 28 September and 8 October last year as Barclaycard migrated cardholders from the Goldfish credit card business it acquired from Discover Financial Services earlier in the year.

Computer software found in the flat was used to make fake cards before the gang stole £3.5 million, with £645,000 spent on the cards in Britain alone, the court heard.

Khi-San Voong, 46, Qiu Yeu, 46, Qiang Xue, 34, and Dauy Chung, 40, all of Walworth, deny conspiracy to defraud. Cai Caixa, 27, pleaded guilty.

The trial continues
...











I Have a Present For You! And a Card!

Card Present vs. Card Not Present

Before you accuse me of luring you to this post with the promise of a "present" and a "card" simply fill out the poll on the right and send me your email and shipping address. You'll get your "card present" enabling SAFETPIN device for free. Take a look at the right sidebar or above for more details.

A recent post by Ed Kountz at the Forrester Blog made me realize that one of the biggest impacts of utilizing a hardware vs. software device is simply this: Interchange.

HomeATM is the only company in the world which can provide e-tailers with a PCI 2.0 PED and thus "card present" TRUE PIN Debit rates. Why do I say true? Because our transactions are conducted in the same manner as a traditional retail location.

In addition, because our device is "ALREADY" PCI 2.0 PED certified, and employs DUKPT key management, we would effectively remove e-tailers from the scope of PCI DSS as no cardholder data is transmitted during the transaction.


Once the consumer has our low cost device, they become a "card present" buyer. They swipe their card, they enter their PIN and therefore the e-merchant benefits not only from dual-authentication, but also from significantly lower interchange fees.

Example:

$200 order at Amazon. Card Not Present Rate: 2% + .25 cents = $4.25
$200 order at Amazon Card Present/ PIN Authenticated: = .75 cents. Savings = $3.50 (In this example an 88% savings!)

Now, add security (PCI 2.0 PED), add convenience (isn't swiping the card 14 to 16 times faster than typing in your 14-16 digit card number?), deduct chargebacks, add familiarity (don't you swipe your card in the store?) and our SafeTPIN is a compelling value proposition.

On the flip side, a software based PIN Debit application would still be a "card not present" transaction. The CNP PIN rate doesn't exist, but the EFT networks could create one. Of course, it will be exorbitantly higher than a Card Present PIN transaction. Remember when transactions were done with the device pictured on the left? Well unlike that device, HomeATM's SAFETPIN is built for the long run...and provides safer, more secure and thus lower rates.

So at the end of the day, our device (which is also EMV ready) is built with both the consumers, banks and merchants in mind. A software application is built with only the EFT Switches in mind. So it's no wonder the EFT switches are backing it. It's like Microsoft paying people to use Live Search with their Cashback program. The EFT switches are getting paid to push a software application. But what will be the public's uptake? And where's the benefit to the merchants? A tiny savings on Interchange...in exchange for a higher risk of liability in the instance of a breach? It's all interesting. I would think that the merchants would want a bigger savings and less risk, which is what HomeATM's PCI 2.0 PED provides. Wouldn't you? We'll see...

Here's the article showing the pent up frustration with Interchange Fees from the NRF, the NGA and NACCS. (The Big 3) They are all bricks and mortar organizations and are still throwing a fit about Interchange Rates. When will the Internet Retailer 500 band together and start demanding that they at least be afforded the opportunity to enjoy the rates the "Big 3" are unhappy with?





Transacting Value: The Impact of Credit Industry Challenges on Card Marketing
Ed Kountz - April 6th 2009

Early on in this blog, I predicted that 2009 would see an increase in the number and stridency of calls for reforms to the U.S. credit card market, particularly in terms of types and amounts of acceptable fees. The Federal Reserve’s December 2008 card industry changes certainly made clear that this was happening. But now, the long-simmering brew appears to be spreading.

Two recent events serve to validate the premise:


--The National Retail Federation (NRF), the National Grocers Association (NGA) NACCS Angle Against Interchange. Recently, the NRF, NGA and NACCS -- together, the big three of retail associations -- recently held what their release billed as a “telephonic press conference” announcing the creation of “unfaircreditcardfees.com,” as well as an associated public interest campaign, to encourage consumers to press legislators for reforms to the “unfair and hidden credit card fees called “interchange””. This approach muddles the issue, in my opinion, as it uses language that ties the interchange dispute to consumers’ raw emotions at the account-fee issue, without identifying the (basic but relevant) differences in those topics. Whatever the ultimate impact, the directness of the appeal is impossible to miss.

--Senate Banking Committee Approves Card Reforms. On March 31, the Senate Banking Committee gave one-vote approval to measures designed to rein in certain credit card industry practices. The bill would include most of the Federal Reserve Rule changes passed in December, such as bans to universal default and double cycle billing, but would add fee restrictions and protections for borrowers under 21. Bill sponsor Chris Dodd said he was going to work over the recess to garner “broad support” for the effort.

As recent delinquency trends suggest, economic conditions continue to impact credit card usage and growth at a macro level. But increased scrutiny of long-held credit card industry practices will add additional pressure to an industry already feeling the strains.

Continue Reading at the Forrester Blog for eBusiness & Channel Strategy Professionals









ID Cards Could Be Fitted with Chip and PIN Technology to Combat Fraud

The Press Association: ID cards 'could use chip and pin'
ID cards could be fitted with chip and pin technology to help combat identity fraud. The head of the Government agency tasked with producing the cards said there were no "technical obstacles" to adding chips to the cards and handing out pin numbers. James Hall, chief executive of the Identity and Passport Service said adding chips might allow the cards to be used in ATM machines in the future.

Officials are also looking at chip and pin as a possible way to help combat online fraud and help protect internet shoppers.

It also emerged the Home Office has issued half as many ID cards for foreign nationals in the first four months than expected.

When the card was launched in late November ministers predicted that between 40,000 and 50,000 non-EU nationals would have cards by the end of last month. But by the end of last week 22,500 cards had been issued. Mr Hall said they had encountered "the odd wrinkle" in the system but overall it had worked "pretty well".

A spokesman for the UK Border Agency (UKBA) said 42,000 foreign nationals had been through the enrollment process and had their biometric details taken. Mr Hall said he was looking at how ID card holders could "assert their identities" online when the card is rolled out.

He said: "One of the reasons for the format of the card is we have the opportunity to put it in to card readers and potentially use it in existing networks such as the ATM network.

One of the issues on the table is whether we should introduce chip and pin technology in to the card. There are no technical reasons why we couldn't do that."

Editor's Note: In fact, HomeATM's SAFETPIN is EMV ready (smart card, chip ready). Which brings up a question. How would a software PIN Debit application work in an EMV environment? If you know, comment below...lol!



SizzleMoney Offers Mobile Banking to Immigrants

I blogged about SizzleMoney about a week ago, but here's an excerpt from a good article in this morning's American Banker...

Prepaid Account Offers Mobile Banking Service to Immigrants

By Will Hernandez
American Banker | Tuesday, April 7, 2009

Denarii Payments Inc. of Atlanta has developed a mobile phone-linked prepaid product called SizzleMoney that is initially targeting Hispanic immigrants.

People can use the product to send one another money by text message, access funds in their SizzleMoney accounts with a prepaid debit card and make purchases at the point of sale with their phones.

"It's basically mobile cash," said Donald Baggett, Denarii's founder and chief executive officer.

Denarii said SizzleMoney will appeal to immigrants, who often use their mobile phones as their primary method of communication.

The SizzleMoney account features debit cards bearing the logos of the Maestro, Pulse, Star and Cirrus debit networks. The cards can be used to make PIN debit purchases and to make withdrawals at automated teller machines. Customers can upgrade to MasterCard Inc.-branded debit cards.

Central National Bank of Enid, Okla., issues the cards and its Interactive Transaction Services subsidiary processes the transactions.

Continue Reading at American Banker


Will Hernandez is the associate editor of ATM&Debit News.



NACHA - 18.2 Billion ACH Payments in 2008

ACH Transaction Volume up by 1.2 Billion Payments - Despite Economic and Industry Pressures
Consumer ACH Bill Payments Made via Internet near $1 Trillion

Orlando Florida: PIN Payments News: The number of ACH payments in 2008 topped 18.2 billion, representing an increase of 1.2 billion over 2007, according to statistics released today by NACHA - The Electronic Payments Association at its PAYMENTS 2009 conference.

"Consumers, businesses, and government are continuing to embrace the safe, smart, and green attributes of ACH payments and choosing electronic over paper," said Janet O. Estep, NACHA president and chief executive officer. "Despite the overall economy slowing in 2008, the ACH Network continues to see positive growth."

The portion of ACH payment volume passing through the ACH Operators grew in 2008 to nearly 15 billion transactions. The number of ACH Network transactions in 2008 was 14,960,689,587, which is 7.1 percent more than 2007. The dollar value of these payments was $29.96 trillion, an increase of 4 percent over 2007.

Internet Payments

Internet-initiated ACH debits (WEB) experienced robust growth in 2008, increasing by 19.7 percent to almost 2.1 billion payments. When combined with consumer-initiated credit payments (CIE), the dollar value of consumer ACH payments made via the Internet is nearing $1 trillion annually ($939 billion in 2008).

Business-to-Business (B2B) Payments/Financial EDI

More than 1 billion EDI-formatted addenda records were transmitted across the ACH Network in 2008, a 14.6 percent increase over 2007. Businesses use EDI-formatted addenda records to send and receive invoice- and other payment-related information. The volume of CTX payments, which can carry up to 9,999 addenda records, increased by 16.1 percent, and the number of CCD payments carrying an addenda record increased by 17.9 percent.

Back Office Conversion (BOC)

In its first full year of availability, the newest e-check transaction - BOC - grew by 1,772 percent in 2008 to a total of 78,460,461 payments. This volume is comparable to the original Point-of-Purchase (POP) check conversion application when accounting for the significant decline in consumer check-writing over the past eight years. At the same time period after its introduction, the annualized volume of POP transactions was 101 million; however, consumer check-writing has been declining during this time period by about 4 percent per year.

Federal Government Payments

The Federal government used the ACH Network for more than 30 million Direct Deposits as part of 2008's economic stimulus package. This contributed to an overall growth of Federal government ACH payments of 10.2 percent, to 1,145,895,074 payments in 2008. According to the Financial Management Service, the Federal government saves $0.925 for every Direct Deposit that replaces a check payment. With over 1 billion Direct Deposits, the Federal government saved at least $925 million in 2008 by using the ACH Network.

Network Risk and Quality Indicators

The most significant ACH Network risk and quality indicators improved moderately in 2008. Overall, the rate at which ACH debits are returned as unauthorized declined slightly from 0.041 percent to 0.040 percent, and there were no SEC codes that had a significant increase in its unauthorized rate.

NACHA -- The Electronic Payments Association

NACHA -- The Electronic Payments Association is a not-for-profit association that oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system. More than 15,000 depository financial institutions originated and received 18.2 billion ACH payments in 2008. NACHA is responsible for the administration, development, and enforcement of the NACHA Operating Rules and sound risk management practices for the ACH Network. Through its industry councils and forums, NACHA brings together hundreds of payments system stakeholder organizations to encourage the efficient utilization of the ACH Network and develop new ways to use the Network to benefit its diverse set of participants. NACHA represents nearly 11,000 financial institutions through direct membership and 19 regional payments associations. NACHA and its members provide education, tools, and resources to increase the adoption of ACH payments to benefit businesses, consumers, and governments. To learn more, visit www.nacha.org and www.electronicpayments.org.

SOURCE: NACHA








Online Banking in Ireland Soars

Source: Finextra
Complete item: http://www.finextra.com/fullstory.asp?id=19891

Description:

The popularity of online banking in Ireland has soared over the last year, with 2.2 million customers now registered, a 28% increase on the previous year. According to data gathered from financial institutions by the Irish Banking Federation (IBF) and Irish Payment Services Organisation (Ipso), 2.2 million customers were registered for online banking by the end of 2008, up 27.8% on the 1.8 million recorded at the end of 2007. Ireland has a population of around 4.4 million.

In addition, there was a 31.6% rise in the number of Internet payments to 30.7 million - equivalent to 84,000 per day. A 33.6% increase, to 123 million, was also recorded in the number of times customers accessed their account balances online.

Pat Farrell, CEO, IBF, says: "We can see from the data compiled to date that online banking is on a significant growth path in Ireland. Comparative figures for 2007 show that the average user here made 14% more online payments and 20% more online enquiries than his/her UK counterpart. However, in a leading online adopter like Norway the average customer made around three times more payments online - indicating that there is considerable scope for further growth."

Una Dillon, head, card services and communications, Ipso, adds: "Online banking is facilitating the migration from cheques and other paper-based payment methods to electronic payments. The move to electronic payments is vital in ensuring Ireland's competitiveness and efficiency within the wider European market."


Link2Gov for Professional Crastination



Link2Gov: A Procrastinating Federal Taxpayer’s Best Friend

Federal balance-due tax payments accepted at PAY1040.com, BML.PAY1040.com and businesstaxpayment.com

MILWAUKEE--(BUSINESS WIRE)--Link2Gov Corp., a Metavante (NYSE:MV) company and IRS-authorized payment processor since 2003, today is reminding individuals and businesses of their secure, convenient and reliable electronic payment options for settling-up with Uncle Sam before midnight on April 15 — the federal tax deadline. Taxpayers can beat the clock with an electronic payment initiated at any of Link2Gov’s payment portals: www.PAY1040.com, 1-888-PAY-1040 and www.businesstaxpayment.com. Taxpayers with questions about the payment services can reach Link2Gov customer service agents at 1-866-658-5465.

Federal balance-due tax payments initiated through Link2Gov payment services¹ are authorized in real-time, with the IRS-recognized payment date being the same date the transaction is successfully completed. Taxpayers receive a transaction confirmation number as an assurance they have completed the payment process. PAY1040.com and businesstaxpayment.com accept American Express®, Discover®, MasterCard®, and Visa® credit and debit cards, as well as debit transactions from cards participating in the NYCE®, PULSE® and STAR® payments networks. New for Tax Season 2009, Link2Gov also accepts Bill Me Later payments at BML.PAY1040.com.

“The key attributes of our federal tax payment programs — speed, convenience and knowing an IRS bill has been instantly paid — become increasingly vital as the deadline closes in on taxpayers,” said Frank D’Angelo, group president, Metavante Payment Solutions, which includes Link2Gov. “Taxpayers choosing Link2Gov services receive peace of mind, and depending on their issuing bank’s card program, the opportunity to earn rewards as well.”

About Metavante

Metavante Technologies, Inc. (NYSE:MV) is the parent company of Metavante Corporation. Metavante Corporation delivers banking and payments technologies to approximately 8,000 financial services firms and businesses worldwide. Metavante products and services drive account processing for deposit, loan and trust systems, image-based and conventional check processing, electronic funds transfer, consumer healthcare payments, electronic presentment and payment, outsourcing, and payment network solutions including the NYCE Network, a leading ATM/PIN debit network. Metavante (www.metavante.com) is headquartered in Milwaukee.

¹ Link2Gov collects a convenience fee for PAY1040.com, businesstaxpayment.com and BML.PAY1040.com services.

Metavante, NYCE, Link2Gov and Pay1040.com are registered trademarks of Metavante Corporation, which is the principal subsidiary of Metavante Technologies, Inc.

All other trademarks are the property of their respective owners.





A Pain in the Bot!


To further illustrate how dangerous it is to use a personal computer as the conduit to financial transactions, I bring you the following article from the Associated Press, which was reprinted by "CapeCodeOnline."

And to illustrate even further...I created, well an illustration...depicting the dangers that lurk out there.  (on left)  Let's see...you've got your Zombies and Black Hats, your Snakes and Sniffers, Bots and Hackers and key-logging grifters...

What did Sanford used to tell Lizbeth? Oh yeah...Lizbit...here I come..."it's the big one!" Stay tuned. It'll happen and we'll cover it right here on the PIN Payments News Blog! Here's some stuff that ought to make you think twice before you enter your primary account number via a keyboard. Remember, Visa might cover your butt, but you still have to deal with the hassle involved, and that could take weeks, even months. It's a pain in the bot!


By JORDAN ROBERTSON
- THE ASSOCIATED PRESS

SAN FRANCISCO — Getting hacked is like having your computer turn traitor on you, spying on everything you do and shipping your secrets to identity thieves.  Victims don't see where their stolen data end up. But sometimes security researchers do, stumbling across stolen-data troves that offer a glimpse of what identity theft looks like from criminals' perspective.

Researchers from U.K.-based security firm Prevx found one such trove, a Web site used as a stash house for data from 160,000 infected computers before it was shut down this month.  The find offers a case study on just how much data criminals are stealing every day, from the utterly inconsequential to the alarmingly private.

It also shows the difficulty in shuttering criminals' ID-theft beachheads: The Web site Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.

The victims in the Prevx find are mostly everyday people handing over their passwords for Facebook and banking sites, along with their love notes and other e-mails. But more dangerous personal information is there, too, including Social Security numbers and other account information from one bank's infected computer.

Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected Web sites or heavily fortified servers. Prevx's researchers were able to infiltrate this site because it was protected with poor encryption.  (Editor's Note:  Isn't that profound.  The hackers had poor encryption...)

In that sense, the find illustrates how even sloppy crooks can vacuum up enormous amounts of information through massive "botnets" — armies of infected computers formed by spreading a computer virus that orders compromised machines to phone home for further instructions, such as sending out spam or relaying passwords.

The botnet Prevx found was only harvesting data, though Prevx said it could have been upgraded to do other things.

Ordinary Internet sessions are logged in great detail. One Southern California 22-year-old could be seen registering a domain name with GoDaddy.com, changing his Yahoo e-mail password and ordering a meal online from Pizza Hut. His credit card number, birth date, telephone number, address and passwords are now all in criminals' hands, though it's unclear what, if anything, criminals have done with the information yet.

Some victims are gold mines for sensitive data.  An infected computer at a Georgia bank exposed customer details and credentials for the bank's wire-transfer system. Bank employees were checking e-mail, looking up BMWs and Infinitis and working with customers' accounts on the same infected machine.

Government computers were also hit, including one in Texas that coughed up Web site logins for one of the government's health care providers, and another in North Carolina that revealed access to an agency's human resources system.

"This is giving criminals the keys to the castle," said Prevx's director of malware research, Jacques Erasmus. "Once they're into this system, it might not seem at this point like it's the biggest data heist ever, but this is how they get into a network. This is their game — they do this every day."

In other words, criminals start small, then use their first point of attack as a way to jump onto more sensitive computers.

Researchers who discover these stolen-data caches then have to figure out what to do with them. Notifying victims is time-consuming and difficult, and researchers tend to focus on trying to get service providers to deactivate the servers before criminals get to the data on them.

Prevx said it alerted the site's Internet provider, the FBI and U.K. authorities about the breach it discovered. The company also talked to the affected bank, Doraville, Ga.-based Metro City Bank, a community bank whose Web site lists four locations, and Prevx said the bank has removed the infected computer.

One customer — Yoon-Kee Hong, a 22-year-old college student from Suwanee, Ga. — had signed up for an account with Metro City Bank just a month before learning about the breach. He said he had not been alerted by the bank that his Social Security number and other personal details were stolen.

After being told about the breach by The Associated Press, which picked his name from the files provided by Prevx, the student said he planned to cancel his account.

"I cannot trust them any more," he said. "They're not doing what they're supposed to do. They didn't even notify me. It's like they're trying to hide it from their customers."

He later relented and decided to stay with the bank after he was offered a new account and promises of fraud alerts.

The bank said in a statement that it is notifying customers and is investigating the breach, refusing to comment further. State officials in North Carolina and Texas didn't return calls on the breaches there. The FBI didn't return a call about the breaches.

Such finds are becoming more common as the barrier lowers for crooks to jump into the online identity-theft racket. Top-of-the-line viruses, also known as Trojans, can be had for under $1,000.

Joe Stewart, a SecureWorks Inc. botnet expert who was not involved in Prevx's research, said that last year, he helped shut down a command-and-control server for a huge botnet that had infected more than 378,000 machines and had stolen more than 460,000 usernames and passwords.

There are countless other smaller botnets, set up by less sophisticated criminals who steal as much data as they can and simply pull up stakes, and do it all over again, once their operation has been detected.

"The level of amateurness speaks to how widespread it is," Stewart said. "Literally anybody with a little bit of computer knowledge at all, if they have the criminal bent, can get access to one of these Trojans and get it out there and start stealing people's data."


Monday, April 6, 2009

House Questions Visa, Visa Questions Heartland, Heartland Has No Answers Yet

Heartland Data Breach: Visa Questions Processor's PCI Compliance

Visa Executive: "We've Never Seen Anyone Who Was Breached That Was PCI Compliant"


Despite the Heartland Payment Systems (HPY) data breach and other noted compromises, Visa staunchly supports the Payment Card Industry Data Security Standard (PCI DSS). 

This is the message from Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, who in an exclusive interview hammers home the credit card company's support for the security standard - and suggests that, contrary to Heartland's own statements, the payment processor may not have been PCI compliant when it was breached sometime in 2008.

"We've never seen anyone who was breached that was PCI compliant," Phillips says without specifically naming - or excluding -- Heartland. "The breaches that we have seen have involved a key area of non-compliance."

Editor's Note: Meanwhile the House is blaming V/MC...see next post and Heartland's stock (see chart below) continues its free fall. (Well maybe not a "free" fall...it's costing shareholders some major kahunas. And they're so UN-HPY...they're suing...)


Interviewed during last week's Visa Security Summit in Washington, D.C., Phillips acknowledges Heartland and other recent breaches, but uses them as an opportunity to support the PCI standard. "Let's remember we've had some bad breaches, but if we had not had PCI DSS, it would have been much worse," Phillips says. "As of today, I am confident that PCI DSS works."

Phillips' comments come one week after news that Visa had removed Heartland Payment Systems from its certified PCI-DSS Compliant Service Providers list.

Continue Reading at Bank Info Security







House Says Visa, MasterCard Are to Blame for Hacks



House says Visa, MasterCard are to blame for security hacks, card compromises

• 06 Apr 2009

Editor's Note:  This obviously bodes well in Heartland's decision to defend their case vigorously.  However, the first shovel of dirt may have already been thrown on Heartland's grave.  Class action lawsuits by consumers, banks and shareholders mean a ginormous legal bill for HPY. 

The fines will be a mere pittance compared to what they may have to pay out in these legal cases.  Of course, with the government saying V/MC may be to blame, HPY's strategy may be to countersue.  That might keep them alive, but they'd still be dead in the water because they'll make bitter enemies out of V/MC in a court case. 

Meanwhile, Visa is already making rumblings that Heartland may not have been in PCI compliance when the breach happened. This is shaping up to be one heck of a legal battle. We'll keep following the events as they develop. Keep your eyes tuned to the PIN Payments Blog for regular updates in this matter. - JBF

Forbes: In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, cybercriminals gained access to millions of consumers' credit card details, and those criminals have yet to be identified and punished. So in a hearing last week, the House of Representatives' Committee on Homeland Security turned its attention to the card networks, Visa and MasterCard, which are responsible for creating and enforcing the Payment Card Industry standards that failed to prevent those breaches. Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws — a potential crackdown that could require changes on the part of both retailers and financial services companies.




The Day the Mighty Case(Y Convenience over Security) Struck Out!



Wow. Americans ranked "financial security" as their top security fear!

So, to all those who continue to argue the "convenience" over "security" issue, it seems that "convenience" isn't such a good marketing ploy after all... is it? Hate to say I told you so! NOT!!! As I've stated all along, a "secure" software PIN Debit application (notice I didn't say "solution") is a Figment of the PIN-agination!

At the end of the day, perception rules, and if EFT Networks or Financial Institutions want to sell convenience over security, when financial security is Americans' biggest fear...then one might say they are barking up the wrong tree. I understand why they want software over hardware. It's more convenient! But according to this latest Unisys Security Index report, Americans aren't buying it.


So, let's review:
  • Convenience vs. Security. (Security Wins!)
  • Card Present Rates vs. Card Not Present Rates (CP rates [are] lower...and thus CP Wins over CNP.)
  • Hardware vs. Software (Software responsible for 92% of all breaches, Hardware 1%. Hardware Wins!)
So, in three pitches, it looks like, with an 0-3 count, a software application for PIN Debit STRIKES OUT! Hope this "opens" some eyes to which company has the right pitch (and which one is throwing the industry a curve, which has the screwball...and which...never mind...I'll keep the knuckle comment in my head). Batter Up!

Enjoy Opening Day!

From the Unisys Security Index:

Nearly 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud, according to the Unisys Security Index due to be released on Monday.

More than two-thirds surveyed said they are extremely or very concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.


Credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned. And 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.

More than 40 percent of respondents said they are extremely or very concerned about security related to viruses and unsolicited e-mail.

Overall, people are more worried about their financial security and less worried about national security than in previous surveys, according to the survey.

The survey of more than 1,000 respondents in the U.S. was conducted from February 20-22.


Pumping Up PIN Debit

Petroleum Equipment Forum -

VISA SAID TO EYE DELAY IN NEW PIN DEBIT RULE AT GAS PUMPS


Visa is believed to be considering postponing or at least easing some of its costly new security deadlines for dispensers.

At issue is whether the credit card company will delay requirements that marketers adopt a new encryption standard for PIN numbers on debit, known as Triple DES.

Currently, marketers must install new encryption devices by July 1, 2010 if they want to continue accepting PIN debit at the pump under Visa's new Payment Card Industry (PCI) standards.

Some refiners believe that the current credit squeeze and equipment installation backlogs could lead Visa to push back the deadline by two years, to July 1, 2012.

Alternatively, Visa may opt to ease up on enforcement of a 2010 mandate, although majors consider that option less likely.

Visa is expected to make an announcement within the next month on which path, if either, it will take. Visa did not respond to a request for comment by presstime.

"We're all waiting to hear what Visa will do," says a marketing exec with one major. "People just aren't in a position to get the money right now, even if they want to get loans to comply."

Some oil companies are trying to help marketers scare up funds to start complying with multiple new PCI requirements. Shell, for example, has launched a program that offers marketers the ability to claim up to $500 in co-op funds per site for new software, or a 1ct/gal payment spread over two years.

While majors say they would welcome any such move by Visa, some are concerned that a postponement might give marketers an excuse to procrastinate further on PCI compliance.

"Retailers must realize that there will still be other PCI rules that they'll have to follow, so they shouldn't use any postponement as an excuse to put things off for too long," says one official.

Some marketers have been toying with the idea of not accepting debit cards at the islands in order to shave their PCI costs.

The most-talked about idea involves disabling PIN debit at dispensers. That would mean that customers who use a check card that can be processed as a debit or credit card would be forced to push the "credit" button on the pump for the sale to go through. The driver using a pure debit card would not be able to pay at the pump at all, but would have to go into the store to pay for fuel.

Alternatively, some marketers wonder if it would be possible to accept PIN debit at just one dispenser, slapping a decal on the pump to warn customers that they can only use their debit card at that dispenser, as first reported (OE 03/23/09).

The National Assn. of Convenience Stores says it would welcome any move by Visa that would give c-store operators more time to make "a reasoned assessment" as to whether the costs of upgrading to the new encryption devices at dispensers are worth the investment to keep PIN debit at the island. It is "a hard decision given the rising costs of PIN-debit transactions," NACS spokesman Jeff Lenard said.






Visa Hit With Antitrust Case Again...This Time in Europe

Visa Europe Accused of Antitrust Violations by EU (Update2) - Bloomberg.com
By John Rega

April 6 (Bloomberg) -- Visa Europe Ltd. was charged with anticompetitive behavior by European Union regulators over payment-card fees after failing to cut its levies as much as MasterCard Inc. did to settle a similar case last week.

The company’s fee guidelines prevent competition among Visa-issuing banks and drive up the costs for stores accepting credit cards, the European Commission said today in a statement.

Five days after settling with MasterCard, Competition Commissioner Neelie Kroes is seeking further fee reductions on the 1.6 trillion euros ($2.1 trillion) of annual card payments in the region. Visa Europe, the operator of the largest card network in the region, must convince the commission its arrangement benefits consumers.

“I’m just staggered by this on a point of principle,” Visa Europe Chief Executive Peter Ayliffe told reporters on a conference call, adding he was “disappointed” not to at least reach a settlement on fees for debit cards.

Ayliffe said his point of principle was that the commission compared the economics of Visa cards versus using cash, rather than other forms of credit.

“We’ve got quite a bit of evidence,” he said, that Visa’s card systems save money for consumers. He declined to specify numbers on the grounds that they will be the basis of his defense.

Payment Systems

Visa Europe, like MasterCard, also argues that transaction fees are necessary to defray the costs of payment systems that benefit consumers and the economy.

The European Retail Round Table, an advocacy group for retailers that includes Wal-Mart Stores Inc. and Carrefour SA, has complained that the fee at issue raises costs by 13.5 billion euros a year.

The so-called interchange fee is based on the card company’s guidelines. It’s paid by the retailer’s bank to the bank that issued the customer’s card. The terms of last week’s MasterCard settlement will reduce fee revenue by 2.6 billion euros, halving the profitability of issuing cards, the Lafferty Group research and consulting firm estimated.

MasterCard, in its settlement, cut its credit-card fees to 0.30 percent per transaction, from a range of 0.80 percent to 1.90 percent in 2007. Debit-card fees were reduced to 0.20 percent, from at least 0.40 percent and in some cases more than 0.75 percent. The commission said the changes will save consumers 200 million euros a year.

Credit-Card Fees

Visa Europe on March 11 cut its credit-card fees to an average of 0.61 percent, from 0.7 percent, while debit-card transaction costs fell to an average of 18 euro cents per transaction, from 28 cents.

The commission said Visa Europe also restricts competition by requiring retailers to take any card without adding a surcharge, and by setting a flat fee for merchants that doesn’t make a distinction between the types of cards used.

The agency has the power to force antitrust violators to change their practices and impose fines of as much as 10 percent of yearly sales.

Visa Europe separated from Visa Inc. before the U.S. card company’s initial public offering a year ago. The London-based company, which is owned by its member banks, has sought an agreement with the commission on interchange since a previous settlement expired at the end of 2007.

To contact the reporter on this story: John Rega in Brussels at jrega@bloomberg.net.
Last Updated: April 6, 2009 12:58 EDT


You Say You Want a Revolution II

Revolution Money gets $42 million from Goldman
07:35 AM EDT  By Phil Wahba

NEW YORK (Reuters) - Revolution Money, an online payment firm backed by AOL co-founder Steve Case, said on Monday it has received funding of $42 million from a group that includes a Goldman Sachs (GS.N) affiliate and earlier investors Citigroup (C.N) and Morgan Stanley (MS.N).

Revolution Money, part of Washington-based Revolution LLC, competes with EBay Inc's (EBAY.O) PayPal service in peer to peer money transfers, and offers a credit card. 

Editor's Note:  Did you know that HomeATM provides TRUE peer to peer money transfers...i.e. you don't have to "load" a card with money in order to send money?

That's the problem I see all the time.  Let's use the recently announced TwitPay as an example.   In order to use "TwitPay" users must first "load" or "FUND" their TwitPay account, which is administered by Amazon.  But Why?  What a PITA.  In order to use a peer to peer money transfer program you first have to transfer money to an account that you'll use to transfer money?  Sounds redundant.  Am I alone or do you perceive that as an extra unnecessary step as well? 

We say why "load or fund" a third party card when you can use the card you already have...you know, the one you need in order to "load or fund" that "third party" card.   


With HomeATM's money transfer program, it's simple.  You use YOUR email and YOUR EXISTING bank card to do it.  Therefore HomeATM eliminates the painstakingly unnecessary task of "using your bankcard" to "load another card."

How EZ is HomeATM's methodology? Just go to our site, www.HomeRemittance.com, enter the email of the individual you'd like to send money to, pull out "your" existing bankcard (again, not a third party card, but "yours"), swipe it in our SafeTPIN device and enter your PIN.  You're done!

The recipient gets an email, takes out "their" bankcard, swipes it in their SafeTPIN device, enters "their" PIN and instantaneously...the money is moved from your account to their account in "REAL-TIME."

Nothing competes!  Anyway, back to the revolution...


The company will use the money to beef up its technology and help retailers promote the credit card, with a view to reaching 3 million retailers by 2011 despite tumbling U.S. retail sales, chairman Ted Leonsis told Reuters.

"We see more rapid adoption of our service as merchants fight in this economy for more margin from sales," said Leonsis, who owns the National Hockey League's Washington Capitals.

Revolution Money estimated its RevolutionCard credit card is accepted at about 650,000 locations in the United States including those of bookseller Barnes & Noble Inc (BKS.N), upscale grocer Whole Foods Market Inc (WFMI.O) and department store chain Nordstrom (JWN.N).

Leonsis said Revolution competes with PayPal by letting users transfer funds to one another for free and with major credit card issuers, such as Visa Inc (V.N) MasterCard Inc (MA.N) and American Express Co (AXP.N) by offering competitive interchange fees for merchants.


Interchange fees are paid by merchants to a credit card company when a customer makes a purchase.

The new investment follows on a $50 million funding in 2007 from Citi, Morgan Stanley and Deutsche Bank (DBKGn.DE), Case and others.


Despite attracting these investments in a difficult capital market, Leonsis said Revolution Money would not consider an initial public offering or put itself up for sale before 2011.

"Right now, we are focused on the build-out of the platform, but at some point to really scale the business, we would have to go public," Leonsis said.

Still, Leonsis thinks the business will be large enough in two years to attract public investors or a possible acquirer.

(Reporting by Phil Wahba; editing by Mohammad Zargham)



WOW! Get a FREE HomeATM SafeTPIN! (including S&H)

Attention: PIN Payments Blog Readers! Get a FREE SafeTPIN PCI 2.0 PIN Entry Device!

In order to celebrate 2 years of painstaking engineering prowess, HomeATM CEO Ken Mages is presenting PIN Payments News Blog Readers with an "unprecedented" opportunity!

What do I have to do, you ask?

Answer the poll, located on the sidebar to the right of this post and...send your email and shipping address to jfrank@homeatm.net and you will receive a FREE HomeATM SafeTPIN (including shipping, handling, processing etc.!)

Of course, we're not completely mad, so this is a limited time offer. 10 days or 2500 units...whichever occurs first.

So...partake in the poll, send me your email address (all emails will obviously be verified) and receive the world's only PCI 2.0 PED designed for use on the web (with online shopping, online banking, online authentication, Person 2 Person "real time" transactions, or even to simply send your money from one account to another!). Also works with Facebook, Twitter, Cell Phones, and as a standalone Point of Sale device... etc.

This is the SAFEST, MOST SECURE and OBVIOUSLY, THE LEAST EXPENSIVE way to protect your cardholder information.

The HomeATM SafeTPIN provides End-to-End Encryption, (including Track 2 Data) of your cardholder data and replicates a traditional retail store transaction...using a dually authenticated DUKPT process...previously unavailable to the general public. Oh...and did I mention it works with cell-phones? (Coming soon!!!...Blackberrys too!!!)

Remember, it's easy. Send me an email (jfrank@homeatm.net) ...enter "Free SafeTPIN" in the Subject Line, and of course, your home address...(where you want it sent to) HomeATM will provide you and your family with our recently PCI 2.0 Certified PED for FREE. No catches. HomeATM pays for shipping, handling, insurance, and the processing of your order.


Sunday, April 5, 2009

Society of Payment Security Professionals Analysis

Summary of the Congressional Hearing on PCI DSS (update)
March 31st, 2009 by cmark Posted in PCI DSS

The Society of Payment Security Professionals’ own Dr. Heather Mark has completed an analysis on the congressional PCI DSS hearings. While there are a number of people who analyzed this, Heather brings a PhD in Public Policy, as well as deep experience in the payment card industry and PCI DSS, and this is right in her wheelhouse. If you are interested in learning about incrementalism, issue attention cycles, lesson drawing, implementation by adaptation and other public policy models and seeing them in practice, then this article is for you. Read all 17 pages here!





Saturday, April 4, 2009

HPY Shareholders Sue Heartland in Class Action

HPY Shareholders Not So HPY after all...

Editor's Note:  The graphic depicted (below/right) documents a 42% drop in shareholder value on January 22nd.  Heartland stock has dropped as low as $3.57 per share on March 9th vs.  a 52 week high of $33.00.  Although they're HPY shareholders, apparently they're not HPY enough to prevent them from partaking in a class action lawsuit. 

Shareholder Class Action Filed Against Heartland Payment Systems, Inc.

By the Law Firm of Barroway Topaz Kessler Meltzer & Check, LLP


RADNOR, Pa., April 3 /PRNewswire/ -- The following statement was issued today by the law firm of Barroway Topaz Kessler Meltzer & Check, LLP:

Notice is hereby given that a class action lawsuit was filed in the United States District Court for the District of New Jersey on behalf of purchasers of Heartland Payment Systems' ("Heartland" or the "Company") (NYSE: HPY) securities between February 13, 2008 and February 23, 2009, inclusive (the "Class Period").

If you wish to discuss this action or have any questions concerning this notice or your rights or interests with respect to these matters, please contact Barroway Topaz Kessler Meltzer & Check, LLP (Darren J. Check, Esq. or David M. Promisloff, Esq.) toll free at 1-888-299-7706 or 1-610-667-7706, or via e-mail at info@btkmc.com.

The Complaint charges Heartland and certain of its officers and directors with violations of the Securities Exchange Act of 1934. Heartland provides bank card payment processing services to merchants in the United States. More specifically, the Complaint alleges that the Company failed to disclose and misrepresented the following material adverse facts which were known to defendants or recklessly disregarded by them: (1) that the Company was in imminent danger of having the security of its processing system breached; (2) that the Company had not taken the proper steps to secure its systems; (3) that further, it was likely that the Company would not be aware such a breach occurred until weeks or months later; (4) that the Company had been notified of a potential breach in its security system; (5) that as a result, the Company would face significant costs related to, among other things, liability and the implementation of proper measures; and (6) that the Company lacked adequate internal controls.

On January 20, 2009, the Company shocked investors when it disclosed for the first time that it was the victim of a security breach within its processing system in 2008. The Company stated that it found evidence of an intrusion the previous week and notified federal law enforcement agencies. Heartland stated that it immediately took a number of steps to further secure its systems. Then, on January 22, 2009, Bloomberg published an article about the breach. The article stated that the breach may have involved 100 million accounts, which would be double the size of the largest such theft in history. Upon the release of this news, the Company's shares declined $5.93 per share, or 42.03 percent, to close on January 22, 2009 at $8.18 per share, on unusually heavy trading volume.

On February 24, 2009, the Company announced disappointing quarterly financial results in an earnings press release. Additionally, the Company announced that it was cutting its dividend 72 percent, and further warned that it could face losses due to the security breach. Later that day, during an earnings conference call, defendants disclosed that the Company was under investigation by the SEC, the United States Department of Justice, the United States Federal Trade Commission, and the Office of the Comptroller of the Currency. Upon the release of this news, the Company's shares fell an additional $2.31 per share, or 30.20 percent, to close on February 24, 2009 at $5.34 per share, also on unusually heavy trading volume.

Plaintiff seeks to recover damages on behalf of class members and is represented by the law firm of Barroway Topaz Kessler Meltzer & Check which prosecutes class actions in both state and federal courts throughout the country. Barroway Topaz Kessler Meltzer & Check is a driving force behind corporate governance reform, and has recovered billions of dollars on behalf of institutional and individual investors from the United States and around the world.

For more information about Barroway Topaz Kessler Meltzer & Check or to sign up to participate in this action online, please visit www.btkmc.com

If you are a member of the class described above, you may, not later than May 5, 2009, move the Court to serve as lead plaintiff of the class, if you so choose. A lead plaintiff is a representative party that acts on behalf of other class members in directing the litigation. In order to be appointed lead plaintiff, the Court must determine that the class member's claim is typical of the claims of other class members, and that the class member will adequately represent the class. Your ability to share in any recovery is not, however, affected by the decision whether or not to serve as a lead plaintiff. Any member of the purported class may move the court to serve as lead plaintiff through counsel of their choice, or may choose to do nothing and remain an absent class member.

CONTACT: Barroway Topaz Kessler Meltzer & Check, LLP
Darren J. Check, Esq.
David M. Promisloff, Esq.
280 King of Prussia Road
Radnor, PA 19087
1-888-299-7706 (toll free) or 1-610-667-7706
Or by e-mail at info@btkmc.com




