Tuesday, February 17, 2009

A Billion Internet Users



eMarketer.com is reporting that Internet users surpassed the billion landmark in December. China's number 1, but it is predicted that #7 India will eventually surpass #2 United States. That surprised me a little bit. Here's what eMarketer has to say about the comScore World Metrix...

FEBRUARY 17, 2009

Growing and growing and growing and...

The moment when the Internet passed 1 million users is veiled in history.

The truth is, whenever it happened, no one was counting—or even had the means to do so. But according to the “Internet Growth Survey” from MIT, there were 1 million hosts (defined as either a computer or IP address) in 1995.


At the time, it was estimated that the Internet was doubling in size every year, so there would be over 1 billion users in 2005.

That timeline proved overly optimistic. But according to the comScore World Metrix audience measurement service, the Internet surpassed 1 billion visitors in December 2008.

“Surpassing 1 billion global users is a significant landmark in the history of the Internet,” said Magid Abraham, comScore CEO, in a statement. “It is a monument to the increasingly unified global community in which we live and reminds us that the world truly is becoming more flat.”

comScore got to a billion users without counting access from Internet cafes, mobile phones or PDAs.

By contrast, eMarketer employs a slightly broader audience definition—access by anyone of any age from any location—to estimate that there were 1.172 billion Internet users worldwide in 2008.

Either way you count, one thing few prognosticators foresaw in 1995 was that the US would have only the second-largest online population when the Internet hit the billion-user mark. China ranks No. 1.

The Web still has plenty of room to grow.

“China has taken the lead in the number of Internet users worldwide, and today only about 20% of its residents are online,” said Lisa E. Phillips, eMarketer senior analyst. “While China will continue to lead the world in Internet users, look for India to eventually overtake the US, Japan and Germany.”

While Internet usage is close to saturation in the US, Japan and Germany, India’s Internet population lags behind its status as the second-most-populous nation on earth. “But eventually India’s Internet population will grow large enough to overtake those smaller countries that are now in the top spots,” Ms. Phillips continued.
“The second billion will be online before we know it,” said Mr. Abraham, “and the third billion will arrive even faster than that.”







The Cost of PCI Compliance - Element Payment Services Blog





In a great informational post provided by the PCI DSS Compliance Blog, published by Element Payment Services, they talk about the cost of PCI compliance.

I had the pleasure of working with Sean Kramer,  the founder and CEO of Element Payment Services, when he was with Concord EFS.  We jointly provided an innovative payments package/solution for U.S. FoodService members.  I am happy to see (but not surprised by) the growth enjoyed by Element.  It couldn't happen to a nicer guy!  Congrats to Sean and his team, including Roy Bricker who previously worked at Pay By Touch.

Here's their post: 

PCI DSS Compliance Blog: Cost of PCI Compliance

‘What does it cost to be PCI compliant?’ is a common question by business owners and software providers facing compliance requirements. Several estimates have been generated by industry leaders on PCI compliance costs.

For Merchants (Complying with PCI DSS)

IT security firms Solidcore Systems, Emagined Security and Fortrex Technologies have identified three main categories of PCI compliance costs:

• Upgrading payment systems and security infrastructure,
• Verifying compliance (assessments), and
• Sustaining compliance.

New components that might have to be installed to upgrade payment systems and security infrastructure include additional firewalls, upgraded anti-virus and anti-spyware software, secure wireless systems, data encryption technologies and file-integrity monitoring software.

Compliance assessments include the PCI Self-Assessment Questionnaire (PCI SAQ) for Level 2, 3 and 4 merchants and an on-site audit for Level 1 merchants.

In 2008, IT research giant Gartner reported that merchant spending to protect cardholder data and become PCI compliant increased nearly fivefold during the previous 18 months. Among the Level 1 retailers Gartner surveyed, an average of $2.7 million was spent to become PCI compliant, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey. Level 1 merchants spent an average of $237,000 on PCI security assessments.

Level 2 merchants reported spending $1.1 million on PCI compliance (compared to $267,000 in fall 2006) and an average of $135,000 on assessment. Level 3 merchants, those processing between 20,000 and one million transactions per year, spent an average of $155,000, excluding security assessment. Gartner did not discuss Level 4 merchants in the report.

For Software Developers (Complying with PA-DSS)

To achieve PA-DSS compliance, software providers must undergo the lengthy and costly process of validating their application. This involves a security audit from a PA-DSS Qualified Security Assessor (QSA) and the development time and expense to bring the application into compliance. These PA-DSS certification costs can range from tens to hundreds of thousands of dollars.

Additionally, software providers are required to pay $1,250 annually per software application to have their solution listed as a validated PA-DSS-compliant solution.

To visit the PCI DSS Compliance Blog click here.  Element Payment Services site is located at: www.elementps.com









Can Prepaid Cards Be Loaded by Hackers?

Kara Gammell writes in today's Telegraph.com.uk about prepaid cards and questions whether or not they would provide more protection than credit or debit cards and entice 50% of the UK population to shop online in an article entitled: "Will Prepaid Cards Keep the Fraudsters at Bay?" 
"More than half of the population are so worried about becoming a victim of fraud that they refuse to shop online. The research, conducted by CyberSource, a company specialising in electronic payments, said that one in three respondents knew someone who had been the victim of fraud.

But for these reluctant shoppers, a prepaid card might just be the answer.

A prepaid card looks just like a normal credit or debit card, and enables you to buy products and services where ever these cards are accepted.

The main difference is that you can only spend the balance that has been preloaded onto it. This means there is no risk of running into debt as it has no credit or overdraft facility and crucially, the card has none of your personal bank details attached to it.

In the beginning prepaid cards were used by parents to manage their children's spending habits and the market has typically been dominated by Mastercard and Maestro. But now a number of rival cards have appeared, targeting everyone from overseas travellers, nervous online shoppers to new mothers.

Andrew Hagger, spokesman for Moneynet.co.uk, said: "Prepaid credit cards allow such people to be part of the modern day 'plastic culture' which allows you to take advantage of online shopping discounts as well as access to hugely popular sites such as eBay."

For those shoppers who are hesitant about spending on the web, this type of card could help reduce the potential for fraudsters to steal your personal details.

Mr Harrison said: "The risk with a credit card is that the fraudsters will be able to max out your card, where a prepaid card is almost like a pay-as-you-go mobile phone. The only money that can be stolen, is the money you have loaded on.

"And unlike a debit card, a prepaid card does not have any link to your bank account or address, so the chance of fraud is next to none."

Editor's Note:  The problem the UK is having is with cloning/counterfeit cards.  I would imagine that hackers have their eye on the prepaid market as it is readily more easy to counterfeit $50 cards than $50 bills.

How do prepaid cards work?

Money – typically up to £5,000 – can be loaded on to a prepaid card by cash at a bank, Post Office, at Pay zone or PayPoint terminals, bank transfer, through your employer or even by another credit card.  Editor's Note:  or even by a hacker using a stolen credit/debit card! 

Continue Reading





Aconite Extends Chip & PIN Support to Banks in Middle East


Aconite extends Chip & PIN support to banks in the Middle East

London, 17th February 2009

New webinar provides guidance to banks as they prepare to roll out Chip & PIN cards

London, 16th February, 2009: Aconite, a leading provider of software and consulting services for managing business applications on chips in smart cards, tokens or mobiles, is running a webinar to provide timely support to banks in the Middle East in light of recent increased pressure from Central Banks in the region on banks operating locally to implement Chip and PIN cards. These mandates, issued in the United Arab Emirates, Kuwait, the Kingdom of Bahrain and Saudi Arabia for example, require banks to quickly deploy chip technology to increase card security and reduce fraud. And whilst some countries have been mandated to migrate, neighbouring countries will also feel the pressure to increase security on their cards as fraudsters target lesser protected card schemes.

The complimentary webinar entitled “Your guide to introducing Chip & PIN cards” will provide practical advice and highlight important considerations to assist card issuers in making a smooth transition to Chip & PIN cards. The webinar programme will be led by Aconite’s David Worthington, Regional Manager for the Middle East and Bev Stevens, Senior Consultant. Collectively, they have over 25 years chip experience and have delivered various EMV and consulting projects in the Middle East. This includes assignments at numerous banks across Bahrain, Kuwait, Jordan, Oman, Qatar, Saudi Arabia and the UAE, as well as periods spent working directly for KNET and SAMA.

David comments “Aconite is well placed to assist banks taking up this challenge as the company’s team has been engaged in the migration of chip technology since the first pilot of chip cards in the UK in 1993. Through hands-on international experience, we have gained a thorough understanding of every stage of the migration process; our aim is to share best practice to make the migration process for card issuers in the Middle East as straight forward as possible”.

The webinar is scheduled for 11am GMT on Wednesday, March 4th. For more information or to register for the webinar please visit:
www.aconite.net/newsEvents/webinars.aspx.

I've provided further information about the Aconite webinar below:

"Your guide to introducing Chip and PIN cards in the Middle East"

Overview

It was recently announced that the UAE Central Bank has requested that all banks operating in the country are required to upgrade their ATM cards to Chip & PIN cards to reduce the risk of debit and credit card fraud, whilst in the Kingdom of Bahrain, the Central Bank of Bahrain has also issued mandates for Chip & PIN implementation for both Issuers and Acquirers. Whilst some countries are being driven to increase the security of their card base by such national mandates, neighbouring countries will quickly feel the pressure to follow suit as fraudsters will inevitably target lesser protected card schemes.

As a card issuer in the Middle East, what exactly does that mean for you? What are the cost implications? And just how do you go about embarking on such a migration project?

Aconite has been helping financial institutions define their Chip & PIN strategy since the very first chip pilot in the UK back in early 1990s. We would like to share with you practical advice and considerations to help you make a smooth transition from magnetic stripe to chip cards.



330+ Banks Impacted by Heartland Breach as Numbers Climb

Heartland Data Breach: More Than 330 Institutions Impacted
Bermuda, Canada and Guam Now Report Effects from Breach

Bank Info Security is reporting that more than 330 Financial Institutions have reported that they are being impacted by the Heartland Payments Systems Data Breach.

From their site:
"The Heartland Payment Systems [HPY] data breach is the first major information security incident of 2009. As first reported on Jan. 20, Heartland, the sixth-largest payments processor in the U.S., revealed that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Since then, a growing number of banking institutions have stepped forward to announce that their customers were among those affected by the breach."

To see a full list of all the affected institutions, click here




Biometric Facial Authentication Hacked


Researchers Hack Faces In Biometric Facial Authentication Systems - DarkReading
Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops; demonstration planned for Black Hat DC next week

By Kelly Jackson Higgins
DarkReading

A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images. They successfully bypassed Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 -- each set to its highest security level -- demonstrating vulnerabilities in the systems that let an attacker cheat them with phony photos of the legitimate user and gain access to the laptops.

Editor's Note: Guess it's time for HD-3D webcams, eh?

These Windows XP and Vista laptops come with built-in webcams that work with the facial-recognition technology. This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords. The software scans the user's face and stores the images and facial characteristics. Then the user can log in by scanning his or her face, which is then matched against the image data.

Continue "DarkReading"


Accumulate Strengthens Mobile Credit Card Transaction Security


Barcelona 2009 Accumulate strengthens security of credit card transactions via the mobile

The launch of the ME-platform and the Check ME product enables enhanced security and opens up for new, innovative and cost-effective services in payment and identification using the mobile phone.

Barcelona, February 17, 2009 – At the Mobile World Congress 2009, Accumulate will launch its new mobile technology platform – Mobile Everywhere (ME). The platform is based on patented technology that enables new and innovative payment and identification solutions on the mobile device.

The first product to be released from the Accumulate ME-platform is Check ME, which extends security and control features of the mobile phone, so that consumers can comfortably conduct credit card transactions over their device.

“When online fraud increases, it hinders business opportunities. With the Accumulate ME-platform, card issuers and online shop owners can increase their business while greatly minimizing the fear many end-users have when using credit cards for online transactions”, says Stefan Hultberg, CEO of Accumulate.

Check ME is based on the ME-platform and secures online credit card transactions using the mobile to verify and authenticate the user. Customers are typically credit card issuers such as banks. Key benefits are:

  • Mobile is always with you – increasing accessibility
  • As secure as token generators – eliminates need for extra device
  • No external storage of credit card data
  • Works with almost every mobile phone
  • Easy to use

An example of Check ME’s usage: A consumer makes a credit card purchase online, and authenticates her identity with a pin code provided to her via Check ME on her mobile.

“The launch of the ME-platform and Check ME will be followed by additional new, innovative and cost-effective identification and payment services using the ever present mobile phone”, says Stefan Hultberg.

ME-platform – the technology
The core components of the ME-platform consist of a mobile client that is distributed to users and a back-end transaction server system. The ME-platform offers 3D security and uses a standard mobile phone as a security device, making truly secure authentication accessible for the masses.

For each transaction two separate lines of communication are established – simultaneously – between the customer and the service provider, using two different communication systems: the mobile phone and computer-to-computer communication via the Internet. The end users use their regular computer and standard cellular phone. The service provider sends encrypted information – and receives encrypted reconfirmation – using their web server, and an external transaction service.

The ME-platform products currently work on all major mobile platforms including Android, Blackberry, iPhone, Java, Linux, Nokia Series 40/60 and Windows Mobile.

Visit Accumulate at MWC 2009
If you would like to meet Accumulate in Barcelona, just send a mail with your request to info@accumulate.se. We will reply with more information on where and when to meet.

More information
Stefan Hultberg, +46 70 350 5704, stefan.hultberg@accumulate.se

About Accumulate
Accumulate – world leading provider for secure connected mobile solutions. For more information please visit www.accumulate.se or contact us in Stockholm or London.
London office: Accumulate UK Limited, 306 Harbour Yard, Chelsea Harbour, London SW10 0XD, United Kingdom. Phone + 44 207 351 5944
Stockholm office: Accumulate AB, Norrlandsgatan 23, S-111 43 Stockholm, Sweden. Phone +46 8 20 46 15





Nominations Open for Outstanding Smart Card Achievement Awards



Nominations Open for Smart Card Alliance 2009 OSCA Awards

PRINCETON JUNCTION, NJ, February 17, 2009 –The Smart Card Alliance will once again honor the companies and individuals who have significantly impacted and influenced the market for smart cards in North America with its prestigious “Outstanding Smart Card Achievement” (OSCA) awards.

The 2009 OSCA awards will be presented during the Smart Card Alliance 2009 Annual Conference held in conjunction with CTST 2009 – The Americas Conference on May 4 - 7, 2009 in New Orleans. Complete details and nomination forms can be found at http://www.smartcardalliance.org/pages/activities-osca-awards. All nominations must be received by March 20, 2009.

Nominations are open in three award categories – two for organizations and one for an individual.

  • Outstanding Issuing Organization Award. For an organization that is issuing smart card technology to its internal clients or external customers for their use in North America.

  • Outstanding Technology Organization Award. For an organization with offices in North America that designs, develops or manufactures smart card technology; or that integrates, designs or implements systems in which smart card technology is an important part of an overall solution; or that provides services that support smart card usage in North America.

  • Outstanding Individual Leadership Award. For an individual who stands out for his or her individual contributions to the smart card industry in North America based on a professional record of leadership, vision, support and commitment to the smart card industry in North America.
A judging panel consisting of North American smart card industry suppliers, end-users and individuals from the analyst and media communities will review all qualified OSCA applications. They will select three finalists in each category based on the nominee’s merits and qualifications as outlined in the applications and determine the award for 2009.

Visit the Smart Card Alliance Web site to see the 2008 OSCA Award winners.

CheckSavers Plans Rollout

Check Savers (www.checksavers.com) is pleased to announce the planned 2009 rollout of its new payment technology.

Check Savers uses a patented technology to receive data over the web and create payment items which get deposited directly into merchants’ accounts.

The payment system developed by Check Savers has taken the best features from traditional payment methods - credit cards, ACH and checks in order to bring a comprehensive solution suitable for any industry.

At a reduced operating cost of approximately 25% to 50% of the price of credit card acquiring, and elimination of traditional chargeback exposures, merchants have more protection in their business operations than ever before.

"We have predictable pricing models ensuring that companies can accurately forecast their operating costs. This feature, coupled with enhanced fraud management and the fact that companies can use their existing banking relationships, means that we truly have a merchant-centric product. Companies can now promote sensible spending across their client base, whilst at the same time pass on significant savings to their clients; something which is not lost in the financial climate of 2009" Teo Leonard - Operations Director

It has been commonly misinterpreted as ‘another Check 21 product’. Check Savers provides a whole new concept in acquiring technology; a single solution for all bill payment, acquiring and invoice management is now at your fingertips.

Government, non-profit and traditional commerce industries, contact us to see how we can fit into your world.



Secret Service & FBI Issue CyberAttack Advisory

*** Joint USSS/FBI Advisory ***

PREVENTIVE MEASURES

Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization's ability to detect and respond to similar incidents quickly and thoroughly.
Attacker Methodology:
In general, the attackers perform the following activities on the networks they compromise:

1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.
2. They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.
3. They obtain valid Windows credentials by using fgdump or a similar tool.
4. They install network "sniffers" to identify card data and systems involved in processing credit card transactions.
5. They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks.
6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.
7. They use WinRAR to compress the information they pilfer from the compromised networks.

We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.

Recommendation 1: Disable potentially harmful SQL stored procedure calls.

Continue Reading this USSS/FBI Advisory at Visa
(PDF)
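
One way to carry out Recommendation 1 for the xp_cmdshell procedure named in the attacker methodology, as an added T-SQL example that is not part of the USSS/FBI advisory. It assumes SQL Server 2005 or later (where the sys.configurations view exists) and a sysadmin session in sqlcmd or Management Studio, which is where the GO batch separator is understood.

```sql
-- Added example, not from the advisory. Assumes SQL Server 2005 or later
-- and a session that is a member of the sysadmin server role.
USE master;
GO

-- 1. Audit: value_in_use = 1 means xp_cmdshell is currently callable.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Audit: logins in the sysadmin role. Any of these can switch
--    xp_cmdshell back on with sp_configure, so the login used by a
--    web application must not appear in this list.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')              -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Harden: xp_cmdshell is an advanced option, so expose advanced
--    options, switch it off, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 4. Verify: raise an error if the running value is still non-zero.
IF EXISTS (SELECT 1
           FROM sys.configurations
           WHERE name = N'xp_cmdshell'
             AND CONVERT(int, value_in_use) <> 0)
    RAISERROR('xp_cmdshell is still enabled', 16, 1);
ELSE
    PRINT 'xp_cmdshell is disabled';
GO
```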





M-Banking Given Boost by Gates Foundation

Finextra: Gates Foundation teams with GSMA to boost m-banking in developing world
The GSMA, which represents the interests of the worldwide mobile communications industry, and the Bill & Melinda Gates Foundation have announced a new program that aims to expand the availability of financial services to millions of people in the developing world through mobile phones.

The Mobile Money for the Unbanked (MMU) program, supported by a US$12.5 million grant from the foundation, will work with mobile operators, banks, microfinance institutions, government and development organisations to encourage the expansion of reliable, affordable mobile financial services to the unbanked.

"There are over 1 billion people in emerging markets today who don't have a bank account but do have a mobile phone," said Rob Conway, CEO and Member of the Board of the GSMA. "This represents a huge opportunity and mobile operators are perfectly placed to bring mobile financial services to this largely untapped consumer base. Based on the initial findings of research conducted with the microfinance centre CGAP and McKinsey & Company, we believe that mobile money for the unbanked has the potential to become a US$5 billion market opportunity over the next three years."

continue reading at Finextra



Monday, February 16, 2009

Do We Need a New Internet?

In yesterday's New York Times, John Markoff writes that maybe we need a brand new Internet.  This time with security...  I allude to this article with the sole intent of bringing into perspective, why HomeATM has chosen to take a hardware-based (outside of the browser space) end-to-end encrypted approach to e-transactions.  

Here are some selected quotes:


  • "Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over."

  • The Internet’s original designers never foresaw that the academic and military research network they created would one day bear the burden of carrying all the world’s communications and commerce. There was no one central control point and its designers wanted to make it possible for every network to exchange data with every other network. Little attention was given to security. Since then, there have been immense efforts to bolt on security, to little effect.

  • “In many respects we are probably worse off than we were 20 years ago,” said Eugene Spafford, the executive director of the Center for Education and Research in Information Assurance and Security at Purdue University and a pioneering Internet security researcher, “because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure.”

  • Despite a thriving global computer security industry that is projected to reach $79 billion in revenues next year, and the fact that in 2002 Microsoft itself began an intense corporate-wide effort to improve the security of its software, Internet security has continued to deteriorate globally.

  • Even the most heavily garrisoned military networks have proved vulnerable. Last November, the United States military command in charge of both the Iraq and Afghanistan wars discovered that its computer networks had been purposely infected with software that may have permitted a devastating espionage attack.

To read the NYT article in its entirety, click here



$1 Trillion Lost to Cybercrime...Can Hackers Bail US Out?



According to the numbers provided in a recent report from McAfee, maybe we should be asking the hackers, instead of US taxpayers, to bail us out of this recession.

McAfee, in a recent report entitled "Unsecured Economies: Protecting Vital Information," states that data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage in 2008.

McAfee made the projection based on responses to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.

The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches, McAfee said.  McAfee CEO Dave DeWalt spoke to CBR about the results and said that the findings suggested the figure around the world could be much larger.


“The findings are startling,” he said. “We believe the potential figure for total losses worldwide could be as much as $1,000,000,000,000 trillion.”
In what has to be one of the dumbest mindsets/perceptions out there, the survey also found that respondents worried more about the damage that leakage or loss of vital information would do to their company’s reputation than about the financial impact. That statement would lead me to respond that if they're more worried about their company's reputation than financial impact, then they should donate all of their gross revenues to the bailout fund. That would help their reputation as far as how US taxpayers would perceive them. C'mon.


The financial impact of a breach could potentially destroy a company...let alone their reputation. Of course there "may" be exceptions, for instance, Kaspersky (now more famously known as "KaperSkyisFalling"), F-Secure (who knew that the F stood for Failure) and BitSecure (are they contemplating rebranding their company as: "A BitMoreSecure?"), all of whom were recent victims of the same Romanian hacker's SQL Injection/cross site scripting attack, which allowed him to gain access to key data. They have to worry about their company's reputation because they're supposed to "provide security." On the other hand, ask Heartland Payment Systems if they're more worried, at this point, about their reputation or the financial impact of the breach.

Not surprisingly, McAfee's DeWalt said "that kind of mindset (reputation first, financial impact later) could be very damaging to enterprises." Asked if he felt companies did not fully understand the value of IP, he said: “Yes, it’s all about brand protection, but that is after the fact. Businesses need a much better understanding of what data they have and where it is stored.” He added that a combination of education, technology and government intervention is the key to improving data security.
"This is the number one security concern at the moment." McAfee suggested that situation could get worse as businesses are put under increasing pressure to reduce costs during the economic downturn. "Reduced spending and staffing levels have led to more porous defenses and increased opportunity for crime," DeWalt said.


China's Credit Card Market - 2008 Report Available

Description

After five consecutive years of growth since 2003, China's credit card market finally started its adjustment in 2008. Since the beginning of the second half of that year, China's banks have been cutting their issue of credit cards because the global financial crisis and the degradation of the international credit market meant that banks needed to control risks.

As a result, the increase of issue of credit cards was down more than 50% from a year ago. But the absolute number of credit cards still went beyond 150 million in China in 2008 in spite of the slowdown of issue.

The major credit-card brands in China include China UnionPay, VISA, MasterCard, American Express, and JCB.

Their market shares by the end of November 2008 were UnionPay 64.6%, VISA 18.0%, MasterCard 15.2%, American Express 0.7%, and JCB 1.6%. (see graphic on left)


Wyndham Hotels Hacked...Cards Compromised

Hack Alert

This is getting a little ridiculous, is it not? Every week there's a new hack.  This time you're being warned that if you stayed at a Wyndham Hotels and Resorts property last year, you may want to monitor your credit card statements.  They are the "latest" victim, for lack of a better word, of a data breach which has compromised payment card information.

Here's the Press Release

February 16, 2009

To our Wyndham Hotels and Resorts guests:

In mid-September, 2008, our company discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) franchised hotels. By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system. We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem, and, more importantly, to ensure that it does not reoccur.

In addition to ensuring that the hack was immediately terminated and disabled, we promptly retained a qualified investigator to assess the problem and ensure that we had isolated it, and then to help us implement the proper changes to strengthen and improve the security of our connections with each of our WHR branded properties. Further, each of the impacted properties separately brought in a qualified PCI investigative firm to assess and improve the security at each hotel property in the system.

To ensure our customers’ card numbers were protected, we provided each of the payment card companies (American Express, Visa, Mastercard and Discover) with the actual card numbers that were accessed so that these payment card companies could take such action as they deemed appropriate to monitor the use of the cards.

We also notified the Secret Service, as well as several states' attorneys general offices with information about the breach, and continue to work with law enforcement to assist in the investigations of this matter.

Because only payment card information was compromised, we had difficulty locating the names and addresses of the individual customers impacted. Undaunted, we contracted with secure third party consumer reporting agencies to match every active credit card in the United States with the consumer’s name and address and we personally provided notice to those individuals.

Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card’s magnetic stripe. At this time, no criminal identity theft related to the use of the consumer data has been identified. Importantly, we believe that it is unlikely that identity theft will occur because of the limited amount of information that was compromised. Birthdates, SSNs, addresses or other personally identifying information were not kept by the hotels and therefore not part of the compromise. Nevertheless, we recommend that you regularly monitor your card and bank statements and that you promptly report all suspicious activity to the financial institution that issued your card.


Wyndham prides itself on providing exceptional value for our guests. We deeply regret this incident occurred and we will work hard to restore your confidence in our brand.

Sincerely,

Kirsten Hotchkiss

Airmiles...Use 'em or Lose 'em

Credit card holders could lose their Airmiles


Millions of people face losing all the Airmiles they have collected through buying with their credit cards and shopping online if they fail to collect any in the next six months.

Airmiles – the UK's longest-running loyalty programme – has written to 1.7 million customers who have 500 Airmiles or more but have not collected any in the past two years, telling them that if they do not collect at least one Airmile in the next six months, their accounts will be closed and they will lose any Airmiles they have accrued.

The company's actions have angered customers, with Simon Calder, the Independent's travel editor, likening the move to banks closing savers' current accounts through lack of activity.

Mr Calder told the BBC: "That's a bit like having a bank account where you're told, 'Ah, well, you haven't put any money in it for a couple of years so we've closed it down and kept your money.'"

Continue Reading at Fair Investment



Sunday, February 15, 2009

Another Payment Card Processor Hacked

Anthony Freed, Financial Editor for Information Security Resources, writes in an excellent article that there are reports that another Payment Card Processor has been hacked.  The company has not yet been named, but "multiple tips from multiple sources" claim that another processor, other than Heartland, is behind recent warnings to banks about potentially having to replace consumer cards.

Developing...
 
By Anthony M. Freed, Information-Security-Resources.com Financial Editor
Reports are surfacing that there has been another major information security breach at a credit card payment processor, though the company has not yet been identified.
The breach news comes less than one month after Heartland Payment Systems announced they had suffered what is likely to be the biggest PCI breach to date, possibly bigger than the TJMAX breach.
Heartland (HPY) is the sixth largest payment processor in the nation.
There had been indications in early Heartland reports that the FBI was pursuing suspects who may be part of a larger criminal conspiracy targeting multiple companies, but there are no reports yet as to whether this latest breach is part of that investigation, or whether the revelations at Heartland led to this breach being uncovered.
From DataLossDB.org on the breach at the unknown company:

Banks around the country are reportedly receiving warnings, and perhaps even new lists of cards to replace. This is apparently regarding another credit card processor, unrelated to Heartland Payment Systems, having a significant breach.

OSF has received multiple tips from multiple sources, and has spoken with the good people over at bankinfosecurity.com who have confirmed they too are hearing the exact same thing. From what we’ve heard, this second breach is significant in scale, but we have not as of yet been told who the processor is.

Also, speaking of BankInfoSecurity.com, they’ve released an article about three people being arrested for allegedly using credit cards from the Heartland Breach. And also, their list grows of institutions affected by the Heartland incident (they maintain a much more comprehensive list than we did). Hats off!
Our team has been predicting that 2009 will be the year that InfoSec moves to the forefront of the economic crisis. We believe the somewhat obscure issue will be as familiar to the American public as the notorious subprime and pay option ARMs have become in the last year or two.

Much like the meltdown of the mortgage industry, the revelations of lax governance in the handling of sensitive and private data will likely shock the public and the business community alike, and those revelations are bound to come all too painfully slow, especially for shareholders.

The data loss debacle at Heartland highlights the fact that the failure to secure information is the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.

Nearly one month after going public, few details of the Heartland breach have been released, and many questions remain regarding a long chain of events that include both the breach and also an aggressive executive 10b5-1 stock selling plan adopted in early August of last year, the same month the breach is now reported to have ended, but still five months before the breach was announced publicly.


Heartland Payment Systems' stock price has been flat-lined since losing half of its value shortly after the January 20, 2009 breach announcement. A report from komonews.com gravely illustrates that this is more than a security issue, it is a commercial viability issue:
Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company’s survival if the big card brands decide to cut off Heartland from connecting to their networks.

One big payment processor, CardSystemsSolutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment.

The latest piece of news for the Heartland timeline comes from StorefrontBacktalk.com’s Evan Schuman:
“According to a MasterCard alert, this sniffer program stole card numbers and expiration dates from credit and debit cards processed by Heartland from May 14, 2008, through Aug. 19, 2008, as the information entered Heartland’s payment switch,”
Here is what we know of the Heartland timeline thus far, which is not much, but it does beg for a more thorough explanation by company officials for no other reason than several important things happened in a relatively short period of time, and that alone should be reason enough:
May 14, 2008: Breach reported to have begun
May 20, 2008: Carr makes first stock sale of the year, 2695 shares
August (first week), 2008: CEO Robert Carr’s 10b5-1 is proposed
August 8, 2008: Board approves 10b5-1 plan
August 8 - August 14, 2008: Carr makes six separate sales of stocks totalling 60,000 shares
August 19, 2008: Breach reported to have ended
August 28, 2008: Carr sells 80,000 shares
September 3, 2008: Carr sells 80,000 shares
September 17, 2008: Carr sells 80,000 shares
October 15, 2008: Carr sells 80,000 shares
October 28, 2008: Visa and MasterCard notify Heartland of problems; Carr sells 80,000 shares
November 6, 2008: Carr sells 80,000 shares
November 20, 2008: Carr sells 80,000 shares
December 11, 2008: Carr sells 80,000 shares
December 26, 2008: Carr sells 42,900 shares
January 7, 2009: Carr sells 80,000 shares
January ??, 2009: Carr suspends his 10b5-1 stock selling plan
January 20, 2009: Breach Announced
Heartland representatives maintain that company officials were not alerted to the breach until being contacted by Visa (V) and MasterCard (US:MA) officials in late October.

In an email I received from Heartland’s representatives, they state that there is no relationship whatsoever between the breach and Carr’s stock sales:
At the time of this announcement, Mr. Carr was not under any trading restrictions pursuant to the company’s insider trading policy and was not in possession of any material non-public information concerning the company. Under this 10b5-1 plan, programmed sales of company stock were made on Mr. Carr’s behalf, and he had no discretion regarding the timing or other aspects of those sales.

Although he was not required to do so, Mr. Carr terminated his 10b5-1 when the company confirmed the security breach it disclosed in the company’s press release of January 20, 2009. As has been reported, Heartland first learned of a potential problem from the card associations on October 28th of last year, well after the announcement of this 10b5-1 plan. Heartland categorically denies that Mr. Carr was aware of a potential security breach at the time he adopted his trading plan.
I can see no reason not to take them at their word, but I also urge Heartland officials to release more information to clear up the issue, such as the documentation that Heartland’s Systems and IT departments keep to show compliance with requirements for sensitive data protection. Hard copy confirmation that no one at Heartland was aware of any major security problems prior to October 28, 2008 would put any questions to rest with more finality than a corporate press release or an email.

Something to look forward to is the conference call with Carr now scheduled to take place in the last week of February. The agenda states the call will discuss Q4-2008 earnings, but it seems almost certain they will address the breach then, and hopefully will provide more details regarding an eventful August 2008.

From the press release:
Chairman & Chief Executive Officer Robert Carr and President & Chief Financial Officer Robert Baldwin will host a conference call beginning at 8:30 AM Eastern Time, Tuesday, February 24, 2009, to discuss fourth quarter and fiscal year end 2008 results and conduct a question and answer session.


Heartland Payment Systems invites all interested parties to listen to its conference call broadcast through a webcast on the Company's website. To access the call, please visit the Investor Relations portion of the Company's website at: www.heartlandpaymentsystems.com. The webcast will be archived on the Company's website within two hours of the live call and will remain available through Friday, May 22, 2009.


You may also participate by calling (800) 559-6679 and providing the operator with Pin Number 81829786.
The SEC does require disclosure by company leadership of known threats to share price, so we should expect that more will be revealed during the call, unless the investigation would prevent the release of such information, in which case we would probably at least get some statements to that effect.

Either way it seems that much will be revealed in the call.

As for the latest breach, let’s hope it is not a record breaker and that no fraud cases are the result. Be vigilant about checking your own credit card statements and report any suspicious activity immediately. Then just keep your fingers crossed that we can effectively put the information security genie back in the bottle before the next breach is not just a financial security matter, but a national security event as well.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

Saturday, February 14, 2009

Week in Review
