Wednesday, September 23, 2009

Bill Me Later Coming to eBay - PayPal Blog

Bill Me Later Coming Soon to eBay and Offered through PayPal at Merchant Sites


Hi everybody. Sam Shrauger here, PayPal’s vice president of global product strategy.  As Scott Thompson said in his post after eBay acquired Bill Me Later, the opportunity that eBay, PayPal and Bill Me Later have together is nothing short of tremendous. I’m excited to tell you that in the coming weeks we’ll be introducing Bill Me Later on eBay, as well as on other merchant sites through PayPal, beginning with a launch for a limited number of buyers and sellers in the U.S.



Bill Me Later on eBay: Qualified PayPal customers will be able to use Bill Me Later during eBay checkout. For select sellers, PayPal will automatically add Bill Me Later as a way to pay. Sellers included in the initial rollout will be notified via email by PayPal.



Bill Me Later through PayPal: Qualified PayPal customers will also be able to use Bill Me Later at thousands of their favorite merchants. After selecting PayPal at checkout, buyers will see Bill Me Later as a fast and secure way to pay, with the added benefit of deferred billing.



Continue Reading Sam's Post at the PayPal Blog

Bankcard Industry Lobbies Congress to Leave Interchange Fees Alone

Summary

The primary story here is not the card industry's standard defense of bankcard interchange fees. It is that Visa and industry trade associations are responding to the clear and present danger that an angry Congress is going to side with merchants by enacting a law to limit interchange fees. Their defense of the fee is that polling of consumers shows a wide majority in favor of charging merchants for accepting cards. But it doesn't address whether current fees are too high and unfairly applied.

Analysis

If Congress enacts a law, the bankcard networks and their issuers could lose billions in revenues, thus forcing higher APRs on cardholders. It also holds the risk of increasing the industry's exposure in the interchange antitrust lawsuit in Brooklyn. In effect, a potentially very costly double whammy.

The industry has the better argument vis-a-vis new legislation. Namely, that price controls invariably backfire, and in this case will screw not only consumers but merchants in lost sales. Their argument that merchants will pocket any reductions in interchange fees will probably fall on deaf ears, as there is no way to prove it. Their argument that current interchange practices are fair probably will also fail in Congress. It's an argument that hasn't succeeded anywhere else around the world. The latest proof of this is the networks' settlement of the issue in New Zealand in favor of the merchant position. In the EU, the EC has all but decided that the bankcard industry is a cartel involved in price fixing. Congress is hearing the same defense that hasn't persuaded foreign governments anywhere.

Visa and MasterCard set interchange fees that they charge to merchant banks, knowing the fees will be passed on to merchants and paid through network settlement systems to issuers. The fees are nonnegotiable and V & MC don't receive a cent of them. All they do is collect it for issuers. In effect, the fee is an issuer fee -- a fee charged by banks. And nowadays nobody likes banks.

Bottom line: interchange legislation in some disturbing form will happen next year, unless the bankcard industry settles the Brooklyn lawsuit in a way that resolves the issue for years to come. Put another way, the industry can best prevent legislation via self reform -- a negotiated deal with its adversaries in court.

Raiffeisen Bank Romania orders 190,000 Todos Smart Card Readers





Raiffeisen Bank has selected leading eBanking security vendor Todos AB to provide their online customers with the latest in security technology. The choice fell on the Todos A200 smartcard reader for more trustworthy and user-friendly eBanking in Romania.



PRLog (Press Release)
Sep 23, 2009 – GOTHENBURG, SWEDEN – Raiffeisen Bank Romania has ordered 190,000 Todos A200 smartcard readers. The bank's objective is to increase security for its online customers and, as a result, increase their trust and confidence in eBanking with Todos's advanced technology.



Raiffeisen Bank is one of the country's leading banks with more than two million customers. It is a subsidiary of the Austrian Raiffeisen International Bank-Holding AG, which in turn is a fully consolidated subsidiary of Vienna-based Raiffeisen Zentralbank Österreich AG (RZB). RZB operates one of the largest banking networks in CEE, covering 17 Central and Eastern European markets through subsidiary banks, leasing companies and other financial services firms. The group's nearly 62,000 employees service 14.9 million customers via more than 3,200 business outlets.



This is Todos's first order from Raiffeisen Bank Romania, although Todos supplied a sister company, Tatra banka in Slovakia, with the same technology. This gave Raiffeisen a template for their own system and great confidence in Todos's abilities.



Todos A200 - Raiffeisen Bank Romania edition

Raiffeisen Bank wanted to roll out an authentication solution very quickly and Todos was able to deploy a solution within weeks. Despite the speed of the process, Todos still managed to customize the devices with Romanian manuals, menus and the bank's logo.



"Todos's technology brings a new level of trust and security to Raiffeisen Bank Romania," says Bo Emanuelsson, Todos's Sales Director EMEA. "We are very excited to add them as a new client and we look forward to a long and happy relationship with the Raiffeisen network."



"Todos was a natural choice for us considering their impressive work with Tatra banka, amongst others," says Iulian Dascalescu, Procurement Director at Raiffeisen Romania. "This brings a new level of security to Romanian eBanking."

# # #

Todos helps banks create trusted, secure relationships with their customers online. Founded in 1987, Todos designs, develops and supports online security. We have delivered over 18m products to 100+ financial institutions. When trust matters, trust Todos.


Companies Struggling with PCI Compliance



Redwood Shores, Calif. and Traverse City, Mich. – September 23, 2009 – PIN Payments News Blog:  Imperva and the Ponemon Institute today announced the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft. In fact, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% admit to only securing credit card information and not sensitive information such as Social Security numbers, driver’s license numbers, and bank account details.



However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches. Based on these findings, Imperva is making specific recommendations to consumers, businesses and the PCI DSS Council to improve the safety of consumers’ personal information.



The PCI DSS standard was put into effect to provide security guidelines to all businesses that handle credit card information to better protect consumers. Since it was enacted in June 2005, the number of data breaches and amount of credit card fraud has continued to rise.



According to the survey of more than 500 U.S. and multinational IT security practitioners at companies with an average of $5.6 billion in annual revenue:

  • 71% of respondents do not treat PCI as a strategic initiative, yet 79% have experienced a data breach involving the loss or theft of credit card information.

  • 55% of respondents focus only on credit card data protection and do not attempt to secure sensitive information such as Social Security numbers, driver’s license numbers, bank account details and other data about people and families.

  • 60% of respondents don’t think they have sufficient resources to comply with PCI and bring about a necessary level of cardholder security.

“Nobody is in business to be compliant. But there is a silver lining to this survey: if you protect consumers as required by the PCI DSS standard, there is an incredible opportunity to improve your overall security posture,” said Shlomo Kramer, Imperva’s CEO.



“Security departments are using PCI compliance as leverage to gain more budget, but these resources are not always translating into greater security for sensitive customer data,” said Larry Ponemon, chairman and founder, Ponemon Institute. “The results of our study indicate that while some companies have figured out how to convert PCI standards into an overall security mandate—many more have not.”

Smaller businesses struggle the most

The survey found that only 28% of smaller companies (501-1000 employees) comply with PCI as opposed to 70% of larger companies (75,000 or more employees).



“Companies devote 35% of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies,” explained Amichai Shulman, Imperva’s CTO. “This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs.”



“The PCI Security Standards and the card brands must update the PCI-DSS so that it’s risk-based, depending on the system configuration of the complying company. The ‘one size fits all’ approach of the current standard imposes unreasonable requirements on many companies that have simple networks, or have implemented security technologies that aren’t included in the PCI standards, but provide equal or greater levels of protection,” said Avivah Litan, Vice President and Distinguished Analyst with Gartner Research in a May 2009 report, “Moving Beyond PCI at Visa’s Global Security Summit.”

Companies that take a strategic approach to PCI compliance have fewer data breaches

The PCI DSS standard has the potential to make a powerful impact on corporate IT security initiatives. The survey shows that 27% of companies believe that PCI-DSS compliance is positively contributing to their organizations’ security posture and are taking a strategic approach to compliance. In fact, companies that were fully PCI compliant had fewer breaches than those that were not compliant. However, the majority (73%) of respondents have achieved PCI compliance using a basic, checklist approach.

Imperva’s recommendations to consumers, businesses and the PCI DSS Council

To coincide with the October 31st deadline for input on changing PCI-DSS standards, Imperva is providing recommendations to consumers, businesses and the PCI DSS Council.

For PCI-DSS Council

  • Have a compliance logo for consumers. Today, companies can’t articulate their security efforts to consumers, and consumers are not aware of the compliance status of the retailers they do business with. As a consequence, companies cannot leverage their investment in PCI compliance to gain competitive advantage.

  • Modify compliance needs for larger and smaller companies. Smaller companies need to have a modified standard that takes into account different environments and security needs.

Consumer recommendations

  • Look for PCI compliant companies. In general, companies that were compliant suffered fewer breaches. Although compliance doesn’t guarantee perfect security, it helps the odds.



Business recommendations


  • Use PCI to bring about a broader, more effective security program.

  • Use PCI as a way to get senior management aware of and involved in IT security. PCI creates a business case that is tightly coupled to information security.

  • Assign a clear champion who owns and drives PCI as well as security, and who is strongly empowered to direct the many teams whose support is needed. Without a clear champion, security—and compliance—will suffer.





For more information



Listen to Imperva’s Chief Security Strategist Brian Contos interview Dr. Larry Ponemon in a podcast or download the transcript.



About The Ponemon Institute



The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. Visit the Ponemon Institute at www.ponemon.org.

About Imperva



Imperva, the Data Security leader, enables a complete security lifecycle for business databases and the applications that use them. Over 4,500 of the world’s leading enterprises, government organizations, and managed service providers rely on Imperva to prevent sensitive data theft, protect against data breaches, secure applications, and ensure data confidentiality. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user and is recognized for its overall ease of management and deployment. For more information, visit www.imperva.com.

# # #

Voltage Security First to Combine Encryption, Tokenization and Data Masking in Single Platform to Reduce PCI Audit Scope

Provides Widest Set of Data Protection Options With Most Rapid Deployment

LAS VEGAS, NV--(Marketwire - September 23, 2009) - PCI SSC 2009 Community Meeting -- Voltage Security, Inc. (www.voltage.com), the global leader in end-to-end data protection, today announced it has extended Voltage SecureData™ by adding tokenization and data masking capabilities to the existing encryption functionality, enabling the end-to-end protection of data, such as credit card numbers, in applications and databases. These additions make Voltage SecureData the most comprehensive end-to-end data protection solution available, giving customers the widest choice of protection options to simplify implementation, reduce PCI audit scope and lower costs.







Now, when combined with Voltage SecureMail and Voltage SecureFile, all supported by Voltage's common stateless key management approach, these solutions together form the first true end-to-end data protection platform with a single developer interface, common policy framework and centralized stateless key management.



"The addition of tokenization and data-masking allows customers to significantly reduce the likelihood of an expensive data breach while lowering overall PCI compliance costs, without adding to their IT administrative burden," said Mark Bower, vice president of product management at Voltage Security. "Voltage can now meet the most common use cases for online and offline data protection, with true stateless key management. This is something no other tokenization or encryption solution can do."






According to a recent Mercator Advisory Group Report, enterprises now spend, on average, more than $6.65 million to recover from a single data breach.(1) "A data breach could kill a company," notes Mercator principal analyst George Peabody, "but tokenization and encryption are two technologies that enable a merchant to mitigate the risk of breach."



Voltage SecureData now includes encryption, tokenization, data de-identification and masking for protection for all types of structured and unstructured data. This includes primary account numbers (PANs), Social Security Numbers (SSNs), national insurance numbers, driver's license numbers, birth dates, files, images and other types of sensitive and private information. And, as part of the Voltage End-to-End Data Protection platform, all of these capabilities are supported by a unified architecture that offers a single developer interface, centralized administration for system configuration, policy management and key management.



Examples of how customers can harness the power of Voltage SecureData include:

  • End-to-end encryption of sensitive card data for authorization and settlement within payment systems

  • Encryption and/or tokenization of card data stored in databases and used by business applications, such as resolving charge-backs, or for post-settlement processes

  • Data masking and data de-identification for test and outsourced environments -- including packaged applications like Oracle E-Business Suite, PeopleSoft, Siebel, J.D. Edwards and Baan, reducing risk of inadvertent exposure of sensitive information

Voltage customers enjoy these benefits and more:

  • Reduced PCI audit scope, costs and impact. Voltage SecureData provides production-ready data protection in 60 days or less.

  • Avoidance of brand-damaging, costly breaches. Enterprises can move beyond compliance to provide data protection across mainframes, open systems, embedded devices, and mobile platforms.

  • Lowered IT administration burden and overhead. Unlike traditional data protection solutions, Voltage SecureData supports existing infrastructure, IT processes and policies and requires very little administration time.



Tokenization




Tokenization protects against data breaches by replacing primary account numbers (PANs) and other sensitive data with a different value, a "token." The PANs and matching tokens are stored in an encrypted database (the vault), and the organization uses the token, instead of the PAN, to process and record transactions within its own systems. If hackers gain access to those systems, they only receive meaningless tokens and are unable to sell or use customer information. That holds only as long as the vault and its detokenization interface are segregated from those systems: an attacker who can call the detokenize function gets the PAN back, so access to it must be tightly controlled and logged.



In addition to improving data security, tokenization helps to limit the scope of a merchant's PCI audit and outsource liability in the event of a data breach -- an appealing combination to cost-conscious merchants, according to the Mercator Advisory Group. Recently, the amount of regulation related to data protection has risen dramatically, with 44 states passing breach notification laws, the Fair and Accurate Credit Transactions Act (FACTA) and new privacy stipulations within the Health Information Technology for Economic and Clinical Health Act (HITECH). Analysts have reported that the amount large merchants have had to spend to achieve PCI compliance has increased dramatically over time.



One of the biggest contributors to those rising costs is the expense of PCI audits. However, when an application or database uses tokens instead of actual account numbers, that system generally falls outside of the scope of a PCI audit, provided the tokens cannot be turned back into PANs without going through the vault. The vault itself, and any system permitted to detokenize, remains squarely in scope. As a result, organizations that use Voltage SecureData tokenization capabilities can reduce the size and expense of their audits.



Data Masking



In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. That means companies must address quality assurance, test, application development, and outsourced systems -- not just production systems.



Voltage SecureData, which already provides dynamic data protection for production systems, now also provides the widest range of data masking and data de-identification options for non-production data and outsourced environments while preserving geographic and statistical relationships in the data. In addition, customers can take advantage of application metadata and automated masking rules for packaged applications such as Oracle E-Business Suite, PeopleSoft, Siebel, JD Edwards and Baan.



Voltage SecureData Masking is powered by Solix Technologies, Inc. (www.solix.com), a leading provider of enterprise data management solutions used by large enterprise customers to manage business critical data.



Technology Innovations for End-to-End Data Protection




Several technological innovations make it possible for most customers to deploy secure data end-to-end in just weeks. First, Voltage Format-Preserving Encryption (FPE) enables data values to be encrypted while retaining their original length and format. In other words, a 16-digit credit card number is replaced with an encrypted value that is still 16 digits with the same structure, and, as a result, organizations do not need to make time-consuming modifications to applications or database schema; the ciphertext fits wherever the plaintext did. Second, Voltage Identity-Based Encryption (IBE) uses simple common identities, such as an email address, as public keys. That removes the need to distribute and store per-recipient public keys or certificates (a key server derives each private key from a master secret on demand), dramatically reducing administrative burden.



Pricing & Availability



Voltage SecureData Tokenization and Data Masking solutions are available in October with starter kits for production applications from $65K.



About Voltage Security



Voltage Security, Inc., an enterprise security company, is an encryption innovator and global leader in end-to-end data protection. Voltage solutions, based on next generation cryptography, provide end-to-end encryption, tokenization, masking and stateless key management for protecting valuable, regulated and sensitive information based on policy. Voltage products enable reduction in audit scope with rapid implementation and the lowest total cost of ownership in the industry through the use of award-winning cryptographic solutions, including Voltage Identity-Based Encryption™ (IBE) and a new breakthrough innovation: Format-Preserving Encryption™ (FPE). Offerings include Voltage SecureMail™, Voltage SecureData™, Voltage SecureFile™ and the Voltage Security Network™ (VSN), an on-demand managed service for the extended business network.



As a service to the industry and general public, the company maintains the Voltage Data Breach Index and Map which is continuously updated with global data breach information: www.voltage.com/data-breach. The Company has been issued several patents based upon breakthrough research in mathematics and cryptographic systems. Customers include Global 1000 companies in banking, retail, insurance, energy, healthcare and government. To learn more about Voltage customers and sign up for the customer news letter please visit www.voltage.com/customers.



Voltage Identity-Based Encryption, Voltage Format-Preserving Encryption, Voltage SecureMail, Voltage SecureFile, Voltage SecureData and the Voltage Security Network (VSN), are registered trademarks of Voltage Security, Inc. All other trademarks are property of their respective owners.



(1) George Peabody, Mercator Advisory Group: "Merchant Security, Tokenization and the Fairy tale of Outsourcing PCI," March 2009.


First Data and RSA Team on Tokenization





First Data and RSA Team Up To Provide Layered Security That Protects Merchant Card Data and Brand Equity

First Data® Secure Transaction ManagementSM Service Leverages Encryption and Tokenization Technology from EMC’s Security Division to Reduce Risk and Cost Associated with Processing Card Data and PCI Compliance
Atlanta, GA and Bedford, MA— First Data, a global leader in electronic commerce and payment processing services, and RSA, The Security Division of EMC (NYSE: EMC) have teamed up to provide a new service called First Data® Secure Transaction ManagementSM, which is engineered to enable merchants to secure payment card data and remove it from their environment while allowing access when needed. The new First Data Secure Transaction Management service, offered exclusively by First Data and powered by the RSA SafeProxy™ architecture, is designed to dramatically reduce the cost and complexity of complying with the Payment Card Industry Data Security Standard (PCI DSS).



By using the First Data Secure Transaction Management service, payment card data is encrypted at the time it is captured by the merchant's existing point-of-sale application and remains encrypted until it is securely delivered to the First Data authorization switch where decryption occurs. Once authorized through the switch, the card number is replaced by a "token" value that cannot be linked back to the original card data, but otherwise behaves like a card number. This enables the merchant to eliminate card numbers from various business applications without the need for costly application or point-of-sale hardware modifications. When needed, merchants can access the original card number through a secure vault that First Data maintains for controlled authorized look-ups. This outsourced service helps merchants to reduce the risks associated with the loss of cardholder data, avoid fines, and help prevent the loss of brand equity and trust.
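The vault side of the flow just described, and of the Voltage Tokenization and Data Masking sections above, as an added Python example; it is not code from First Data, RSA or Voltage. It shows a token that keeps the PAN's length, digit-only structure and last four (so it "otherwise behaves like a card number"), a keyed index so tokenizing the same PAN twice returns the same token without ever using the plaintext PAN as a lookup key, an allow-list on detokenization standing in for the "controlled authorized look-ups", masking for display, and a BIN-preserving synthetic PAN for non-production data. Everything beyond that is an assumption: tokens are drawn at random rather than produced by Format-Preserving Encryption, the PAN store is an in-memory dict standing in for an encrypted database, tokens are deliberately made to fail the Luhn check so a leaked token can never pass as a real PAN, and the encryption of card data between the POS and the switch is out of scope.

```python
"""Tokenization vault with format-preserving tokens, masking and test-data
de-identification.

Added example; not code from Voltage, First Data or RSA. Assumptions (not
stated on the page): tokens are random rather than produced by Format-
Preserving Encryption; the last four digits are kept so a token still
"behaves like a card number" on receipts; tokens are forced to fail the Luhn
check so a leaked token can never pass as a real PAN; the PAN store is an
in-memory dict standing in for an encrypted database; detokenization is
gated by a caller allow-list; POS-to-switch transport encryption is out of
scope.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The one digit that makes partial + digit Luhn-valid."""
    for d in DIGITS:
        if luhn_valid(partial + d):
            return d
    raise AssertionError("unreachable: exactly one check digit exists")


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def synthetic_pan_for_test(pan: str) -> str:
    """Non-production de-identification: keep the BIN (first six) so issuer and
    brand distributions survive, randomise the account part, and recompute the
    check digit so test code that validates Luhn keeps working."""
    middle = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 7))
    partial = pan[:6] + middle
    return partial + luhn_check_digit(partial)


class TokenVault:
    """Issues tokens, keeps the token->PAN mapping, and gates detokenization."""

    def __init__(self, index_key: bytes, authorized_callers) -> None:
        self._index_key = index_key           # key for the PAN lookup index
        self._authorized = set(authorized_callers)
        self._by_token = {}                   # token -> PAN (encrypted DB in real life)
        self._by_index = {}                   # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        # Keyed hash: the index cannot be brute-forced over the PAN space
        # without the key, and plaintext PANs are never used as dict keys.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length, all digits, last four preserved, never Luhn-valid,
        # never equal to an existing token or to the PAN itself.
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Store the PAN and hand back a token; the same PAN always maps to the same token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        token = self._new_token(pan)
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Controlled lookup: only allow-listed services get the PAN back."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._by_token[token]          # KeyError for an unknown token


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), {"chargeback-service"})
    pan = "4111111111111111"                  # constructed, Luhn-valid test PAN
    tok = vault.tokenize(pan)
    print("token      :", tok, "(Luhn-valid:", luhn_valid(tok), ")")
    print("display    :", mask_pan(pan))
    print("test copy  :", synthetic_pan_for_test(pan))
    print("chargeback :", vault.detokenize(tok, "chargeback-service"))
```

The point of the allow-list is the caveat from the Tokenization section: every application that holds only tokens is out of the attacker's reach only while it cannot call `detokenize`, so the set of callers that can should be as small as the chargeback and settlement processes that genuinely need the PAN.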



"The increasing need for data protection and the growing complexity of PCI DSS compliance are driving merchants to evolve their business strategies for securing customers' sensitive information," said Robert Vamosi, security/risk & fraud analyst for Javelin Strategy & Research. "Organizations that can employ a layered approach to data security, one that capitalizes on the inherent advantages of encryption, tokenization and other technologies, will be well positioned to protect card data and reduce the scope of PCI compliance."



The First Data Secure Transaction Management service is powered by the RSA SafeProxy™ architecture, which employs a unique combination of tokenization, advanced encryption and public-key technologies that are engineered to provide merchants with the capability to eliminate credit card data from their environments without loss of business functionality or massive rewrites of applications.



"Payment card data protection and PCI compliance are some of the most significant challenges that our merchant customers face today. Addressing these challenges is both complex and costly," said Michael Capellas, chairman and chief executive officer of First Data. "The simplicity of integrating encryption with tokenization through the First Data Secure Transaction Management service dramatically redefines how merchants of all kinds manage and protect their customer payment data."



"To comply with the PCI DSS and reduce risk, organizations need security controls built into their infrastructure, and not bolted on," said Art Coviello, executive vice president, EMC Corporation and president, RSA, The Security Division of EMC. "Rather than addressing security risks by deploying disparate point controls throughout their infrastructure, First Data Secure Transaction Management provides organizations with a simplified and scalable solution that helps radically reduce management complexity and costs."

About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries. For more information, visit www.firstdata.com.

About RSA
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used.



RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.



Supporting Resources:

Michael Capellas and Art Coviello Discuss New Alliance


SpiderLabs to Deliver Briefings at SecTor





Members of Trustwave's SpiderLabs to Deliver Briefings at SecTor



CHICAGO (September 23, 2009) -PIN Payments News Blog- Security experts from Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world, will deliver several briefings at SecTor in Toronto, October 5-7, 2009. The presentations will be delivered by members of SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, penetration testing and application security.



Nicholas J. Percoco and Jibran Ilyas will present Malware Freakshow, which will review the intricate details of three very interesting types of malware found during real-life forensic investigations. Ranging from simple to very complex, the malware discovered during these investigations is advanced software written by very skilled developers.



Trustwave's SpiderLabs has found that skilled malware developers are shifting their attack vectors from broad attacks compromising as many targets as possible to targeted attacks against specific point-of-sale (POS) systems and specific environments. Despite the varying degrees of difficulty to implement the malware, the end result of each attack is the theft of confidential data leading to significant fraud and business loss for the organizations where it was found. These new malware attack vectors are now categorized as cybercrime and the complexity in their propagation, control channels and data exporting properties will be discussed and demonstrated during the presentation.



Jon Rose, from Trustwave's SpiderLabs, will present, Deblaze – A Remote Method Enumeration Tool for Flex Servers, which will examine Flex technology and its inherent security risks.



As the Web evolves, Flex technologies provide businesses with faster, better and sleeker Internet applications. Flex is being deployed with increasing regularity without proper understanding of the security risks involved during implementation. As these new types of Internet applications gain a larger base within businesses, attackers also shift their focus towards subverting these technologies for financial gain.



Trustwave's SpiderLabs, one of the few groups with working knowledge and experience testing Flex technologies, has developed a testing tool called Deblaze. Deblaze enumerates the remote methods a Flex server exposes, so testers can verify that the proper controls are in place to prevent unauthorized access to application functionality and data. This talk demonstrates how to use Deblaze, discusses the emerging security risks posed to Flex servers, and covers mitigation techniques.



SpiderLabs' Chris Pogue will present, Sniper Forensics – Changing the Landscape of Modern Forensics and Incident Response, which will look at live analysis tools and techniques to target only the systems that are part of a breach.



Rather than imaging tens or hundreds of terabytes after a breach and loading those images into forensic software, live analysis tools and techniques allow incident responders to gather and review volatile data and RAM dumps using proven theories to target only the systems that are part of the compromise.



By using sound logic and data reduction based on forensic evidence extracted from live analysis, incident responders can introduce accuracy and efficiency into their casework at a level not available through any other means. Pogue will share tips, tools and techniques, and provide real-world examples of how live analysis can help change the landscape of modern forensic investigations, reduce the time spent on cases and increase accuracy.



"The experience and expertise of our advanced security team will teach attendees how to maintain an effective security posture against a multitude of different threats and how to properly respond to each," says Robert J. McCullen, chairman and CEO of Trustwave. "It's clear that attackers aren't slowing down; by sharing our findings businesses will understand the effectiveness of a layered security approach to protect their organization and the data it stores."

About Trustwave

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com/.


Trustwave Accredited in MasterCard's Point of Sale Terminal Security



Chicago, Sept. 22, 2009 -PIN Payments News Blog- Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world, has been certified to perform compliance evaluations against MasterCard’s Point of Sale Terminal Security (PTS) program. Trustwave is one of a few approved laboratories worldwide.



MasterCard’s PTS program applies to the hardware portion of the Point-of-Sale (POS) terminal and to applications that transmit card data across an open Internet Protocol (IP) or wireless connection. Payment terminal manufacturers seeking PTS compliance validation engage a firm such as Trustwave to perform an evaluation, similar to a penetration test, that verifies the POS conforms to the standards set forth by MasterCard.



The objective of the security evaluation program for IP-enabled POS devices is to ensure the necessary level of protection for transaction and cardholder data at merchants whose equipment supports the TCP/IP protocol suite. The security evaluation verifies that POS devices meet the relevant requirements for confidentiality, integrity and authentication of the communicating parties. This program complements existing MasterCard security programs that already address merchants or POS terminals, such as the Payment Card Industry Data Security Standard (PCI DSS) and PCI PIN Entry Devices (PED).



“Protecting the payment application landscape from malicious attacks is just one aspect of credit card security to which merchants must adhere,” says Robert J. McCullen, chairman and CEO of Trustwave. “Trustwave had to pass a skills test and secure its testing lab in order to gain approval to perform evaluations on compliance. We are very proud to have been certified by MasterCard and are happy to offer it as a service to our customers.”





Source: Company press release.


U.S. Largest Credit Unions




America's Largest Credit Unions

Ranked by total assets and how many members.



In total assets, these top 50 credit unions account for $228 billion of the $825 billion held by all U.S. credit unions. In members, the top 50 account for 19 million of the 90 million memberships.



Credit unions have become a major force on the financial landscape of America. Until recently, many members looked to credit unions just for auto loans. Now a much wider range of financial needs is being met, including mortgages, refinancing, credit cards, online bill payments, ATM services, and more. Expansion to underserved parts of the community is having an impact. Credit union employment now exceeds 258,000!



Top 50 by Assets

Rank. Name (city, state): total assets

1. Navy Federal Credit Union (Merrifield, VA): $36.4 billion
2. State Employees Credit Union (Raleigh, NC): $16.7 billion
3. Pentagon Federal Credit Union (Alexandria, VA): $13.0 billion
4. Boeing Employees Credit Union (Tukwila, WA): $8.6 billion
5. SchoolsFirst Federal Credit Union (Santa Ana, CA): $7.8 billion
6. The Golden 1 Credit Union (Sacramento, CA): $6.0 billion
7. Alliant Credit Union (Chicago, IL): $5.9 billion
8. Suncoast Schools Federal Credit Union (Tampa, FL): $5.9 billion
9. American Airlines Federal Credit Union (Ft. Worth, TX): $5.3 billion
10. Security Service Federal Credit Union (San Antonio, TX): $5.1 billion
11. America First Federal Credit Union (Ogden, UT): $4.6 billion
12. San Diego County Credit Union (San Diego, CA): $4.5 billion
13. Digital Federal Credit Union (Marlborough, MA): $4.5 billion
14. Kinecta Federal Credit Union (Manhattan Beach, CA): $4.2 billion
15. Patelco Credit Union (San Francisco, CA): $4.1 billion
16. Star One Credit Union (Sunnyvale, CA): $4.1 billion
17. Alaska USA Federal Credit Union (Anchorage, AK): $3.8 billion
18. Citizens Equity First Credit Union (Peoria, IL): $3.8 billion
19. VyStar Credit Union (Jacksonville, FL): $3.7 billion
20. ESL Federal Credit Union (Rochester, NY): $3.6 billion
21. Pennsylvania State Employees Credit Union (Harrisburg, PA): $3.3 billion
22. Wescom Central Credit Union (Pasadena, CA): $3.2 billion
23. Bethpage Federal Credit Union (Bethpage, NY): $3.2 billion
24. Desert Schools Federal Credit Union (Phoenix, AZ): $3.2 billion
25. State Farm Federal Credit Union (Bloomington, IL): $3.2 billion
26. Randolph-Brooks Federal Credit Union (Live Oak, TX): $3.1 billion
27. Police & Fire Federal Credit Union (Philadelphia, PA): $2.9 billion
28. Delta Community Credit Union (Atlanta, GA): $2.9 billion
29. Lockheed Federal Credit Union (Burbank, CA): $2.8 billion
30. Mountain America Federal Credit Union (West Jordan, UT): $2.8 billion
31. United Nations Federal Credit Union (Long Island City, NY): $2.8 billion
32. San Antonio Federal Credit Union (San Antonio, TX): $2.7 billion
33. Teachers Federal Credit Union (Farmingville, NY): $2.7 billion
34. Ent Federal Credit Union (Colorado Springs, CO): $2.6 billion
35. Bank Fund Staff Federal Credit Union (Washington, DC): $2.6 billion
36. OnPoint Community Credit Union (Portland, OR): $2.6 billion
37. Hudson Valley Federal Credit Union (Poughkeepsie, NY): $2.5 billion
38. Redstone Federal Credit Union (Huntsville, AL): $2.4 billion
39. Addison Avenue Federal Credit Union (Palo Alto, CA): $2.2 billion
40. Visions Federal Credit Union (Endicott, NY): $2.2 billion
41. DFCU Financial Federal Credit Union (Dearborn, MI): $2.1 billion
42. Coastal Federal Credit Union (Raleigh, NC): $2.1 billion
43. Eastman Credit Union (Kingsport, TN): $2.0 billion
44. Wings Financial Federal Credit Union (Apple Valley, MN): $2.0 billion
45. Bellco Credit Union (Greenwood Village, CO): $2.0 billion
46. First Technology Credit Union (Beaverton, OR): $1.9 billion
47. GTE Federal Credit Union (Tampa, FL): $1.9 billion
48. Mission Federal Credit Union (San Diego, CA): $1.9 billion
49. State Employees of Maryland Credit Union (Linthicum, MD): $1.9 billion
50. Teachers Credit Union (South Bend, IN): $1.9 billion

Top 50 by Membership

Rank. Name (city, state): members

1. Navy Federal Credit Union (Merrifield, VA): 3,194,292
2. State Employees Credit Union (Raleigh, NC): 1,498,062
3. Pentagon Federal Credit Union (Alexandria, VA): 864,803
4. The Golden 1 Credit Union (Sacramento, CA): 694,836
5. Security Service Federal Credit Union (San Antonio, TX): 681,353
6. Boeing Employees Credit Union (Tukwila, WA): 588,755
7. America First Federal Credit Union (Ogden, UT): 484,291
8. Suncoast Schools Federal Credit Union (Tampa, FL): 471,441
9. SchoolsFirst Federal Credit Union (Santa Ana, CA): 400,721
10. Digital Federal Credit Union (Marlborough, MA): 370,309
11. Desert Schools Federal Credit Union (Phoenix, AZ): 364,261
12. Pennsylvania State Employees Credit Union (Harrisburg, PA): 350,812
13. Alaska USA Federal Credit Union (Anchorage, AK): 348,933
14. VyStar Credit Union (Jacksonville, FL): 347,123
15. Wescom Central Credit Union (Pasadena, CA): 340,620
16. Mountain America Federal Credit Union (West Jordan, UT): 319,361
17. Redstone Federal Credit Union (Huntsville, AL): 304,825
18. Municipal Credit Union (New York, NY): 301,068
19. ESL Federal Credit Union (Rochester, NY): 298,288
20. Patelco Credit Union (San Francisco, CA): 297,626
21. GECU Credit Union (El Paso, TX): 281,983
22. Randolph-Brooks Federal Credit Union (Live Oak, TX): 278,971
23. Citizens Equity First Credit Union (Peoria, IL): 261,360
24. Teachers Credit Union (South Bend, IN): 254,871
25. San Antonio Federal Credit Union (San Antonio, TX): 248,548
26. State Employees of Maryland Credit Union (Linthicum, MD): 245,115
27. Alliant Credit Union (Chicago, IL): 234,003
28. Kinecta Federal Credit Union (Manhattan Beach, CA): 228,439
29. Arizona Federal Credit Union (Phoenix, AZ): 224,865
30. Hudson Valley Federal Credit Union (Poughkeepsie, NY): 214,769
31. American Airlines Federal Credit Union (Ft. Worth, TX): 212,362
32. Eastern Financial Florida Credit Union (Miramar, FL): 206,744
33. GTE Federal Credit Union (Tampa, FL): 203,376
34. San Diego County Credit Union (San Diego, CA): 201,254
35. Tinker Federal Credit Union (Tinker AFB, OK): 196,717
36. Ent Federal Credit Union (Colorado Springs, CO): 193,449
37. Keesler Federal Credit Union (Biloxi, MS): 191,474
38. OnPoint Community Credit Union (Portland, OR): 191,006
39. Teachers Federal Credit Union (Farmingville, NY): 189,227
40. Coastal Federal Credit Union (Raleigh, NC): 187,790
41. Kern Schools Federal Credit Union (Bakersfield, CA): 187,385
42. Bellco Credit Union (Greenwood Village, CO): 186,978
43. Grow Financial Federal Credit Union (Tampa, FL): 186,348
44. Virginia Credit Union, Inc. (Richmond, VA): 185,718
45. Community America Credit Union (Kansas City, MO): 184,042
46. Founders Federal Credit Union (Lancaster, SC): 183,968
47. Delta Community Credit Union (Atlanta, GA): 181,259
48. Truliant Federal Credit Union (Winston-Salem, NC): 181,191
49. Wright-Patt Credit Union (Fairborn, OH): 172,822
50. North Carolina Local Government Federal Credit Union (Raleigh, NC): 170,523


* Based on December 2008 data.

Largest U.S. Banks

United States' Largest Banks

The following list shows the largest banks in the U.S., as of May 30, 2008. Consolidated assets are listed in millions of dollars.

Rank. Name (city, state): consolidated assets

1. Citigroup (New York, N.Y.): $2,199,848
2. Bank of America Corp. (Charlotte, N.C.): $1,743,478
3. J. P. Morgan Chase & Company (Columbus, Ohio): $1,642,862
4. Wachovia Corp. (Charlotte, N.C.): $808,575
5. Taunus Corp. (New York, N.Y.): $750,323
6. Wells Fargo & Company (San Francisco, Calif.): $595,221
7. HSBC North America Inc. (Prospect Heights, Ill.): $493,010
8. U.S. Bancorp (Minneapolis, Minn.): $241,781
9. Bank of New York Mellon Corp. (New York, N.Y.): $205,151
10. SunTrust, Inc. (Atlanta, Ga.): $178,986
11. Citizens Financial Group, Inc. (Providence, R.I.): $161,759
12. National City Bank (Cleveland, Ohio): $155,046
13. State Street Corp. (Boston, Mass.): $154,478
14. Capital One Financial Corp. (McLean, Va.): $150,608
15. Regions Financial Corp. (Birmingham, Ala.): $144,251
16. PNC Financial Services Group, Inc. (Pittsburgh, Pa.): $140,026
17. BB&T Corp. (Winston-Salem, N.C.): $136,417
18. TD Banknorth, Inc. (Portland, Maine): $118,171
19. Fifth Third Bancorp (Cincinnati, Ohio): $111,396
20. KeyCorp (Cleveland, Ohio): $101,596
21. Northern Trust Corp. (Chicago, Ill.): $77,480
22. BancWest Corp. (Honolulu, Hawaii): $74,808
23. Harris Financial Corp. (Wilmington, Del.): $69,172
24. Comerica Incorporated (Dallas, Tex.): $67,167
25. M&T Bank Corp. (Buffalo, N.Y.): $66,085
26. Marshall & Ilsley Corp. (Milwaukee, Wis.): $63,432
27. BBVA USA Bancshares, Inc. (The Woodlands, Tex.): $59,953
28. UnionBanCal Corporation (San Francisco, Calif.): $57,933
29. Huntington Bancshares, Inc. (Columbus, Ohio): $55,985
30. Zions Bancorporation (Salt Lake City, Utah): $53,597

Source: Federal Reserve System, National Information Center.

Credit Card Transaction Overview 101

Originally Posted on Technical  Notes



Glossary of Terms



  • Customer: A customer is the one who purchases goods or services.

  • Cardholder: A person who is the owner of the card issued by the bank.

  • POS: Point of sale or point of service (POS or PoS) can mean a retail shop, a checkout counter in a shop, or the location where a transaction occurs.

  • Merchant: Merchant is the one who sells commodities to consumers (including businesses). A shop owner is a retail merchant.

  • Acquiring bank: An Acquiring bank (or acquirer) is the bank or financial institution that accepts payments for the products or services on behalf of a merchant.

  • Card Issuer: An issuing bank is a bank that offers card association branded payment cards directly to consumers.

  • Card Association: A card association is a network of issuing banks and acquiring banks that process payment cards of a specific brand. Familiar payment card association brands include Visa, MasterCard, American Express, Discover, Diners Club, and JCB.

1 Credit Cards

A credit card is part of a system of payments named after the small plastic card issued to users of the system. The issuer of the card grants a line of credit to the consumer (the cardholder), from which the cardholder can borrow money to pay a merchant.

Credit cards allow the consumers to ‘revolve’ their balance, at the cost of having interest charged.



1.1 Monthly Billing Cycle


The issuer generates a credit card bill on a predetermined day of the month. The customer should pay it before the due date at the end of the grace period; otherwise a late payment fee is charged.



1.2 Grace period


A credit card’s grace period is the time within which the customer has to pay the balance before interest is charged to the balance. Grace periods vary, but usually range from 20 to 40 days depending on the type of credit card and the issuing bank.



1.3 Late Payment


If you carry a balance, credit cards function like very expensive loans. The credit card company allows you to pay off what you owe little by little each month, as long as you pay a minimum amount each time. In exchange, you pay interest on the balance you owe (as high as 29% each year) at the end of each period.

2 How do credit card companies make money?

Credit card companies earn high profits in several ways.

  • High rates of interest — interest on credit cards accounts for the bulk of the profits earned by banks that issue credit cards.

  • Annual fees.

  • Late fees, over-the-limit fees, and other miscellaneous charges.

  • Charging merchants and service providers a fee each time a customer uses the company’s credit card in the merchant’s establishment.

3 Overview of Credit Card Processing

Signature-based (non-PIN-based) credit card transactions are a two-step process, consisting of an authorization and a settlement.



3.1 Authorization


Authorization is a verification step that happens at the time of purchase and lets the merchant confirm that the customer’s account is valid and that sufficient credit is available to cover the transaction’s cost.



The verification takes place using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant’s acquiring bank. Data from the card is read from the magnetic stripe or chip on the card.


At this step, the funds are "held" and deducted from the customer’s credit limit (or bank balance, in the case of a debit card) but are not yet transferred to the merchant. Upon placing a hold, this amount will become unavailable either until the merchant clears the transaction (also called settlement), or the hold "falls off." In the case of credit cards, holds may last as long as 30 days, depending on the issuing bank.



3.2 Canceling an authorization hold


The merchant can cancel an authorization hold if the merchant uses an acquirer that supports a process known as authorization reversal. Different acquirers place different restrictions on the conditions that must be met for the merchant to make an authorization reversal, but typically the reversal must be made very shortly (generally within a minute) after the original authorization. Where the merchant cannot perform a reversal but wishes to cancel the authorization, the merchant typically contacts the acquirer by telephone. Alternatively, the cardholder may contact the issuing bank to request cancellation.



3.3 Batching


Authorized transactions are stored in "batches", which are sent to the acquirer. Batches are typically submitted once per day at the end of the business day. If a transaction is not submitted in a batch, the authorization stays valid for a period determined by the issuer, after which the held amount is returned to the cardholder’s available credit. Some transactions may be submitted in the batch without a prior authorization: either transactions falling under the merchant’s floor limit, or ones where the authorization was declined but the merchant still attempts to force the transaction through. A forced transaction carries no approval code, so the merchant bears the risk: "No authorization" is one of the chargeback reasons listed in section 4.2.



3.4 Clearing and Settlement


The acquirer sends the batch transactions through the credit card association, which debits the issuers for payment and credits the acquirer. Essentially, the issuer pays the acquirer for the transaction.



3.5 Funding


Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch minus the "discount rate," which is the fee the merchant pays the acquirer for processing the transactions.





3.6 Process Flow Diagram

Below we have depicted Authorization, Batching, Clearing and Settlement, and Funding in a process flow diagram.

[Figure: Credit Card Transaction Lifecycle 1]

4 Chargebacks

A chargeback is an event in which money in a merchant account is held back because of a dispute relating to the transaction. The cardholder typically initiates chargebacks. In the event of a chargeback, the issuer returns the transaction to the acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it.

The card-issuing bank investigates the dispute and "charges back" the value of the original transaction directly from the merchant’s acquiring bank, which is obligated under card network rules to pay the card issuer. The merchant’s acquirer then attempts to recover an equal value plus a processing fee from the merchant’s bank account. Chargebacks are typically passed on to the merchant as a matter of acquirer policy unless the merchant can prove the transaction was legitimate, or that goods and services were rendered to a customer claiming otherwise.

Sometimes the consumer’s dispute is unfounded and the refund claim is denied. Even in these situations the merchant might still have to pay a processing fee.

In cases of credit card fraud, the merchant loses:

  • The goods or services sold.

  • The fees for processing the payment

  • Any currency conversion commissions

  • The processing fee for chargeback

For obvious reasons, many merchants take steps to avoid chargebacks, such as not accepting suspicious transactions. This can cause collateral damage: the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions.
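The lifecycle in sections 3.1 through 3.5 and the chargeback in section 4, walked through in an added Python model. This is example code written for this page, not code from the original post or from any card network, issuer or processor. The Issuer, Acquirer and Transaction objects, the "card-0001" account label, the 1000 credit limit, the 2.5% discount rate, the 15 chargeback fee, the 50 floor limit and every amount are constructed for illustration; real discount rates, floor limits, hold lifetimes and reversal windows are set by the issuer, acquirer and network and vary.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

D = Decimal


@dataclass
class CardAccount:                 # issuer-side view of one cardholder account
    credit_limit: Decimal
    posted: Decimal = D("0")       # cleared charges
    holds: Dict[str, Decimal] = field(default_factory=dict)   # auth_id -> held amount

    @property
    def available(self) -> Decimal:   # a hold reduces available credit before any money moves
        return self.credit_limit - self.posted - sum(self.holds.values(), D("0"))


@dataclass
class Transaction:
    pan: str                       # constructed account label, not a real card number
    amount: Decimal
    auth_id: Optional[str] = None  # None: no authorization was obtained
    state: str = "new"             # new | authorized | reversed | batched | cleared | charged_back


class Issuer:
    def __init__(self, accounts: Dict[str, CardAccount]) -> None:
        self.accounts, self._seq = accounts, 0

    def authorize(self, txn: Transaction) -> bool:      # 3.1: place a hold, transfer nothing
        acct = self.accounts[txn.pan]
        if txn.amount > acct.available:
            return False
        self._seq += 1
        txn.auth_id, txn.state = f"A{self._seq:04d}", "authorized"
        acct.holds[txn.auth_id] = txn.amount
        return True

    def release_hold(self, txn: Transaction) -> None:   # 3.2: reversal (or the hold falling off)
        self.accounts[txn.pan].holds.pop(txn.auth_id, None)
        txn.state = "reversed"

    def clear(self, txn: Transaction) -> Decimal:       # 3.4: the hold becomes a posted charge
        acct = self.accounts[txn.pan]
        acct.holds.pop(txn.auth_id, None)               # floor-limit transactions have no hold
        acct.posted += txn.amount
        txn.state = "cleared"
        return txn.amount                               # what the issuer pays the acquirer

    def chargeback(self, txn: Transaction) -> Decimal:  # 4: re-credit cardholder, pull value back
        self.accounts[txn.pan].posted -= txn.amount
        txn.state = "charged_back"
        return txn.amount


@dataclass
class Acquirer:                    # serves a single merchant in this toy model
    discount_rate: Decimal         # assumed merchant discount rate
    chargeback_fee: Decimal        # assumed per-chargeback processing fee
    floor_limit: Decimal           # assumed floor limit under which no authorization is required
    merchant_balance: Decimal = D("0")                        # funds paid out to the merchant
    batch: List[Transaction] = field(default_factory=list)

    def accept_into_batch(self, txn: Transaction) -> bool:
        # 3.3: batch authorized transactions and unauthorized ones under the floor limit. An unauthorized
        # one over the floor limit would be "forced"; refuse it rather than carry the "No authorization" risk.
        if txn.state == "authorized" or (txn.auth_id is None and txn.amount <= self.floor_limit):
            txn.state = "batched"
            self.batch.append(txn)
            return True
        return False

    def settle_and_fund(self, issuer: Issuer) -> Decimal:   # 3.4 + 3.5: clear, then fund net of discount
        gross = sum((issuer.clear(t) for t in self.batch), D("0"))
        self.batch = []
        funded = (gross * (D("1") - self.discount_rate)).quantize(D("0.01"))
        self.merchant_balance += funded
        return funded

    def process_chargeback(self, issuer: Issuer, txn: Transaction) -> Decimal:   # 4: value plus fee
        debit = issuer.chargeback(txn) + self.chargeback_fee
        self.merchant_balance -= debit
        return debit


def run_example() -> dict:
    issuer = Issuer({"card-0001": CardAccount(credit_limit=D("1000"))})
    acct = issuer.accounts["card-0001"]
    acquirer = Acquirer(discount_rate=D("0.025"), chargeback_fee=D("15"), floor_limit=D("50"))
    sale, mistaken = Transaction("card-0001", D("250")), Transaction("card-0001", D("100"))
    holds_ok = [issuer.authorize(t) for t in (sale, mistaken)]
    available_after_auths = acct.available           # 1000 - 250 - 100 held
    issuer.release_hold(mistaken)                    # 3.2: the 100 hold is released
    available_after_reversal = acct.available
    small, forced = Transaction("card-0001", D("40")), Transaction("card-0001", D("600"))  # neither authorized
    batched = [acquirer.accept_into_batch(t) for t in (sale, small, forced)]   # the forced one is refused
    funded = acquirer.settle_and_fund(issuer)        # (250 + 40) * (1 - 0.025)
    debit = acquirer.process_chargeback(issuer, sale)   # cardholder disputes the 250 sale
    return {"holds_ok": holds_ok, "available_after_auths": available_after_auths,
            "available_after_reversal": available_after_reversal, "batched": batched, "funded": funded,
            "chargeback_debit": debit, "merchant_balance": acquirer.merchant_balance,
            "available_at_end": acct.available, "states": [t.state for t in (sale, mistaken, small, forced)]}
```

Running run_example() shows the two holds reduce available credit to 650 before any money has moved, the reversal restores the 100, the 600 transaction with no approval is refused at batching rather than forced through, the merchant is funded 282.75 on the 290 batch after the discount rate, and the chargeback on the 250 sale costs the merchant 265 (value plus fee) while the cardholder's posted balance drops back to the 40 floor-limit purchase.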



4.1 Process Flow Diagram Files

[Figure: Credit Card Transaction Lifecycle 2]

4.2 Some of the reasons for a chargeback


  • Cardholder requests a copy of the transaction receipt.

  • Cardholder did not authorize the transaction.

  • Non-matching account number.

  • Transaction was processed more than once.

  • Refund not processed.

  • No authorization.

  • Customer never received services.

  • Card not used within its valid expiration date.

  • Error in transaction amount.

  • Transaction receipt is incorrect, incomplete, or illegible.

  • Transaction processed for incorrect amount.

  • Product different from what was described or promised.

  • Transaction not processed within Visa or MasterCard time frames.

  • Signature on receipt differs from the card.

  • Cardholder claims merchant changed the transaction amount without permission.

  • Merchant knowingly participated in a fraudulent transaction.

  • Incorrect transaction date.

  • Cardholder claims an invalid mail or telephone order transaction.

  • Cardholder was denied the ability to return the item.

  • Transaction was not cancelled successfully.

  • Cardholder not satisfied with the quality of the product or services.

A buyer initiating a false chargeback after receiving the goods or services is itself committing fraud.


