Tuesday, July 7, 2009

7-Eleven Takes Lead Role in Credit Card Fee Fight

7-Eleven leads fight against what it calls excessive credit card fees | News for Dallas, Texas | Dallas Morning News | Dallas Business News
By MARIA HALKIAS / The Dallas Morning News
mhalkias@dallasnews.com

7-Eleven Inc. is using its 6,300 U.S. stores to send a message to Washington and the credit card industry.


Starting this week, the Dallas-based convenience store operator hopes to solicit 1 million signatures on petitions calling for Congress to change what the chain says are unfair and excessive credit card transaction fees.

Credit card companies charge retailers a fee for every transaction. The size of the purchase doesn't matter. And retailers have no power to negotiate the fees, they say.

For convenience stores alone, the fees totaled $8.4 billion last year, up 10.5 percent from 2007. That's more than the $5.2 billion the industry made in profit, the National Association of Convenience Stores says.

7-Eleven, which alone paid $160 million to credit card companies last year, is leading the lobbying effort, working with the association, which represents 146,000 stores nationwide. The efforts come as the sweeping credit card rules that Congress passed go into effect in February prohibiting certain fees on consumers.

Petitions are prominently displayed at 7-Eleven checkout counters.

Continue Reading at The Dallas Morning Herald





PayPal Opens Platform to 3rd Party Developers

From Finextra:

PayPal woos third party developers with Adaptive Payments

PayPal is set to open up its platform to third party developers in a move the firm says will make it easier for them to make money from their ideas.

The new application programming interface (API), called Adaptive Payments, will give developers more flexibility in building apps that move money between PayPal accounts.

The API allows straight payments from customers to the PayPal accounts of receivers such as owners of Web sites or widgets on social networking sites.

It also means developers can build applications for "parallel payments", enabling a sender to make a payment to multiple receivers.

PayPal says this means users can set up a shopping cart that enables buyers to pay for items from several merchants with one payment. The cart would allocate the payment to merchants who actually provided the items.

In addition, "chained payments" will enable a sender to make a single payment to a "primary receiver", who can then keep a part of it and send the rest to "secondary receivers".

The firm says this could be used by companies such as online travel agencies which handle bookings for airfares, hotel reservations and car rentals. The primary receiver allocates their commission with the secondary receivers then getting their share of the payment.

The new API is similar to Amazon's Flexible Payments Service, which was launched in beta in 2007 as part of the e-commerce giant's attempt to muscle in on PayPal's territory.

However, in a blog post responding to TechCrunch, which broke the story, Osama Bedier, VP, platform and emerging technology, PayPal, insists Adaptive Payments is "not an effort to 'crush Amazon's fledgling payment service'".

Security in a Post-Heartland World

Understanding How PCI-Compliant Companies Can Be Breached: Security in a Post-Heartland World

Dublin - Research and Markets has announced the addition of Javelin Strategy & Research's new report "Understanding How PCI-Compliant Companies Can Be Breached: Security in a Post-Heartland World" to their offering.

The Payment Card Industry Data Security Standard (PCI DSS) raises the high water mark for data security. But there's a persistent myth that PCI compliance equals security. The reality is that PCI is only a baseline, and one that needs to be monitored constantly as the threat landscape changes. In the months following what may be the largest data breach in U.S. history at Heartland Payment Systems, many people are wondering if PCI is effective. In response, the PCI Security Standards Council has released new guidance around risk-based compliance and Qualified Security Assessor (QSA) reviews and remediation. But will these be enough to calm the concerns that merchants have with PCI? This report includes an update of PCI, an overview of emerging technologies, and lessons learned from the Heartland breach. Hashing, tokenization, end-to-end encryption, and Chip and PIN are covered in depth.

Primary Questions

- Does PCI compliance equal security?
- Which are the most common requirements not met by previously PCI-certified firms?
- What has been learned about the Heartland breach?
- How can merchants store PAN data without violating PCI?
- What are the emerging technologies that can help merchants take PAN data out of scope for PCI compliance?

Methodology

This report is based on data collected online from a random-sample panel of 2,339 respondents in September 2008. The survey targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Overall margin of sampling error is 2.03% at the 95% confidence level, for 2008. The report was also based on interviews with executives from the PCI Council, Heartland, and eight security vendors.

Companies Mentioned:

- Merchant Bank
- PCI Security Standards Council
- Trustware
- Merrick Bank
- Princeton Payments Solutions
- U.S. Department of Veterans Affairs
- Micheals
- Qualys
- Veracode
- National Retail Association
- RBS WorldPay
- VeriSign
- NT Objectives
- Securosis
- Verizon
- nuBridges
- Shift4
- Visa
- Ounce Labs
- T-Mobile
- WhiteHat Security
- Payments Software Company
- The Cadence Group
- Paymetrics
- TJX

For more information visit http://www.researchandmarkets.com/research/3113c7/understanding_how






Microsoft Video-ActiveX Trojan Discovered

Hackers using Active X flaw for remote code execution - Computer Business Review : News
Published:07-July-2009

By Kevin White

Security researchers warn on Video ActiveX Control vulnerability

Potential cybercriminals have been found to be inserting a data-stealing Trojan onto PCs left vulnerable by a flaw in the Microsoft Video ActiveX Control, security experts have warned today.

The discovery, which was made yesterday by researchers in China and since confirmed by several authoritative security software vendors, enables remote code execution on targeted machines.

Finjan CTO Yuval Ben-Itzhak told us, “It stands as a zero-day attack until a patch is issued or a workaround is made, and it basically means that a hacker could take control of a remote PC by someone visiting a compromised web site.”

Some popular European music download and gaming sites are among those he said had already been compromised. “It is low volume at present, but we expect to see it increase in the coming weeks,” he said.

(Editor's Note:  Low in volume?  Was that a pun considering it's music downloads that put users at risk?)

Continue Reading at CBR






Indian E-Commerce Changes Card Verification Norms

Indian E-Commerce Braces For Changes In Credit Card Verification Norms | MediaNama
By Nikhil Pahwa ⋅ July 6, 2009

The e-commerce industry in India needs to brace for the coming of a lull in transactions, which owes its origin to a notification from the Reserve Bank of India.

According to the notification, in order to enhance the security of online card transactions, it will become mandatory from August 1st 2009 onwards, to provide:

1. A system of providing for additional authentication/validation based on information not visible on the cards for all on-line card not present transactions except IVR transactions.  (Editor's Note:  How about making the "card present" by swiping the magnetic stripe and encrypting it through Zones 1-4, then entering the PIN and encrypting it through Zones 1-5?)

2. A system of “Online Alerts” to the cardholder for all “card not present” transactions of the value of Rs. 5,000/ and above. 

Implications

Travel Portal Cleartrip recently set up a page to help its users register at various bank sites for Verified by Visa and Mastercard Secure verification norms which banks in India are adopting in order to comply with point 1 mentioned above.

Hrush Bhatt, co-founder, Cleartrip, told MediaNama that for completing transactions, merchants will have to re-direct consumers to bank sites, which will require the additional password for verification of payment. For methods that involve redirection, payment failures are around 10 times more.

Bhatt said that though the RBI circular is correct in spirit, the manner in which this is being implemented is going to cause disruption for customers and merchants. Cleartrip is gearing up for at least a 2-3 week disruption, “when people won’t know what this stuff is. Hopefully, after that people will enroll.” ICICI Bank is planning to mandate usage of these additional passwords on July 20th, while the rest are expected to switch between July 20th and August 1st, except American Express. “AmEx already has billing address verification in their API,” he said.

Bhatt added that this also puts Indian online companies at a disadvantage to international ones, because “International companies do not have this extra hoop to jump through. Any (Indian) company that wants to serve an international audience is also at a disadvantage.” This is because international customers will not be able to use sites from Indian merchants unless they have the additional password.

Alternatives & Why Banks Went For Additional Passwords

“Last date we heard, less than 8% of the world is enrolled in any of these programs,” Bhatt said, referring to Verified by Visa and Mastercard Secure. “In the US, merchants are provided with a variety of fraud control measures like billing address verification, date of birth verification; obviously, the banks have this information.” Bhatt said that the biggest processors of transactions online - Amazon and iTunes - do not support the additional password.

“There could be other ways, but the banks have chosen to go with the method that involved the least amount of work for them.

The existing gateways and the APIs don’t process these fields right now, so they will have to reverse integrate with wherever that information sits in their system to ensure that an additional field is provided to the gateways.”

Editor's Note:  Why mess with all that when it doesn't solve the problem anyway?  Additional passwords are not needed.  Encrypted True 2FA is needed.  If anyone can tell me a better way to authenticate the user than swiping their own card in the safety of their own home, followed by entering their PIN, (besides using EMV and entering PIN) and transmitting the encrypted data safely with a derived unique key per transaction (DUKPT) I'd love to hear about it.  In my opinion, redirecting will only create another link in the chain and another way for fraudsters to find the Gap in that system.


Impact On WAP?

Bhatt wonders how this will work on WAP, because this additional layer of security involves a redirection to the bank sites: Do mobile browsers support those redirects?

Continue Reading





Chip and PIN for ATM's

Fraud, like water, finds the path of least resistance.  As more and more countries migrate to Chip and PIN, more and more criminals migrate to the web, where security is somewhere between lax and non-existent.  This article talks about the fact that countries that have initiated Chip and PIN must do so across the board...including ATM's.  For the record, HomeATM's PCI 2.0 Certified PIN Entry Device is EMV (Chip and PIN) ready...

Chip and PIN cards wasted by Australian banks
Bank delays exposing Aussies to credit card fraud
Marissa Calligeros
July 7, 2009 - 2:05PM

New security-enhanced credit cards fitted with anti-skimming microchips are useless in the fight against credit card fraud because Australia's banks have been too slow to introduce ATMs and EFTPOS machines capable of reading them, experts say.

Former cybercrime consultant to Britain's MI5 security intelligence service Fraser Smith said banks were lulling consumers into a false sense of security with the introduction of chip and PIN enabled credit cards because the technology to make them fully effective - while available - had not been fully rolled out.

Chip and PIN cards are designed to reduce the risk of card skimming and require a "PIN pad" terminal, or a modified swipe-card reader, which accesses the security chip on the card.  While several thousand of the new machines are believed to be in circulation already, the Australian Banking Association says it could be up to two years before the majority of ATMs and EFTPOS machines in Australia are upgraded to include the chip readers.

Queensland fraud investigators fear the lag is exposing already vulnerable bank customers even further.  "It is a mistake," Mr Smith said of the delay, at a meeting of the Asia/Pacific Group on Money Laundering in Brisbane today.  "If you're going to go (with chip and PIN) go the whole way."

Chip and PIN technology was introduced across-the-board in the UK in 2006, but Australia, like Canada and the United States, still relies on magnetic strip technology, whereby credit cards are swiped through ATM and EFTPOS machines.

Queensland Detective Superintendent Brian Hay of the Fraud and Corporate Crime Group said Australians were becoming increasingly vulnerable to international banking scams as a result. 

"Whilst we still rely upon magnetic strip data and the rest of the world migrates to chip and PIN, it's going to become a bigger problem here," he said.


"It's like fish in a pond... as that pond dries up those fish are going to become more concentrated.

"In Australia we are going to have a higher concentration of cyber-based criminals around the world migrating to Australia to exploit our vulnerabilities.

"We will not be fully secure until all our point of sale terminals are chip compliant."

Continue Reading at the Brisbane Times






Monday, July 6, 2009

Nevada Mandates that "ALL" Merchants Comply with PCI

A First: PCI Compliance Mandated for State's Merchants
Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)?

The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information.

As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard. 

Read Entire Article

Editor's Note: More good news for HomeATM as our PCI 2.0 Certified Safe-T-PIN instantaneously encrypts Track 2 data for transmissions between Zones 1-4 (click the illustration below to enlarge and read the description of Zones 1-5 in the end-to-end-encryption process) and the Safe-T-PIN's integrated PIN Pad instantaneously encrypts the PIN for Zones 1-5.   HomeATM does all that for about half the cost of other Point of Sale Terminals that encrypt Track 2 data (and we include the PIN Pad!)   I'll have more on this "game-changing" historic law tomorrow.

For example...how will this law affect online merchants who have their corporate offices in Nevada? 

See:  HomeATM Safe-T-PIN Could Cut E2EE Costs by $3 Billion!







Phishing Jumps as More Africans Go Online

Online Scams Jump as More Africans Go Online - Business Center - PC World
Online scams targeting the financial sector are on the rise in Africa as more people access online banking services and mobile banking.

Phishing attacks are mainly occurring in South Africa where online banking is common, while mobile money theft is common in other parts of Africa where Internet penetration is still low. As a result of the increase, South Africa's Absa bank, the largest in Sub Saharan Africa, announced Tuesday that its Internet banking customers can download security software to curb cybersecurity attacks. (See "How to Spot an E-Mail Scam.")

A phishing attack aimed at Absa customers features a plain, yet clever unsolicited message instructing them to follow a link and confirm their account information as a way for criminals to obtain passwords and user IDs.


Continue Reading at PC World







Michael Jackson Death Probe Spam Threatens Bank Account Numbers, Passwords


I blogged a warning about this last week, but here's more information on the Michael Jackson death probe spam.  Your online banking credentials are at risk...(unless of course your bank utilizes the HomeATM PCI 2.0 Certified Safe-T-PIN for 2FA two-factor-authentication log-in, in which case your bank numbers and password wouldn't be on your PC for the MJ Malware to mal).  Bank issues card, Bank issues PIN, Bank issues Safe-T-PIN and you swipe your card, enter your PIN and it's all instantaneously encrypted, including the Track 2 data.  We make the MJ malware threat not scary...

Jackson death probe spam a threat to bank account numbers, passwords

Washington: Beware of any emails regarding the investigation into King of Pop Michael Jackson's death, for they may be spam messages that infect computers with a virus able to steal bank account numbers and passwords.

Experts at the University of Alabama at Birmingham (UAB) have revealed that they began tracking the celebrity-focused spam early on June 30.

"We've been tracking the cyber criminals behind this spam and the associated virus for many weeks, but it is just today that they have shifted their strategy by embedding their virus into an e-mail that claims to link you to a Web site that will reveal Michael Jackson's killer," said Gary Warner, UAB's director of research in computer forensics.

"The spam related to this virus has taken many forms, including e-cards, shipment tracking links and, most recently, a fake update to Microsoft Outlook, but with the high interest in Michael Jackson's death the cyber criminals decided to change their delivery method to capitalize on that," he added.

The message in the Jackson virus spam reads "Michael Jackson was killed ... but who killed Michael Jackson."  Warner said that anyone who clicks on the message won't find an answer to the question.  "If you click on that e-mail and go to the page the cyber criminals have linked to the message, your computer is immediately infected with malware," he said.

He warned that the malware is capable of stealing bank account information and passwords from computer hard drives.


The virus also will redirect certain Google searches performed on an infected computer, meaning the malware inserts links to other virus-infected pages into the top positions of search results.  That, according to Warner, means that search results that unsuspecting users would otherwise think valid are actually portals to other virus programs and malware.








MLM Payouts Made Easy with CredoCard

OfficialWire: Multilevel Marketing (MLM) Payouts Made Easy With CredoCard.com


CredoCard.com specializes in branded and co-branded debit card programs, white label programs, software and payment integration programs, and turnkey payment solutions
Published on July 06, 2009

by CredoCard.com Press Office  (OfficialWire)  VIENNA, AUSTRIA

CredoCard.com specializes in branded and cobranded debit card programs, white label programs, software and payment integration programs, and turnkey payment solutions. We offer the co-branded services to our client base in following regions:

1. Africa
2. North America
3. South America
4. Asia
5. Caribbean
6. Latin America
7. Middle East
8. European Union
9. Europe

We have an extensive range of service for Multilevel Marketing Companies (MLM). Our cobranded card programs are made through self-issuance, straight partnership or the transition of a private label portfolio.

Co-branded debit cards from Credocard lead to stronger brand attachment and customer loyalty. Cobranding signifies placing the MasterCard or Visa Card logo on a simple debit card or credit card. Hence, the card gets a double identity or two brands. This gives your MLM Company a higher recognition, as Visa and MasterCard are well-known names in the credit card sector.

The Credocard holders enjoy a galore of benefits as listed below:

1. The cobranded debit cards allow easy cash outs from ATMs
2. A cardholder does not require a bank account or credit checks to accept the payment worldwide.
3. Credocard holders enjoy a global acceptance, as they are partners with well-known names like MasterCard and Visa Card. These names are extremely popular with the brand loyal customers.
4. The cardholder can have an easy access to the fund transferred on their card at ATMs, shops or restaurants.

Multilevel marketing is very popular with people seeking flexible businesses or part-time businesses. It is a type of business where a distributor network is needed to build the business. In this business model, the payouts occur at more than one level. Direct deposits to a bank account or mailing a commission check is comparatively simple. But a distributor abroad, who may not have a bank account, has to wait longer to cash their checks.

Electronic fund transfer services made available are faster and less expensive as compared to the traditional methods of checks and wire transfers. But, the most efficient way to transfer funds is through cobranded debit cards offered by Credocard.

MLM companies can benefit highly from the service of www.credocard.com. Some of the services being offered are:

1. With a Credocard, your MLM Company can get a global recognition, as we are associated with names like MasterCard and Visa Card, who are market leaders in the credit card segment.
2. By incorporating our cobranded payment cards into your payout process, you can reduce the cost and hassle of international payments.
3. You can instantly transfer the funds to the card accounts, saving on your precious time and money.

Credocard strategic partners include MasterCard, Visa, ID Data, Metavante and Comodo Group. We have partnership agreements with more than 500 worldwide mobile networks, which offer both mobile payment options and SMS services. Our turnkey solutions include unlimited upgrades for all software and services needed to operate a business platform.

You can get in touch with us for more information on payroll solutions through our co-branded debit card programs, specially designed for MLM clients. Please log on to our web site credocard.com for more information or you may talk to us directly on phone to work out on your specific requirement related to MLM services.

About Credocard Ltd.

Credocard is the industry leader for software and payment integration platforms, turnkey solutions, white label programs and co-branded debit card programs. For more information on our programs please visit www.credocard.com




EyeWonder...How Malware Got Onto CNN

On July 3rd, the ZDNet Blogs reported that eyewonder.com, a digital advertising provider, has infected some popular sites via, what they call, a "malvertising" campaign.  Here's an excerpt, you can read the full story by clicking the link at the end of the excerpt:

During the last couple of hours, visitors of popular and high trafficked web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity; Engadget and Chip.de, started reporting that parts of the web sites are unreachable due to malware warnings appearing through the EyeWonder interactive digital advertising provider.

Let’s assess the butterfly effect of a single malware incident affecting an ad network whose ads get syndicated across the entire Web.

What originally started as “we have been mistakenly flagged as malware“, briefly turned into “appears the EW.com domain was potentially maliciously “hacked” causing these errant and erroneous alerts to appear” malware incident.

Is the EyeWonder attack a typical malvertising campaign where malicious content is pushed on legitimate sites through the ad network, or did their web site actually get compromised in the ongoing Cold Fusion web sites compromise attack?


Continue Reading at ZDNet

Facebook Payments System Facing Uncertain Demand

Daniel Wolfe writes for Bank Technology News and asks whether Facebook should promote their own proprietary payment...

American Banker  |  Monday, July 6, 2009  by Daniel Wolfe

Could Facebook credits become the currency of the Internet?

Facebook Inc.'s popular social networking site already has a small toehold in payments through its virtual gift shop, and is reportedly trying to expand the system.

The company claims more than 200 million active users worldwide who trade gossip and keep in touch with friends through its Web site, and analysts said this vast audience might welcome a way to interact commercially as well.

However, they warn that Facebook's efforts to promote an alternative currency may be unnecessary and that demand for a Facebook payments system will likely be minimal unless there is a corresponding market for products or services available through the site.

Offering more payments services through Facebook could be popular with users, "but the recipient would have to see value in Facebook credits," said Bruce Cundiff, a director of payments research and consulting for Javelin Strategy and Research of Pleasanton, Calif. "That's the big issue: are they valuable when they're no longer dollars?"

People can use credit cards now to purchase 10 credits for a dollar through the site's virtual gift shop, and can spend the credits on inexpensive digital novelties such as playful icons sent to one another's Facebook pages, including images of birthday cakes, balloons and sock monkeys — the electronic equivalent of a greeting card.

In recent months the Palo Alto, Calif., company has also opened up its payments system to eight software developers that offer games, calendar tools and other simple applications; (fluff)Friends, for example, lets people buy gifts for digital pets.

Facebook did not respond to numerous attempts to contact the company, and it has said little to date about its payments strategy.

Continue Reading at Bank Technology News



SEPA Direct Debit Launch Date Wanted


By Huw Jones

LONDON (Reuters) - A deadline is needed to ensure full switchover to a single pan-EU system of bank payments and help industry and public authorities plan ahead, a top European Central Bank official said on Monday.

The European Union's executive European Commission has launched a public consultation on whether such an end date is needed and, if so, when it should be.

The EU has adopted a law to introduce a single euro payments area (Sepa) so that consumers can send and receive payments in euros and use their payment cards anywhere in the 27-nation bloc, all from one bank account.

The aim is to exploit the single currency to boost competition and choice in services to bring down prices for the EU's 495 million consumers. National payments systems would be shut down with transactions moved to the new Sepa system.

The introduction of direct debit under Sepa was on track for November 2009, she said, but there was still not enough competition in cross-border cards where MasterCard (MA.N) and Visa Europe dominate.   "Competition concerns are an on-going concern," she said.

Continued...




Battle for EMV Card Supremacy in Nigeria

Here's an interesting story from Vanguard regarding the battle for supremacy between the two biggest card companies in Nigeria.  (search the HomeATM blog for more on Interswitch)

Valucard, Interswitch in Battle for Supremacy | Vanguard News

Valucard, Interswitch in Battle for Supremacy - Finance Jul 6, 2009  By Babajide Komolafe

The wave of competition caught up with the two card giants in Nigeria last week as they make claims of superiority over each other's products, Babajide Komolafe writes.

The market was taken by surprise last week when the two card giants, Valucard and Interswitch, traded claims of authenticity of their cards opening in what could be better described as an exercise in perfect de-marketing.

The whole exercise was to enable one of them gain an upper hand in an intense competition for the market for chip and PIN, Europay, MasterCard and Visa (EMV) compliant payment cards in the country.

Valucard had last week dismissed Interswitch’s Verve cards' claim to be EMV compliant, saying its Visa and VPay cards are the only EMV compliant cards in the country. Interswitch in a swift reaction said Valucard's claim is a lie and unnecessary de-marketing. It said the truth is that its Verve card is an EMV compliant card with more features than any other in the world. Interestingly, both Valucard and Interswitch are owned by consortia of banks, with some banks belonging to both consortia.

EMV is an international e-payment standard developed by Europay, MasterCard and Visa to maximize e-payment security by replacing the current and fraud-prone magnetic stripe cards with chip and PIN (EMV) cards.

It represents the latest in payment card technology. Unlike the magnetic strip card that can be cloned by fraudsters, chip and PIN (EMV) cards cannot be cloned; as a result they are considered safer and more secure.

Against this background the Central Bank of Nigeria (CBN) directed banks to stop issuing magnetic strip cards and migrate to chip and PIN (EMV) cards on or before April 30th this year.

Consequently, last year Interswitch Nigeria Limited, the sole switching company to Nigerian banks with the largest payment cards issued on its Nigeria Debit Card Scheme, developed and introduced the Verve card, which is a chip and PIN (EMV) compliant card. The card was introduced to replace the 28 million magnetic strip cards on its network.

Already about six million Verve cards have been issued while 12 banks have ordered for Verve cards. The banks are Intercontinental Bank, Nigeria International Bank, Skye Bank, Bank PHB, Oceanic Bank, Ecobank, First City Monumental Bank (FCMB), First Bank, Stanbic IBTC, Unity Bank, Zenith Bank and United Bank for Africa (UBA).

Valucard however was the first to introduce EMV compliant cards. In 2004 following its partnership with Visa International, the company introduced Visa and VPay cards which are EMV compliant. The company in a statement last week however warned that the banking public should disregard any payment card claiming to be EMV compliant.

Continue Reading





07/06/09 06:54 AM via The Buffalo News

CREDIT 

Weak security opens door to hackers
By Jordan Robertson | ASSOCIATED PRESS

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.


Editor's Note:  The sensitive data of which they speak is the Track 2 data, and if the Track 2 data is encrypted, the above threat does not apply.  Which is why HomeATM's devices have been engineered to "instantaneously encrypt" the Track 2 data providing the industry with our unique end-to-end encryption methodology.  (Zones 1-4 click pic to enlarge) and eradicating the threat spoken of in this story...

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.

The government leaves it to card companies to design security rules that protect the nation’s 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the analysis of data breaches dating to 2005.

It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you’ll spend weeks straightening your mangled credit, though you can’t be held liable for unauthorized charges. Even if your transaction isn’t hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.

More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn’t detect it. Even the companies that had the payment industry’s top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.

Companies that are not compliant with the PCI standards—including one in 10 of the medium-sized and large retailers in the United States—face fines but are left free to process credit and debit card payments. Most retailers don’t have to endure security audits, but can evaluate themselves.

Credit card providers don’t appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.

That is of little consolation to consumers who bet on the industry’s payment security and lost.

It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.

LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees—which were eventually refunded—while the banks investigated.

“Maybe somebody who doesn’t live paycheck to paycheck, it wouldn’t matter to them too much, but for me it screwed me up in a major way,” she said. LaMotte says she pays more by cash and check now.

It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford’s servers that snatched customer data while it was being sent to the banks for approval.

Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers—a golden ticket to hackers that enables all kinds of fraud.

In the past, each credit card company had its own security rules, a system that was chaotic for stores.

In 2006, the big card brands—Visa, MasterCard, American Express, Discover and JCB International—formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.

Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.

Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.

“It’s like going to a doctor and getting your blood pressure read, and if your blood pressure’s good you get a clean bill of health,” said Tom Kellermann, a former senior member of the World Bank’s Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google’s Internet payment processing system.

“PCI compliance can cost just a couple hundred bucks,” said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. “If that’s the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need.”

For some inspectors, the certification course takes just one weekend and ends in an open-book exam.

Security experts say there are several steps the payment industry could take to make sure customer information doesn’t leak out of networks.

Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.

Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.




MoBank Sets July 6th Launch Date

LONDON, July PRNewswire/ -- NTT Europe Online is providing a bespoke hosting platform for a new mobile banking service, MoBank, which launches on 6th July 2009. MoBank - the brainchild of ex First Direct and Egg bankers, Steve Townend and Dominic Keen - is a brand new service that works with your existing bank account to let you buy and pay for items using your mobile phone.

At launch, consumers will be able to buy all sorts of things using MoBank, such as cinema tickets, clothes, music, books, flowers, gifts and tickets; and check the balance on their card from their phone. Soon, it will include extra convenient banking features such as money transfers, bill payments and budget trackers.

MoBank will initially be available on the iPhone, with plans to roll it out to Java, Google and Blackberry phones later in the year.

With a proven history of working with security-critical online financial services, NTT Europe Online's managed hosting platform is built to deliver maximum performance to MoBank users. With multi-tiered firewall protection, anti-virus and intrusion-prevention technology, the platform is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) to protect users' sensitive personal data. NTT Europe Online's managed hosting services also meet the ISO27001 Information Security Standard, allowing MoBank to guarantee the reliability and availability of the service.

Dominic Keen of MoBank said: "The Internet has revolutionised how we shop and manage our money. The next step is to take this to mobile phones. MoBank has been designed to make people's lives easier and save them time by providing banking services on the move.

"A secure hosting platform is extremely important. We worked closely with NTT Europe Online to provide this, ensuring it was scalable and capable of delivering high performance levels. The technical backing we receive from NTT Europe Online is critical in helping us achieve our goals."

Damien Skendrovic of NTT Europe Online comments: "We're delighted to be working with MoBank and their application shows us just how exciting and useful mobile technology can be. A service such as this has to have the right technological foundations to make it succeed. In MoBank's case, its hosting platform needs to meet the levels of security required by any financial service as well as the specific demands of mobile data applications. We're convinced that MoBank will be a huge success."

MoBank is already attracting interest: in 2008, it won a Red Herring 100 award for the best startups in the world; and it won the Oxford University Saïd Business School Venture Competition in 2008.

About NTT Europe Online

NTT Europe Online provides managed hosting, security and application management services to businesses globally. These services provide the reliability, availability, security and scalability needed to underpin business success online.

NTT Europe Online is certified to ISO27001 for Information Security Management and, as part of NTT Communications, has the global reach and scale to support businesses of all sizes. NTT Communications is the global data and IP services arm of the Fortune Global 500 telecom leader, Nippon Telegraph & Telephone Corporation (NTT). For further information visit http://www.ntteuropeonline.com

About MoBank:

MoBank - http://www.mobank.co.uk - is a new mobile banking service started by ex-First Direct and Egg bankers, Steve Townend and Dominic Keen. MoBank works with your existing bank account to let you buy and pay for stuff using your mobile phone. In 2008, it won a Red Herring 100 award for the best startups in the world; and it won the Oxford University Saïd Business School Venture Fund Competition 2008.



HomeATM News from Around the World

PCI 2.0 Certified Safe-T-PIN Coverage


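TechWorks Asia [Product Launch] [Product News] 2009/07/06
Atmel AT91SO25 Secure Microcontroller Helps HomeATM's Safe-T-PIN Internet Point-of-Sale Terminal Achieve PCI 2.0 Certification

Atmel® Corporation and HomeATM have announced that HomeATM's Safe-T-PIN™ recently achieved Payment Card Industry (PCI) 2.0 certification, the result of efficient collaboration between the two market-leading companies. The HomeATM Safe-T-PIN, which uses Atmel's AT91SO25 secure microcontroller, is the first Internet PIN Entry Device (PED) to obtain PCI 2.0 certification.

The AT91SO25's proprietary features and Common Criteria EAL4+ security certification played an important role in Safe-T-PIN™ obtaining the first PCI 2.0 certification. The AT91SO25 comes in a small BGA144 package, providing a high level of security and extended connectivity in a small footprint. Safe-T-PIN provides reliable two-factor authentication for e-commerce transactions and secure login.

Atmel's AT91SO device family is based on the ARM® 32-bit SecureCore™ SC100 CPU core and is suited to systems that require a high level of security, such as card payment terminals. The AT91SO family achieves a high level of integration of multiple peripherals, with 256 KB EEPROM, 100 KB RAM and 32 KB ROM, and has crypto engines for accelerating DES/TDES, AES, SHA-n, RSA and elliptic curves, as well as many flexible interfaces such as USB, SPI, UART, GPIO, magnetic stripe and smart card interfaces. All of the devices are the only products on the market certified to Common Criteria EAL4+.

HomeATM CEO Kenneth Mages said: "In terms of point-of-sale (POS) system protection, the PCI 2.0 specification is much stricter than previous versions. Choosing Atmel's AT91SO25 secure system-on-chip really helped us speed up development and obtain product certification."

Olivier Debelleix, Atmel's embedded security products marketing manager, commented: "Our AT91SO product family for secure systems has long been used by many POS applications that were certified to previous versions of the PCI standard. HomeATM's PCI 2.0 certification shows that Atmel's products help application developers meet growing embedded security requirements."

About HomeATM

HomeATM holds global patents on secure Internet PIN-based transactions and, using its E2EE PCI 2.0 PED certified solution, enables merchants or payers to transfer funds instantly from their bank accounts or open loop/closed loop payment cards. Because HomeATM leverages the card issuer's Know Your Customer/Anti-Money Laundering (KYC/AML) protocols, using HomeATM's patented solution together with bank-issued credit cards can reduce the burden on merchants of dealing with fraud. At present, no other payment solution serving person-to-person, business-to-consumer, business-to-business and mobile payments can match the speed, security and cost-effectiveness of the HomeATM solution. HomeATM supports the EMV standard and has established strategic partnerships with payment networks such as Cardinal Commerce and UATP.

Information:
For details of Atmel's secure system-on-chip product family, visit:
http://www.atmel.com/dyn/products/devices.asp?family_id=700

For details of HomeATM products, visit: www.homeatm.net or http://homeatmblog.com

About Atmel Corporation

Atmel Corporation is a world-leading designer and manufacturer of microcontrollers, advanced logic, mixed-signal, nonvolatile memory and radio frequency (RF) devices. The company has one of the industry's broadest silicon intellectual property (IP) technology portfolios and can provide complete solutions for the electronics industry. Atmel focuses on the consumer electronics, industrial, security, communications, computing and automotive electronics markets.

Note: Atmel®, the company logo and combinations thereof, and others, are registered trademarks of Atmel Corporation or its subsidiaries; ARM® and others are registered trademarks or trademarks of ARM. Other terms and product names in this document may be trademarks of other companies.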

Cornell University Breach Puts 45,000 at Risk

NationalCreditReport.com Recommends Credit Monitoring in the Event of a Breach and Reporting Online and Offline Fraud Activity

Data breach at Cornell puts 45,000 at risk of identity theft. Be sure to safeguard all credit.


Delray Beach, FL - June 25, 2009 - NationalCreditReport.com™ (the "Company"), a leading provider of free credit reports and credit monitoring services, recommends that all consumers, especially those whose identities have been compromised in a data breach, utilize a credit monitoring service to help protect themselves from identity theft. Also, the Company highly recommends reporting any offline and online fraud activity.

Earlier this week, Cornell University announced that more than 45,000 people associated with the university had their names and Social Security numbers exposed after a laptop was stolen. Cornell has said it will provide credit monitoring and other identity theft protection services to those involved.
Credit monitoring is an automated service that reduces the threat of identity theft by updating consumers of changes and inquiries made to their credit files.

NationalCreditReport.com's Safeguard Credit™ monitoring alerts the subscriber within 24 hours of any major changes made to their credit file, and does not affect the subscriber's credit or credit score.

"The computer theft at Cornell demonstrates the vulnerability of consumers' information and the need for protective services such as credit monitoring, especially in the event of a breach," said Allison Tomek, NationalCreditReport.com's Vice President of Investor Relations and Corporate Communications. "Our Safeguard Credit service sends email alerts when potentially fraudulent items, or any significant changes, are made to a credit report, like the opening of a fraudulent credit card. Our identity security services, which encompass credit monitoring, help give consumers peace of mind."

About NationalCreditReport.com:
Since 2004, NationalCreditReport.com has specialized in providing identity theft protection services, which encompass credit monitoring and credit reporting, to help protect consumers from identity theft. The Company encourages consumers to utilize its credit monitoring service, especially in the event of a data breach and encourages the reporting of any fraud activity online and offline.

Saturday, July 4, 2009

CyberSource's Authorize.net Down Due to Fire


VentureBeat is reporting that:

"A fire in Seattle’s Fisher Plaza appears to have taken down Authorize.net, a service used by online businesses to process credit card and electronic check payments.

That’s a big problem for any vendor using Authorize.net, since this basically means they can’t accept payments through their website until the service is up again. I’m told this affects both one-time and recurring payments. With its website down, Authorize has set up a new Twitter account to provide updates and address the many customer complaints and questions. Many of the tweets can be boiled down to, “The team is working hard to get things running again, but I don’t have a timetable”; the company is also trying to reassure customers, “yes we have fully redundant data center” (sic), and also just said, “Transactions are up except for Global processing and Concord. No ETA on those, but we are working on in.”

The service has been down since around midnight Pacific time. I’m also trying to find out how many businesses are affected; TechCrunch says it’s “tens of thousands of e-commerce vendors,” but when Authorize.net was acquired by CyberSource back in 2007, it reportedly had 175,000 customers, and processed 1.1 billion transactions worth $65 billion in 2006.

Meanwhile, TechFlash notes the travel section of Microsoft’s Bing “decision engine” is also down due to the fire. The Bing Travel website says the site should be back up at 5pm Pacific time today."

Happy Fourth of July Weekend!


Happy 4th of July!


Happy 4th of July to all of the HomeATM Blog subscribers and readers who reside in the good ole US of A.

Here's hoping that you all enjoy your long weekend with both friends and family, tasty barbeques, a couple of frosty ones and some fireworks. Speaking of which, here's a high resolution shot of some fireworks behind Buckingham Palace overlooking Lake Michigan in my favorite and the USA's most beautiful city...My kind of (Chi)town.

Enjoy...and we'll be back on Monday! (unless a fire knocks out service to Authorize.net and Bing Travel)



By the way, isn't it great news that the Statue of Liberty's "crown" is back open to the public for the first time since those (insert bad word here) took down the Twin Towers on September 11th?  Personally I could not think of a better way to celebrate the weekend without getting inside the head of our gal, "Liberty!" 

For the first time since it was closed following the terrorist attacks of Sept. 11, 2001, the observation deck in the crown of New York City's famed Statue of Liberty will reopen to the public on July 4.

The top of the Statue of Liberty reopens to visitors on the 4th of July.

The statue itself was reopened in 2004, but visitors were only allowed into the pedestal at the base of the statue. But the pedestal is not the real draw, according to Bill Maurer of the National Parks Service.

"Everyone has been asking, 'When can we go up to the crown?'" Maurer told "Good Morning America." "Certainly, it is a pleasure to say that you can go up Saturday, if you have a reservation."



