Tuesday, January 27, 2009

Heartland - End 2 End Encryption 2 End Hacking

Here's an update on Heartland Payment Systems. This is a better press release than the previous ones. It makes sense that transactions are encrypted at all times. I was miffed at the previous press releases, the first on inauguration day and the second being pure spin. This one, however, addresses the problem head-on. It's a good move for Heartland in their valiant attempt to make "lemonade."

It says here they hired former ICVerify founder/payments guru Steve Elefant as the executive director of the new division.  Mr. Elefant is also the Managing Director at VC Firm Soaring Ventures in Silicon Valley.  Click here for his bio.


Heartland Payment Systems, Inc. :: Heartland Payment Systems Accelerates Development of End-to-End Encryption
 

Payments Processor Forms Dedicated Department and Names Executive Director

PRINCETON,  N.J., Jan. 27 /PRNewswire-FirstCall/ -- Payments processor Heartland Payment Systems today announced it has formed an internal department dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data used in financial transactions.

For the past year, Robert O. Carr, Heartland's chairman and chief executive  officer, has been advocating for payments industry adoption of this technology - which will protect data at rest as well as data in motion as an improvement for payment transaction security.

Carr stated, "PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps. There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required.  Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed. 


"Heartland has been working on the development of end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts," Carr continued. "To do this, we are forming a dedicated internal department  and have named Steven M. Elefant, a well-known expert in point-of-sale payments, executive director."

Elefant is a member of the US Secret Service Electronic Crimes Task Force and Infragard, a public/private partnership of the Federal Bureau of Investigation. He is the co-founder and former chief executive officer of ICVerify Inc. ICVerify became the leader in payment processing integration of PC-based point-of-sale software. In 1998, Elefant merged ICVerify with CyberCash Inc. to form an Internet service provider for electronic commerce.

Recently, Elefant has been involved in numerous technical ventures in the payments and venture capital industries. His breadth of experience spans a wide spectrum including merchant and  consumer services for online consumer auctions and ASP services for merchandise and payments management.

"Late last year, Steve began a consulting project to help us define a business model for  bringing Software as a Service (SaaS) applications to our merchant base," Carr noted. "Now, as a Heartland employee, he will focus on the first leg of end-to-end encryption - getting encrypted data from the point of swipe/entry at the merchant to our switch so malware cannot steal data in motion. The internal network encryption infrastructure will be handled by a combination of new and existing IT professionals under Steve's direction."

Elefant said, "I have known Bob Carr for more than 20 years. We gained respect for one another as  competitors in the late '80s and '90s, and I believe Heartland's desire to bring end-to-end encryption to market and work with other processors to share information about cyber crime incidents are significant steps for our industry."

Source: Company Press Release


 






Money Transfers to Mexico Drop 3.6%

Annual Mexican Remittances Drop for 1st Time on Record

According to Yahoo News,  this is the first drop since they started tracking the money in 1996...

MEXICO CITY – Mexico's central bank says the amount of money migrants sent home fell 3.6 percent in 2008, the first drop on record.

The slide is part of a global trend that is expected to worsen as more emigrants from developing countries lose jobs in the financial crisis battering the United States, Europe and Japan.

The central bank said Tuesday it is the first time remittances have fallen year-to-year since the bank starting tracking the money 13 years ago.


It gave no forecast for 2009. But Mexico's largest bank, Banamex, has predicted that remittances could drop by at least 2.5 percent in 2009.

Experts blame the U.S. recession and a crackdown on illegal immigration.


(continue reading)



TrialPay Adds 5 Million Users in 54 Days

TrialPay says it has 20 million "users" of its service. That's amazing, because last December 3rd, in a press release, TrialPay announced that their user base had reached 15 million with 7500 retailers.

They remain at the same "7500 merchant" level, but their new users are multiplying like rabbits. I guess it makes sense, 'cause, come to think about it, I'm pretty sure that rabbits "get it" for free too. Still, that's a whopping 5 million newbies in the 54 days (7.71 weeks) comprising the period between 12/3 and 1-26.

It also equates to the following:
  • 2,777,777 new users per month (1.8 months)
  • 648,508 new users each week (7.71 weeks)
  • 92,593 new users per day (54 days)
  • 3858 trial users per hour (24 hours per day)
  • 64 newbies per minute and
  • 1.07 new users per second...
A most impressive 54 day marathon (in a good economy). At this rate, they'll add 33,333,324 newbies wanting buy one/get one freebies by 1/1/10. I guess in a bad economy, you can't beat free. A clever idea, yes, but sometimes being in the right place at the right time can't be beat either.

E-Commerce Payment Platform TrialPay Shines in a Dark Economy
Despite recession, TrialPay achieves record sales, tops 20 million users

Mountain View, Calif. (PRWEB) January 27, 2009 -- TrialPay has just marked its most profitable quarter, charted its highest sales day on record and reached an astonishing 20 million users--all at a time when most businesses are struggling to attract customers. By offering consumers a free product with every purchase and helping more than 7,500 industry-leading merchants increase their online sales, this rapidly growing alternative payment system is proving to be a bright spot in a bleak economy.

"In the midst of a holiday shopping season with the worst sales drop in four decades, TrialPay witnessed its highest sales day ever, experienced its best quarter to date and doubled its user numbers in less than 6 months," says Alex Rampell, co-founder and CEO of TrialPay. "TrialPay offers an inventive way for shoppers to stretch their dollars while providing a creative way for online merchants to increase sales from their current traffic."

Through TrialPay, more than 7,500 premier merchants such as McAfee, Match.com and The Wall Street Journal give away their products or services for free when shoppers try or buy one offer from one of 2,000 blue-chip advertisers (e.g. send flowers from FTD, sign up for Netflix or buy clothes from Gap). TrialPay pays the merchant the full value of the free product--and often even more--using revenue from the advertiser.

Online shoppers in more than 100 countries worldwide have stopped shopping the old-fashioned way and started checking out with TrialPay to get a 2-for-1 with every transaction. As a result, the 2-½ year-old company earned its place in the top 5 alternative electronic payments, along with PayPal, Bill Me Later, eCheck and Google Checkout, according to Javelin Strategy and Research.

"TrialPay's innovative payment method continues to be a compelling choice for consumers as our tremendous growth rivals that of the biggest names in the payments industry," adds Rampell. "Reaching 20 million users at such a rapid pace proves that TrialPay shows no signs of slowing down, even in the middle of a recession." To see TrialPay in action and get products from many premier brands for free, please visit: http://www.trialpay.com/shop

About TrialPay
TrialPay is the only payment method that increases a customer's willingness to pay. Visa, MasterCard, PayPal and other standard payment options process transactions but they do nothing to boost sales. TrialPay entices shoppers to complete their purchase by giving a 2-for-1 with every transaction. Shoppers get their original product for free by completing one offer from blue-chip advertisers. With TrialPay, everyone wins: merchants make more sales from their current traffic, advertisers acquire new customers on a pay-for-performance basis and shoppers get a free product with every purchase.
TrialPay works with more than 7,500 premium merchants, including McAfee, The Wall Street Journal, Skype, Match.com and other industry leaders in software, games, publishing, online services and retail. TrialPay currently has more than 20 million registered users and offers 2,000 ways to pay by transacting with name-brand advertisers. For more information, visit http://www.trialpay.com.



Apple Today Keeps ProcessAway

iPhone Credit Card Processing - ProcessAway Makes It Possible

TUSTIN, Calif., Jan. 27 /PRNewswire/ -- Apple had no idea when it launched its iPhone that it would be releasing about 5 million mobile credit card terminals into the hands of business owners. That's exactly what Apple did. The sleek phone has been turned into a mobile credit card processing device, thanks to an impressive little application called ProcessAway.

The software is made for an Apple iPhone or iPod Touch and works over any available network connection. Transactions can be processed at places such as conventions, street fairs, antique shows, and by business owners performing mobile detailing, on-site consultation or construction. The list is endless on who could benefit by offering the convenience of accepting credit cards on the spot and the confidence of getting immediate authorization for a credit card payment.

Business owners can use their iPhone to conduct real business. The ProcessAway software utilizes the Authorize.net gateway. Authorize.net was one of the very first Internet payment gateways and today they have one of the largest customer bases. They are continually releasing new and innovative tools to make their payment gateway even more powerful. The Authorize.net API is what fueled the development of ProcessAway and allows the millions of iPhone (and iTouch) users to turn their device into a credit card terminal.

The business owner is not limited to mobile transactions through their device. The Authorize.net merchant account used with ProcessAway includes an option to download transactions into Quickbooks and also a comprehensive Virtual Terminal. This gives business owners the benefit of processing transactions out of the office with ProcessAway and in the office through the web-based Virtual Terminal, all with a single account. Even though the Virtual Terminal is available, ProcessAway was designed as a stand-alone comprehensive processing solution that can be used effectively in any environment.

The ProcessAway software will be sold through the iTunes AppStore for $19.99. A fully functional free version, called ProcessLite, is identical to ProcessAway except the charge amount is limited. Additional information, screenshots, and FAQs can be found at http://www.processaway.net. Both ProcessAway and ProcessLite were submitted to Apple for review on January 26, 2008, and will appear in the AppStore according to Apple's approval schedule.

Contact:

Randy Palermo, 714/656-4426
Fax: 714/475-6957
Email: randy@rapadev.com
http://www.processaway.net

This release was issued through eReleases(TM). For more information, visit http://www.ereleases.com.


AmEx Earnings Fall 79%

Yesterday, American Express fell 5 percent to close at $15.20, and the credit card companies Visa, MasterCard and Discover closed lower. After markets closed on Monday, American Express reported that its net income fell by 79 percent in the fourth quarter.  Ouch.

The Associated Press

American Express earnings fall 79 percent -By SARA LEPRO

NEW YORK (AP) — American Express Co. said Monday that its profit tumbled 79 percent in the fourth quarter as cardmembers cut back their spending amid the harsh economy and the company took a big severance-related charge.

This marks the fifth-straight quarter of profit declines at American Express — a credit card company that has prided itself on catering to a more affluent clientele — proving that few have been spared from the pain of the recession.

The New York-based company also said it expects spending to continue to slow in 2009, and forecast for higher delinquencies and loan losses as consumers and businesses battle worsening economic trends. The outlook echoes remarks made by fellow credit card issuer Capital One Financial Corp. last week.

For the final three months of the year, AmEx earned $172 million, or 15 cents per share, compared with earnings of $831 million, or 71 cents per share, a year earlier.

During the quarter, AmEx set aside $1.4 billion to cover bad loans, down slightly from the $1.45 billion set aside in the prior-year period when the company took a $274 million credit-related charge.

In the company's U.S. card segment, net income fell to $4 million from $7 million, as total revenue decreased 13 percent. Average basic cardmember spending declined 13 percent to $2,758 from $3,161. The international segment held up better in the fourth quarter, the company said, with net income falling 8 percent to $36 million. Average cardmember spending slipped 2 percent on a foreign exchange adjusted basis.

Adil Moussa, an analyst at Boston-based research firm Aite Group, said the international results were encouraging, but he warned of further deterioration to come.  "What happens in the U.S. is going to happen outside of the U.S. in a year or so," he said, referring to American consumers' pullback in spending.

The fourth quarter saw American Express transform itself into a bank holding company — a surprise move that signaled to investors just how severe the credit card giant's troubles had become.

In approving AmEx's request for bank holding company status, the Federal Reserve cited "emergency conditions." Funding its daily operations had become more difficult and more costly amid the credit crisis. The securitization market, which AmEx uses to raise operating capital, has dried up as investors shy away from purchasing all but the safest forms of debt.

As a bank holding company, AmEx can now accept deposits and permanently access financing from the Fed. The status change also enabled AmEx to tap into the government's $700 billion financial bailout package. In January, the company received a $3.4 billion investment from the U.S. Treasury Department in the form of a preferred stock purchase.

Additionally, AmEx said it raised $6.2 billion through a new retail certificate of deposit program it launched in October.  As a result of the additional capital, the company's total capital to total managed assets was 7.9 percent at the quarter's end, up from 6.7 percent at the end of 2007.  AmEx said it remains committed to growing its deposit base and plans to launch a direct deposit program in the second quarter. 

In October, AmEx announced plans to cut 7,000 jobs, or about 10 percent of its global work force, in an effort to slash costs by $1.8 billion this year.

For the full year, the company said net income fell 34 percent to $2.63 billion, or $2.27 per share, from $4.01 billion, or $3.36 per share. Revenue rose 3 percent to $28.37 billion.







Are Smart Phones as Smart as Hackers?

Bank of America has launched a specialized mobile banking application for BlackBerry smartphones. The software is available at mobilebanking.bankofamerica.com//bbapp and it is available for BlackBerry devices with an Operating System 4.2 or higher.

With that said, Tom Wills, from Javelin Strategy and Research wrote an amusing blog post this morning...

Android: Beware the Dark Side

"Picture this. You’re the proud owner of a shiny new Googlephone. You’ve just spent the best part of Sunday afternoon getting it configured and transferring your data onto the device, and now you’re ready to load up on some cool apps. Browsing one of the Android download portals, you’re overjoyed to see that your financial institution has a mobile banking application available, and with a few deft clicks, you download it to your handset.


You eagerly launch the app, and then the fun starts. Or … hang on … maybe this isn’t so much fun. The screen goes dark for a few seconds, and then your device freezes. The only way you can turn it off is by sticking a hairpin into that little hole on the back, and when the device reboots, all of your data is gone. Address book and calendar – both wiped.

Then later that evening, several of your friends and business contacts (including the one who interviewed you on Friday for that job you’ve always wanted) email you asking why you’ve been sending them messages offering to sell them C1ali$ and V1agra. You know that kind of message. Turns out that the friendly looking banking app was actually a virus..."


He goes on to ask if he's being paranoid or writing sci-fi.  The answer is neither.

continue reading at Javelin's blog site




JCB Moves to Protect Online Customers

Finextra is reporting that JCB has made a move to shield customers from online fraud. You'll be seeing a slate of press releases related to the card industry and protection in the weeks and months following the Heartland Breach.

JCB selects RSA FraudAction to protect online customers

Japanese card issuer JCB has signed for US security vendor RSA's fraud protection service in a bid to shield customers from online fraud and phishing attacks.

The RSA FraudAction service uses a team of analysts to detect and control phishing attempts. The system will be used by JCB to protect its 60 million cardholders when they view statements and make credit applications online.

Osamu Yamano, president, RSA Japan, says the country suffers from high levels of cybercriminal activity, with fraudsters setting up fake Web sites and sending phishing e-mails to trick customers into handing over sensitive information.

Masahiro Ogushi, SVP, media and channel management department, JCB, says: "We believe having the innovative RSA FraudAction service working on our behalf to find and shut down fraudulent activity targeting our business online is an essential measure of security."

VeriSign's VIP for PayPal UK


PayPal Security Key Goes Live With VeriSign® Identity Protection in the UK; Adds SMS Functionality From VeriSign to Secure Log-Ins via Text Message


VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced that Internet users in the UK have the option of using VeriSign® Identity Protection (VIP) on their PayPal account as an extra layer of security to protect their online identity.

VeriSign is enabling PayPal's customers to log in to their accounts by receiving a one-time-password (OTP) via text message (PayPal SMS Security Key) or by using a security token (PayPal Security Key).


Users of the 'PayPal Security Key' and 'PayPal SMS Security Key' can now access their online accounts in a secure manner through a VIP security credential that generates an OTP for every sign-on. During an online session, this password is entered into the user log-in interface along with the user's usual account name and password. When PayPal verifies the OTP and matches it to the user, clients achieve strong -- or two-factor -- authentication.

"PayPal has always taken online security very seriously and is famous for not sharing customers' financial information," said Garreth Griffith, Head of Risk Management at PayPal UK. "As a result, successful fraud attacks on PayPal accounts are very rare. But we know that some people want extra reassurance, and that's what the PayPal Security Key will offer. It's like a combination lock for your account -- designed to let you in and keep others out, with the extra safeguard that the combination always changes."

PayPal's support of strong authentication through SMS messaging means that consumers who want the protection online can use the device of their choice -- the physical Security Key token or a mobile device for generating the OTP needed to access their accounts.

Griffith comments, "Offering the Security Key via text message is really important as we want to make it as quick and convenient as possible. You just need your mobile phone to use it, which prevents having to carry another gadget around with you."

Consumers whose devices support SMS -- and who subscribe to SMS services from their mobile providers -- can receive PayPal OTPs without having to download any special software. In addition to the token and SMS functionality that PayPal has chosen to use, the VIP Authentication Service supports a wide range of authentication credentials, including stand-alone tokens, software tokens for mobile phones and credit card-size form factors.

"PayPal has proven itself to be an innovator when it comes to online safety for consumers," said Mike Davies, director of Identity and Authentication Services at VeriSign. "With today's announcement, PayPal and VeriSign are deploying what is truly a token for everyone. Now, consumers have even easier access to proven safeguards from the most trusted security brand on the Internet."

Around the world, leading online businesses have joined the VIP Network to provide their customers with identity safeguards that go beyond standard secure log-ins with user names and passwords. Members of the VIP Network display a special VIP logo, a signal to users that the site accepts a special VIP security credential that generates an OTP for every sign-on.

The new SMS functionality is provided by VeriSign's Messaging and Mobile Media division, which offers one of the most robust, scalable and reliable mobile messaging delivery engines in the world, connecting to more than 700 carriers and reaching over 3 billion wireless subscribers in over 200 countries.

About VeriSign

VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.


Source: Company Press Release

Monday, January 26, 2009

Personal Card Readers Becoming "Populaire"

Finextra is reporting that a French bank, "Banque Populaire," is issuing 400,000 personal card readers to secure online banking and e-commerce transactions.

In mid-December, the Co-operative Financial Services decided to secure 300,000 online banking users with the Xi-Sign 4000 Home Chip and PIN strong authentication card reader.

That's 700,000 personal card readers in a little over 30 days. For HomeATM, this exciting new trend vindicates our decision to take a hardware approach to securing online transactions.

As we've been saying all along, a personal card reader is the best approach to securing transactions online.  So...what does this tell us?  It tells us that financial institutions are starting to agree with our methodology.

When you combine this news with news of Barclays' successful roll out of 1,000,000 plus PINsentry devices, there's little doubt that HomeATM is "spot-on" with its approach to bringing PIN Debit to the web, via its personal SwipePIN device. (pictured above left)

Oh, and did I happen to mention that a software application is 92 times "more likely" to induce fraudulent activity than a hardware device?   It's true...when you combine POS software with online shopping cart breaches, it's the basis for 92% of all breaches. 

Meanwhile, hardware devices fall into the realm of 1% (see graph on right), and that's mostly due to tampering. As I've stated before, I highly doubt that fraudsters will break into your home and tamper with your personal home swiping device, so the tampering factor is all but eliminated.

Here's the story from Finextra:

Finextra: Banque Populaire to issue Xiring card readers to Internet banking customers
Banque Populaire in France is to equip 400,000 customers with Xiring's Xi-Sign card authentication reader for securing online banking and e-commerce.

The bank claims to be the first in France to embark on a large-scale roll-out of the system, which is currently deployed by more than 4 million UK users under the home Chip and PIN programme.

Customers will be equipped with a chip card reader - branded by Banque Populaire as a Vericode - which authenticates the card and generates an 8 digit one-time password on the LCD reader. The user then types in the displayed code on the bank Web form to confirm the transaction. 

The French bank says it will also use the card readers to verify cards for remote transactions, including Internet shopping.

P.S. HomeATM's secure personal swiping device is EMV ready, can be emblazoned with a Financial Institution's logo, and exponentially raises the bar on e-commerce and online banking transactions. Contact us for information on how we can help you further secure your customers' online transactions.





Sunday, January 25, 2009

Suspect ID'd in Heartland Breach


Heartland "Break In" News

Evan Schuman, editor of Storefront Backtalk, is reporting on his site that the Secret Service has identified the source of the Heartland breach and turned it over to the DOJ. Or at the very least the SS has PINpointed their location...overseas.


You'd think this to be big news, considering all the attention being given to the breach. You'd also think that since it took so long to discover the breach, it might take longer than 2 or 3 days to find the source of the breach. I've googled "heartland suspect" and apparently Mr. Schuman has quite the breaking story, because I can't find mention of the PINpointing of the suspect anywhere else that doesn't track back to Backtalk.

From Storefront Backtalk:

"The Secret Service has identified an overseas suspect in the Heartland data breach case and the matter has been turned over to the U.S. Justice Department, according to someone close to the investigation.


Few additional law enforcement details were immediately available, other than that the government believes it has identified the cyber thief involved, has “pinpointed” that suspect’s location and that it’s outside of North America, the source said.


"Given the word that the Secret Service believes it has located the prime suspect, it raises the possibility that law enforcement was already on their trail long before the Heartland spyware was detected."

Continue Reading at StoreFront Backtalk


That's an interesting observation...they knew about the trail, but not about the nuts (and bolts) of their operation.   Then again, original reports did quote Heartland's president and CFO, Robert Baldwin as saying: "Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions."


Evan Schuman also reports that Heartland is now saying it was first alerted by Visa and Mastercard in the late October, early November time frame. (You'd think there'd be an exact date they were notified by V/MC.) A "timeframe" applies to when they "think" the malware was released into their system.

Although there's no official word on when the malware was first introduced into Heartland's system, there has been talk that the malware has been "present" since May, 2008. That's 6+ months of MP ("Malware Present") transactions.

Evan also goes on to say that Heartland spokesman Jason Maloni advises that when the sniffer software was finally  identified by the outside forensic expert hired by the company, the malicious program was inactive, which means that the suspects may have been "on" to the forensic investigation, and turned it off. 




Heartland Fallout Continues

According to the St. Louis Journal, Heartland Bank and Bank of America said Friday they are issuing new credit and debit cards to their customers in response to the security breach at Heartland Payment Systems of New Jersey.

The Journal reports that "Heartland Payment Systems is not related to Heartland Bank." ... "confusion over the similar names has prompted 100's of calls to Heartland Bank in St. Louis this week."

Clarification: While this story makes it sound like the similarity of the Heartland names is purely coincidental, it is not. The two entities may be unrelated today, but they were both involved in the formation of what is now the nation's sixth largest processor.

When Heartland was formed, it was formed in union with Heartland Bank.  I remember going down to St. Louis and meeting with Bob Carr and Heartland's bank president back then.  (I think it was in early '97) If I remember correctly Heartland Bank and Bob Carr were the co-founders.

I think Bob Carr broke free from Heartland Bank in 2000.   So the confusion has merit.  To this day, even their logos share an iconic common denominator.


Anyway, getting back to the story, from SLBJ: "The security breach did get information on our cardholders," David Minton, Heartland Bank president and chief executive, told the Business Journal. "Like other banks all over the country, we got notices from MasterCard and Visa saying that our customers' cards have been compromised."

The two largest banks in St. Louis, U.S. Bank and Bank of America, as well as other banks nationwide received similar notices because the breach, revealed by the New Jersey payment processor on Tuesday, potentially impacts millions of credit and debit card accounts.

Bank of America is in the process of reissuing new credit and debit cards to customers, said Betty Riess, a spokeswoman. She declined to specify how many of Bank of America's customers were impacted.

continue reading at St. Louis Business Journal

Friday, January 23, 2009

Heartland CEO Talks

It took a couple of days, but somehow Heartland's CEO was able to spin the breach into a positive for his company. After all, they've added 400 merchants in the last few days, "because of our record of "candor" (first words since Tuesday) "fair dealing" (no free consumer credit reports like RBS Worldpay?) "transparency," (Oh, you must mean that "transparent" inaugural day hidden press release) and so...on...wait, make that, so off...in fact, way off.

Remember Tylenol? People still buy it, right? Yeah, they do, because it doesn't "remind them of the headache, it cures it."

Tylenol? Please, accepting that analogy's a little tough to swallow (pun intended) considering that the Tylenol tampering resulted in multiple deaths. Maybe that's the point...that nobody died? Oh I guess it's not so bad then. It could have been worse. I buy Tylenol (I think), but this? Maybe if it was less cheerleaderesque and more quarterbackescent. Then again, maybe the PR did HPS some good. The stock is up double digits (10.15% or .83 cents right now). We'll know at the end of the day...and the Bad Ticker will track Heartland until February 14th.

Company Reports Continued Growth of Merchant Base

PRINCETON, N.J., Jan. 23 /PRNewswire-FirstCall/ -- Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year.

"Our organization and business model founded on fair dealings, transparency and merchant advocacy have paid off these past few days," stated Robert O. Carr, Heartland's founder, chairman and chief executive officer. "This is demonstrated in the continued organic growth of our merchant base. Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning. Our record of candor, fair dealing, no arbitrary rate increases since our formation almost 12 years ago and superior customer service is highly valued.

"Merchants continue to respect Heartland for the manner in which we do business. They appreciate our ongoing efforts to help them manage the costs and complexities of payments processing," Carr continued. "Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.

Over the past few days, Carr has been talking to many industry leaders about working together to fight the cyber criminals who victimized Heartland and continue to jeopardize companies, consumers and data worldwide.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," Carr noted. "Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive for the public, the financial institutions which issue credit/debit cards and payments processors.

Carr concluded, "Just as the Tylenol(R) crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data at rest as well as data in motion - as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.

Source: Company Press Release


Alternative Payment Market Report

Packaged Facts Releases Alternative Payments Market Report

Description
Online shopping, peer-to-peer connections and safer, more secure online services are the fundamentals driving the growth of consumer online alternative payments in the United States. In this all-new Packaged Facts report, the current and future market landscape is analyzed, which Packaged Facts estimates at $37.3 billion in 2007, up 33% over 2006.

Packaged Facts presents the market for alternative payments in relation to both the business-to-consumer (B2C) ecommerce market and the total "consumer" payments market. The report presents the size and growth of the market using several key metrics, including paper payments, card payments and electronic payments, as well as trends and factors that affect the industry. Special regard is given to the activity of top players and the varied upstarts, particularly in mobile payments, hoping to steal share and further alter the old school payments paradigm. Major key competitors are profiled, along with a focused analysis of consumer payment demographics and preferences.

Note: Packaged Facts defines alternative payments as entirely electronic and predominantly conducted over the Internet (though not all are conducted through the ACH network). Generally, alternative payments exclude all forms of paper and any debit or credit card where the purchase or remittance is made directly with that medium. The most common alternative payments are consumer-to-business purchases and peer-to-peer, also referred to as person-to-person (P2P) payments.


PIN Debit Payments Blog



Cards Replacement Task Begins...


A significant number of First Commonwealth Bank customers soon will receive new debit cards.

The Indiana, Pa.-based bank recently was notified by the Fraud Management Department of MasterCard International of a data security breach of a U.S.-based merchant which has since been identified as a card processor, Heartland Payment Systems of Princeton, N.J.

Affected customers soon will receive a new debit card but will keep their same PIN number.

"This was a payment processor so this is pretty unusual," Fulgenzio said. "MasterCard and Visa do a good job enforcing their rules and regulations. I think the situation is getting better because Visa and Mastercard are getting stricter with penalties for the compromise of data."

However, when breaches occur, customers are protected. "Any time there is an unauthorized transaction, the customer is protected by the Electronic Fraud Transaction Act," Fulgenzio said. "The customers are covered by these kinds of transactions, but it does create a hassle. They will not lose their money."


Platte Valley Companies and First State Bank have canceled bank cards for nearly 600 customers after learning the records of a third-party credit card processor were compromised.

"Upon notification by the VISA Alert and its high risk level, Platte Valley Bank made the decision and took immediate steps to block the cards affected, to prevent fraud and safeguard its cardholders. Platte Valley Bank began notifying its VISA Debit Card customers of the data breach and status of their cards. New cards will be issued upon receipt of application from those customers affected."

Forcht Bank - Kentucky's Forcht Bank has canceled more than 8,500 debit cards, and it's likely other banks will soon be taking similar steps. Forcht disabled 8,500 debit cards after learning hackers accessed data belonging to a company that processes debit card transactions from merchants. New cards will be sent to those customers in the next week to 10 days.

Editor's Note: So that's 600 + 8500 + "significant." Assuming "significant" is 90,000 cards, then Heartland only has to pay for the remainder of the 99 million plus cards that need to be replaced...

Update:  Heartland has no plans of closing its doors, as eventually was the case with payment processor CardSystems Solutions, which itself suffered a devastating breach in 2005. "We're going to be a better company for it," a Heartland spokesman said.   (Yeah, and college cheerleaders still jump up and down with their team down 51-0, let alone 100 million to nothing.)

For those who are interested in reading more...there's a good story on the banks' start of their card replacement triggered by the Heartland breach at: www.digitaltransactions.net



Tom Ridge at MRC


TOM RIDGE TO ADDRESS E-COMMERCE LEADERS IN LAS VEGAS

FIRST SECRETARY OF HOMELAND SECURITY TO SPEAK AT MERCHANT RISK COUNCIL’S ANNUAL E-COMMERCE PAYMENTS AND RISK CONFERENCE

(Seattle, WA - January 23, 2009) The Merchant Risk Council (MRC) is pleased to announce the addition of former US Congressman, Governor of Pennsylvania and the nation’s first Secretary of Homeland Security, Tom Ridge, as a special keynote speaker for the MRC’s 7th Annual e-Commerce Payments and Risk Conference at the Wynn Las Vegas Resort on March 10-12, 2009.

Ridge will address e-Commerce security, fraud, risk and payments experts on growing cyber security issues that affect both US security and the US and global economies.

"We know that there are connections between e-Commerce fraud risk and national and economic security," says Tom Donlea, MRC executive director. "The issues that retailers face and the crime groups that target them are often the same threats that Homeland Security is tracking. Governor Ridge's insights on the topics of global risk and emerging threats will prove an invaluable asset for the world leaders in e-Commerce."

The primary themes of the 2009 conference are: Fighting New Patterns of Fraud and Cybercrime; Emerging Risk Management Trends; and Global Online Payment Strategies.

The MRC Annual Conference includes more than 40 speakers and panelists, 30 unique sessions and 40 payment and risk industry exhibitors all delivering valuable insight and information on the growth, diversity and risks associated with e-Commerce.

The Honorable Tom Ridge is currently the president and CEO of Ridge Global LLC. As the company's chief executive, he leads a team of international experts who help businesses and governments address a range of needs throughout their organizations, including risk management and global trade security, strategic business generation, technology integration, event security, crisis management, campus security and other issues that encompass a diverse portfolio.

Governor Ridge's presentation is sponsored by Ethoca, a leader in collaborative fraud management and an MRC Signature Sponsor Member.

"We are excited to sponsor Secretary Ridge's presentation at the MRC Annual Conference," states Andre Edelbrock, Ethoca's CEO. "The MRC is all about online merchants working together to mitigate risk and stay on top of new and growing threats, and Mr. Ridge's insights into global risk and security issues dovetail with the MRC’s vision of creating a safer and more profitable e-Commerce environment for all stakeholders."

Travelocity.com founder Terry Jones will deliver the conference’s official opening keynote speech, focusing on the business of innovation. The conference’s closing keynote will be delivered by Dateline NBC correspondent Chris Hansen, sharing his findings on the rapidly maturing underworld of cybercrime.

For full conference schedule, registration and exhibition information, please visit the MRC website at www.merchantriskcouncil.org.

About the MRC Annual Conference
The Merchant Risk Council 7th Annual e-Commerce Payments and Risk Conference will be held at the Wynn Las Vegas Resort on March 10-12, 2009. The 7th Annual e-Commerce Payments and Risk Conference unites the world's top Internet merchants, credit card companies, risk management providers, law enforcement agencies and various consultants and educators in discussing how to make shopping on the internet easier, safer and more profitable for all involved.
Conference Sponsors include:

* Chase Paymentech: Primary sponsor of the 2009 General Conference
* Accertify: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* iovation: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* Clear Commerce/Certegy: Sponsor of the Opening Night Welcome Reception
* Ethoca: Sponsor of Speaker Tom Ridge
* Experian: Sponsor of Speaker Terry Jones
* Discover: Sponsor of Closing Speaker Chris Hansen and the Closing Conference Reception

For registration or exhibition information at this conference, please visit the MRC’s website at www.merchantriskcouncil.org.

About the Merchant Risk Council
The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education and advocacy programs to make electronic commerce more efficient, safe and profitable.

Today, with the power of our member-base, the MRC is the leading trade association for managing payments, preventing online fraud and promoting secure e-Commerce. The MRC is dedicated to working with e-Commerce and multi-channel merchants, credit card issuers, credit card companies, alternative payment providers, risk management experts, and law enforcement to make the Internet a safer and more profitable place to do business.


The MRC Board of Directors and Advisors includes: Expedia, Inc., Adobe Systems, Inc., Neiman Marcus Direct, 41st Parameter, Apple, BestBuy.com, Bill Me Later, Blizzard Entertainment, Chase Paymentech, CyberSource Corporation, Dell, Inc., Discover Network, Gap, Inc. Direct, iovation, Microsoft, Trustwave, and Visa, Inc.

The MRC is headquartered in Seattle, Washington.

About Ethoca
Ethoca is making e-commerce safer and more profitable through technology that enables and empowers the Global Fraud-Fighting Community - a partnership of e-commerce businesses, law enforcement organizations, fraud solution vendors, credit issuers and payment processors.

By providing a global platform for cross-industry collaboration, Ethoca enables businesses that operate in customer-not-present environments (Internet, phone, fax or mail) to make more informed decisions about their customer transactions, by pooling transaction experience data from the community in a way that is secure, automated, effective and ethical. Community members see reduced fraud, lower fraud-related costs, increased revenue from fewer wrongly rejected orders and improved customer satisfaction rates.

Source: Company Press Release

Data Isn't but V/MC's Protected

In my last post, I ended it by saying that Heartland's only chance for survival is getting the dynamic duopoly, a.k.a. V/MC, to cover the costs incurred by the banks having to replace consumer cards. I thought they had a decent argument, given the fact that they were PCI compliant.

Well, I just got done reading an article which contained a statement from Visa regarding PCI assessments...it seems to thwart any legal argument Heartland may have.

You see, apparently the data might not be protected, but V/MC has certainly made sure that they are.

Information Week's Andrew Conry-Murray, in an article titled, "PCI is Meaningless, But We Still Need It", points out:

Assessments "do not guarantee that those security controls remain in place after the review is complete."  In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off.


He goes on to say: "I believe PCI was constructed this way for two reasons.

First, it absolves the assessors and the card brands of any liability should a compliant company get breached.  The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows."


Yes, and it looks like Heartland gets to play the part of roadkill...
the banks/V/MC get to pick their part,  scratch that, pick-a-part  in their role as a "murder of crows."

Heartland's tough battle just got tougher...and the prognosis isn't good.  Lizbith...dis is da big one!



Questions About PCI Effectiveness - Network World

I saw an interesting article in Network World, which basically questions PCI's effectiveness in the wake of the RBS and Heartland breaches. In a post I wrote earlier this week, "In God We Trust, Visa/MC is Another Issue(r)," I wrote:

"The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payment system at its very core. Whether it's Visa, MasterCard or NACHA, if any of these systems are breached, it's the end of e-payments as we know it. Do they know it?"


I'm aware of someone else who knows it....in this article, Avivah Litan points out some very interesting facts, some of which I've included below.   To read the entire article, click the Network World link below:

Heartland breach raises questions about PCI standard's effectiveness - Network World

It's not yet known if Heartland Payment Systems' newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded.

"Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan.  "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt."

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers.

"The processors are definitely being targeted," Litan says, noting that once a breach occurs, it can have a terrible impact on business. CardSystems, which suffered a data breach in 2005, was basically put out of business as a result of it.

Editor's Note: Speaking of impact, will Heartland ever recover from this nightmare? There's definitely a black cloud hanging over it. Yesterday their stock went into a free fall, ending 42% lower than it started out. I expect a significant merchant attrition impact, so even if they do come out of it, it won't be as the nation's 6th largest acquirer. At the end of the day, I believe what determines Heartland's survival is whether they (or their lawyers) can get Visa/MC to cover the banks' cost of replacing all the debit/credit cards.

You might think that the fact that they were PCI certified and that the data was encrypted when it left the building, but unencrypted at the V/MC level would provide fodder for a good argument. I have the sneaky feeling that the "dynamic duopoly" will hold that Heartland is liable. It's going to get messier before it gets prettier, no doubt.




