UATP, the low cost travel payment network privately owned by the world's airlines, has been looking for alternative payment solutions to provide the global airline industry with access to the lucrative cash market.
Its deal with Ukash will open up air travel to a huge proportion of the world's population that are currently 'unbanked' or without credit or debit cards, as well as those that choose not to make purchases over the internet due to fears of online fraud and identity theft.
UATP, which works with over 250 airlines, is diversifying its product offering as it looks to attract new consumers and maintain demand for air travel in the difficult current economic climate.
Ukash customers exchange cash for a prepaid voucher containing a unique 19-digit number which is then used to pay online. As an online payment method, Ukash provides those without access to bank accounts with a viable, safe solution for spending their money over the Internet and offers a solution to the problem of credit card fraud.
The secure Ukash voucher number is used to pay online, and as it's prepaid the payment is assured to the merchant. No financial details are exchanged with the merchant, making Ukash increasingly attractive to online consumers concerned about data security.
"Working with UATP to offer Ukash to airlines around the world will bring considerable benefits. Carriers now have the option to accept risk-free payments from consumers in countries with low card penetration whilst reassuring their customers that online payments are safe," adds Ukash CEO Mark Chirnside.
"The growth of low cost carriers is putting air travel within reach of many more people so we're delighted to add Ukash to the range of payment methods we can offer our airline partners," comments Ralph Kaiser, CEO of UATP. "We want to remove the barriers to travellers getting online access to the best range of flights and other travel services so adding payment services like Ukash that are prepaid and preserve financial anonymity is a great move forward."
Consumers from across the world can purchase Ukash vouchers online, on mobile or at more than 275,000 stores globally.
About Ukash(TM)
Ukash(TM) is a globally-recognised e-commerce payment method to enable online purchases using cash, providing freedom from credit and debit card fraud, repudiations and charge-backs, and protecting personal identity.
Ukash(TM) is regulated by the UK Financial Services Authority (FSA) and operates as one of only a small number of Electronic Money Institutions, a status that allows a single maximum online cash payment transaction of up to 500 Sterling pounds/750 euros.
Uniquely numbered Ukash(TM) vouchers are widely available through payment terminals in retail outlets across Europe and South Africa. In the UK, they are also available direct to mobile for Vodafone subscribers and from spring 2009, Ukash vouchers will also be issued online from the company's website in most European territories.
The technology behind Ukash is protected by several patents registered across the Smart Voucher database and functionality and is, as such, protected by Patent Law in all the major economies of the world. Ukash(TM) is a registered trademark of Smart Voucher Ltd.
In 2008, Ukash(TM) established a strategic partnership with South African payments giant Blue Label Telecoms to develop the brand's services.
For more information please visit http://www.ukash.com
Thursday, April 2, 2009
UATP to Accept UKash
Will Hannaford Breach Result in Trial?
The upcoming ruling will determine whether parts or all of the lawsuit against the company will go forward.
By TREVOR MAXWELL, Staff Writer April 2, 2009
PORTLAND — A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.
Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial. The upcoming ruling will determine whether parts or all of the suit will go forward.
The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?
"These are fascinating and difficult issues," Hornby said after hearing the arguments Wednesday. "I'll get a written decision out to you as soon as I can."
Between Dec. 7, 2007, and March 10, 2008, hackers stole credit and debit card numbers, expiration dates and PIN numbers from people shopping at Hannaford supermarkets. The grocery chain operates more than 200 stores under various names in New England, New York and Florida.
More than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made.
Continue Reading at the Portland Press Herald
LinkedIn Users Prefer Online 8 to 1 Over Mobile Banking - NetBanker
By Jim Bruene on 2009/04/01 17:49 Eastern Daylight Time
In a completely unscientific poll of 123 LinkedIn users I conducted about two hours ago, I found they overwhelmingly prefer the online channel over all others when accessing bank transaction data (see notes 1, 2, 3).
I was expecting mobile to be higher. But unless you have a new-generation smartphone and your financial institution supports mobile, it's unlikely to be your first choice. So given that mobile's only been widely available in the United States for about a year, a one-in-ten preference is a strong start.
I also expected a bit more interest in the other choices: ATM, voice and social network, which only drew 3% of responses in total. Social networks went 0 for 123, showing that it's not yet viewed as a place to review financial data (note 4), at least among LinkedIn users. In a much differently worded poll of Facebook users a year ago, we found that 13% were willing to view their bank balance within the social network.
Q. All else being equal, how would you prefer to access bank transaction data?
Source: Netbanker/Online Banking Report poll of 123 U.S. LinkedIn users who self-selected to respond to poll while logged in to LinkedIn; fielded between 1 and 2pm on 1 April 2009 using in-network polling tool.
Notes:
1. The question is strictly limited to 75 characters, I couldn't make it as precise as I would have liked. For instance, I would have liked to add "assuming it's secure" and "your personal" to "transaction data." It's possible some respondents were thinking more about global banking data than their own personal transactions. The poll also displayed "by Jim Bruene, Owner, Online Banking Report" in the lower-left, potentially biasing results.
2. LinkedIn users are given opportunities to respond to polls while logged in to the service. There is no financial benefit to taking the survey, but they do get to see results after taking it.
3. There were significant differences based on demographics, for instance women were almost twice as likely to select "mobile." And zero men, and 4% of women, chose voice call as the preferred method. But due to the small sample size, these demographic breakdowns don't hold much weight. There also appear to be some mathematical errors in the demographic splits, so I'm not going to cite them further until LinkedIn cleans up its algorithms.
4. An interesting result, given the poll was conducted within a social network among social network users. Actually, "the branch" beat social networks, drawing one "write-in vote" in the poll comments (it was not one of the five choices).
5. For more info on mobile banking see our latest Online Banking Report on Mobile Banking 2.0 -- iPhone Edition.
Black Hat Researcher Hacks Database Servers

New tool to be unleashed at Amsterdam conference uses SQL injection to gain a foothold into the underlying database server
By Kelly Jackson Higgins - DarkReading
A researcher at Black Hat Europe this month will demonstrate a new hack that uses SQL injection as a stepping stone to take control of a database server.
"SQL injection becomes a stepping stone to the real target: the operating system," says Bernardo Damele Assumpcao Guimaraes, an IT security engineer based in London. "I will focus on exploiting SQL injection in a Web application to get control over the underlying OS," in addition to the database software, says the researcher, who goes by the surname Damele.
SQL injection is a popular attack vector in Web applications, (Editor's Note: 450,000 Attacks PER DAY!) mainly because it's one of the most common flaws found in these apps. Web application SQL injection attacks typically target client browsers, infecting them when the victim visits a compromised Website. Another SQL injection attack is on the database itself, via a Web application carrying that vulnerability.
But Damele's new hack kicks SQL injection up a notch, using it as a first level of attack to gain control of the database server itself, as well as any systems connected to it. That includes other servers in the same LAN, plus the data in the database itself. His attack goes after MySQL, Microsoft's SQL Server, and PostgreSQL running on Windows or Linux servers. "[This] possible scenario of attack for a SQL injection is the most overlooked and [under]researched," he says.
In one attack demo, Damele will show how to exploit a buffer overflow flaw in the database software by injecting valid SQL code. He has a few other attacks up his sleeve for Black Hat, too: "I will demonstrate other possible techniques to exploit other Windows design flaws to escalate privileges via a SQL injection," he says. "The idea is to take advantage of some of the design weaknesses of the database management system, and combine it with [weaknesses] in the programming development of the Web app to execute arbitrary code, upload binary infection files, and carry out also buffer overflow exploitation."
Editor's Note: Again I have to ask...when people's PINs are eventually obtained due to inherent weaknesses in ALL software, who has the liability? Cause it's going to be one helluva'n expensive breach...who pays the bill?
The consumers? No, they just get to go through two weeks of hell...
The merchants? They'll lose their cost of goods bought with the fake transactions, but, I don't think that hackers will be wasting their time buying goods when they can go straight to the ATM and get CASH.
If they go straight to the ATMs the banks lose the cash, but then do they go after the EFT Networks to get it back? It'll be one mell of a hess when it (or, I suppose in "fairness" I should say) "if" it happens...
Continue "DarkReading"
Well This Makes Me Feel Better
Battling against online fraud is an "escalating war," according to Katherine Hutchinson, senior director of global risk management for PayPal.
Every time companies set up a new roadblock to combat the problem, the fraudsters eventually find a way to work around the new obstacle. The arms race then ratchets up again over some other weakness in credit card payments.
At the Web 2.0 Expo Internet conference yesterday in San Francisco, Hutchinson painted a bleak portrait of the combat.
Boiler rooms filled with fraudsters who try to gain access to credit card numbers using a variety of means from phishing e-mails to computer keystroke monitoring to software that guesses credit card numbers, (Editor's Note: OR PINS) sometimes accurately, sometimes not, zombies, malware, bots, viruses, remote takeovers, DNS Hijacking, the list goes on and on...and on.
Hutchinson had a few interesting points to share about fraud rates, based on the countries where the transactions originate.
Lowest risk:
1. Austria
2. New Zealand
3. Taiwan
4. Norway
5. Spain
Highest risk:
1. Ukraine
2. Yugoslavia (curious, since the country doesn't exist anymore)
3. Lithuania
4. Egypt
5. Romania
Posted By: Verne Kopytoff | April 01 2009 at 03:11 PM
Payment Industry Swallows Its Own Tail
The following post, "Payment Card Industry Swallows Its Own Tail," is courtesy of Anthony Freed - Financial Editor of Information Security Resources. I've gotten to know Anthony a little bit via the blogging community and have come to enjoy his unique style of writing. (he's a REAL journalist...while I'm aware of the fact that I'm just a third rate blogger...okay...I digress...fourth-rate! (And to those who would disagree I would simply ask... c'mon be nice...fifth-rate is a little harsh on me, is it not?:-) Anyway..., Mr. Freed wrote an article (which I'm sure you'll be able to find posted at a multitude of respected websites today) about the recent House of Representatives' Committee hearings on payment card security.
Personally...I abide by the belief that the Payment Card Industry Security Council does exponentially more good than bad, and after having personally met Bob Russo, I have no doubt he is on a mission to fully protect payment card data. He's got a tough job. There are a multitude of hackers, and they work 24/7/365...(unless it's leap year).
Coincidentally, the only time I've ever posted the picture (above left) was the last post (On to the Next Breach) I covered from Anthony. Based on the title of THIS POST...I had to use the same graphic. Here's Anthony's article...
Payment Card Industry Swallows Its Own Tail
PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.
Why the dire prognosis?
Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, and punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.
But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.
The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.
Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.
First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.
Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant - regardless of their being listed as in good standing with the council at the time of the breach. From Securosis.com:
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.
Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:
“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming - or excluding — Heartland. “The breaches that we have seen have involved a key area of non-compliance.”
To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.
“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”
This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.
Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all. From Forbes.com:
Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”
Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.
Is it any wonder that the future of PCI DSS is in question?
And what could possibly be worse than an entire industry at each other’s throats in the midst of the biggest security problems they have faced to date?
Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.” Also from Forbes.com:
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.
It’s all uphill now.
During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.
I likened the public displays of policy incongruity and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to that of the image of a snake swallowing its own tail.
I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.
That was one long month ago, and the opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.
PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.
Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.
The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
Wednesday, April 1, 2009
Cybercrime Jumps by (33%) a Third Last Year
By Carol Cratty
CNN Senior Producer
WASHINGTON (CNN) -- Internet-based rip-offs jumped 33 percent last year over the previous year, according to a report from a complaint center set up to monitor such crimes.
The report said that about 77.4 percent of perpetrators of Internet fraud were men.
The total dollar loss from those crimes was $265 million. That's $26 million more than the price tag in 2007, the National Internet Crime Center said. For individual victims, the average amount lost was $931.
"This report illustrates that sophisticated computer fraud schemes continue to flourish as financial data migrates to the Internet," said Shawn Henry, the FBI's assistant director of the Cyber Division.
Americans filed 275,284 reports claiming to be ripped off on the Internet, the highest number reported since the center began keeping statistics in 2000.
The dollar loss has been on a steady increase since 2004, while the number of cases referred to law enforcement has decreased steadily since that same year.
Continue Reading at CNN
Credit Card Data Inadequately Protected - Retailers
Retailers: Credit card data inadequately protected
by Stephanie Condon
WASHINGTON--The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of conveniencing the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.
In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.
The credit card industry maintained at a congressional hearing Tuesday that self-regulation is effective, pointing out that since the PCI standards were published, security breaches have occurred only when an entity is not fully in compliance with the standards.
"I have no doubt that compliance to PCI standards are the best line of defense," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."
Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.
"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."
Continue Reading at CNet News
PayPal Says Online Fraud Rising - WSJ Blog
By Geoffrey A. Fowler
EBay’s PayPal kicked off the Web 2.0 Expo in San Francisco Wednesday with a frightening presentation on the “arms race” between online fraudsters and online retailers and shoppers.
Online fraud is becoming so lucrative, said Katherine Hutchison, PayPal’s senior director of global risk management, that it has developed into an industry with specialized players that hire each other in areas such as harvesting credit card numbers and freight forwarding. “A single professional thief doesn’t have to have all of the skills needed to commit fraud,” she said.
Here’s one trick: fraudsters use telephone services designed for the deaf to get an operator with a friendly (and middle-American) sounding voice to make calls on their behalf to a call center. “The telephone operator could realize this is very likely to be fraud, but they are legally blocked from saying anything other than what the person placing the call tells them to say,” said Hutchison.
Old techniques to track down fraudsters are becoming less helpful, she added. For example, e-commerce sites regularly check the location of an IP address making a purchase to see if they’re coming from a known high-risk place or see if they’re trying to buy something far away from where they’re asking for it to be delivered. But increasingly fraudsters hide their location by using satellite-based Internet service providers, or use “zombie” computers to reroute their traffic so it looks like it is coming from someplace harmless.
Worse, the recession seems to be contributing to the problem. Hutchison said that consolidation of the banking industry has confused consumers and made many of them susceptible to attacks from fraudsters who got them to hand over account information by pretending to be from a new bank that needed to confirm their address and other account details.
Layoffs of technically minded people around the world are also contributing to a spike in sophisticated online fraud, she said. “You always see white collar crime go up when we have a recession,” said Hutchison.
PayPal makes money by selling a transaction service to e-commerce sites and consumers that make them feel more secure with online sales, so the company has a stake in all this. But Hutchison admits that efforts to stop fraud can cause problems for businesses if they go too far, by annoying or turning away legitimate customers, especially outside of the U.S.
“There are some legitimate Nigerian shoppers, but it is very difficult to shop on the Internet if you live in Nigeria,” said Hutchison.
On Terrorism and Credit Card Fraud
Counterterrorism Blog: My Written Statement for Congress on Credit Card Use by Terrorists
By Andrew Cochran
Yesterday, the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the U.S. House Committee on Homeland Security held a hearing titled, "Do the Payment Card Industry Data Standards Reduce Cybercrime?" The subject of the hearing was to examine whether data security requirements for businesses that store, process, or transmit personal information during Internet payments provide sufficient protection against data breaches, fraud, and terrorism. The subcommittee invited me to submit a written statement on the use of credit cards by terrorists. My statement quoted from and summarized posts by Contributing Experts Dennis Lormel, Matthew Levitt, and Michael Jacobson, and included information from our panel on February 29, 2008, “Meta-Terror: Terrorism and the Virtual World,” with Contributing Experts Evan Kohlmann and Roderick Jones and the Senior Vice President and Chief Technology Officer of VeriSign. You can download my three-page statement, and here is an excerpt:
Credit cards are extremely vulnerable to fraud and are used extensively by terrorists. The internet not only serves as a learning tool for terrorists but also functions as a mechanism to steal credit card information through hacking, phishing and other means. In many instances, when terrorist operatives are apprehended, they have multiple identifications and credit cards in a variety of names in their possession. The terrorists who executed the devastating 2004 Madrid train bombings, which killed almost 200 people, and who carried out the deadly July 7, 2005, attacks on the transportation system in London were self-financed, in part through credit card fraud.
Younes Tsouli, aka “Terrorist 007,” and his two associates, Waseem Mughal and Tariq al-Daour, used computer viruses and stolen credit card accounts to set up a network of communication forums and web sites that hosted everything from tutorials on computer hacking and bomb making to videos of beheadings and suicide bombing attacks in Iraq. They raised funds through credit card information theft and fraud, which were used to support the communications, propaganda and recruitment for terrorists worldwide, as well as to purchase equipment for Jihadists in the field. One expert described their activities as “operating an online dating service for al-Qaeda.” The three men pled guilty to inciting terrorist murder via the internet.
• Stolen credit card numbers and identities were used to buy web hosting services. At least 72 stolen credit card accounts were used to register more than 180 web site domains at 95 different web hosting companies in the U.S. and Europe.
• On one computer seized from al-Daour’s apartment, some 37,000 stolen credit card numbers were found. Alongside each credit card record was other information on the identity theft victims, such as the account holder’s address, date of birth, credit balances and limits.
You can download the testimony by the witnesses from the hearing website. I appreciate this opportunity and thank the subcommittee chairwoman, Rep. Yvette Clarke, for the invitation.
April 1, 2009 06:20 AM
40% of S/M Banks Unhappy with ACH System in North America
Finextra: 40% of small to mid-size North American banks not happy with ACH system - survey
01 April 2009
Almost 40% of small and mid-sized banks in North America are not happy with their current ACH system, according to a survey for Fundtech.
The independently conducted survey of 70 payments professionals shows 60% of banks have seen an increase in revenue from ACH transactions over the last year and 48% recognise the potential of their systems as a source of revenue and competitive advantage.
However, the need for more sophisticated reporting and functionality in order to meet market, regulatory and economic demands, is putting pressure on banks' existing ACH systems, claims the vendor.
Half of respondents say inadequate reporting is an area of concern in relation to their ACH systems, whilst 27% cite insufficient automation.
Continue Reading at Finextra
Mazooma and DataCash Partner
DataCash, the U.K.'s market-leading payments service provider, announced a partnership with Mazooma, the first real-time online debit payment solution for U.S. consumers.
DataCash will offer Mazooma as a payment option for its global merchants. With Mazooma, DataCash merchants can offer their U.S. customers a secure option to pay with cash online.
Mazooma enables customers to make online purchases without a credit card by using their Internet bank account. The system does not require pre-registration, which means that customers can use it immediately. Merchants in turn get instant authorization that allows them to ship the order at once. At present, Mazooma supports over 70% of all consumer bank accounts in the U.S. and has no jurisdictional limitations.
DataCash works with about 1,000 merchants across the globe and provides them with a single interface to process payments both on and offline. Its portfolio includes worldwide merchants from the retail, travel and telecommunications sectors.
PCI DSS Gets Flayed at House Hearing
04.01.2009
The PCI standard, long touted as one of the private sector's best attempts to regulate itself on data security, is increasingly showing signs of coming apart at the seams.
At a hearing in the U.S. House of Representatives Wednesday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little thus far to stop payment-card data thefts and fraud.
The hearing, held by a subcommittee of the House Committee on Homeland Security, also highlighted the longstanding bitter divide between retailers on one side and banks and credit card companies on the other over the role that the latter organizations should play in protecting card data.
In one of the bluntest denouncements of PCI DSS to date, Rep. Yvette Clarke (D-N.Y.), chairwoman of the subcommittee that held the hearing, said the standard by itself is simply not enough to protect cardholder data. The PCI rules aren't "worthless," Clarke said. But, she added, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that."
Many of PCI's limitations have to do with the static nature of the standard's requirements, according to Clarke, who said the rules are ineffective at dealing with the highly dynamic security threats that retailers and other merchants now face.
For instance, she pointed to the data breach disclosed early last year by Hannaford Bros. Co., which said that attackers had stolen card numbers and expiration dates by installing malware on servers at each of the Scarborough, Maine-based grocery chain's stores and capturing the data as cards were swiped at cash registers.
Hannaford was certified as PCI-compliant by a third-party assessor in February 2008, just one day after the company was informed of the system intrusions, which had begun two months earlier. That means the grocer received its PCI certification "while an illegal intrusion into its network was in progress," Clarke said.
Similarly, RBS WorldPay Inc. and Heartland Payment Systems Inc. were both certified as PCI-compliant prior to breaches that the two payment processors disclosed in December and January, respectively. Visa Inc. dropped Heartland and RBS WorldPay from its list of PCI-compliant service providers last month and is requiring them to be recertified, although it has said that merchants can continue to do business with the two companies in the meantime.
Clarke also blasted the credit card companies and card-issuing banks for continuing to use what she described as "1950s-era" payment systems. She called on them to make the investments that are needed to move away from magnetic stripe and signature transactions to the kind of approaches used in Europe and Asia, such as so-called chip-and-PIN techniques.
"The bottom line," Clarke said, "is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now."
An independent governing body called PCI Security Standards Council LLC, with representatives from the credit card companies, banks and merchants, was set up to administer PCI DSS in 2006.
But Michael Jones, CIO at arts and crafts retailer Michaels Stores Inc. and one of the people who testified at Tuesday's hearing, said that the PCI rules appear to have been developed more "from the perspective of the card companies, rather than from that of those who are expected to follow them." As a result, he contended, the requirements aren't always about better securing...
Continue Reading at The Industry Standard
Ingenico Warns About Contactless Technology
Ingenico warns contactless technology will divide the market
01 Apr 2009
LONDON — Ingenico, a provider of payment solutions, says contactless technology will split the retail market this year, improving sales figures for early adopters and costing those who shun the additional investment in this burgeoning technology.
According to a news release, in the last quarter Barclays issued its millionth Barclaycard, a contactless credit card, and announced the launch of contactless debit cards. Consumers are now driving the uptake of the card, unlike with chip and PIN in 2006.
But Ingenico warns that retailers must consider their customers’ payment expectations when investing in POS terminals this year. Those retailers who adopt contactless technology can expect swifter transactions, increased footfall and smaller queues.
"Consumers are demanding and have high expectations," said Gregor Rankin, Ingenico's marketing manager for northern Europe. "If they receive a new contactless card from their acquirer, they expect to be able to use it. It is not the case that every retailer in the U.K. has to invest in this technology today. However, for retailers that value customer service and demand the highest level of customer experience, it absolutely is something for which they should already have a strategy in place."
Rankin says in 2009, it will be important for retailers to differentiate themselves to drive customer loyalty.
"Obviously retailers planning to refresh their POS systems would be sensible to incorporate a contactless strategy into their deployment plan," he said. "Contactless terminals cost little more per unit than non-contactless versions. When you consider that it allows six times more transactions an hour than standard solutions, there is a strong case for investment. Retailers should consider what the right option for them is and make sure they aren’t missing a trick."
Great Article on Potential PIN Debit Hack
Banks face a bigger risk than robbery in high-tech heists
by Claude Solnik - Long Island Business News
Published: April 1, 2009
Bank customers know that if their ATM card is stolen, thieves could sneak money out of their accounts. But millions of dollars? In at least one case, bank robbers committed a massive global bank robbery with counterfeit ATM cards.
Last December RBS WorldPay, a payment processor, announced that as many as 1.5 million accounts had been compromised by thieves. But the robbers didn’t wreak havoc with everyone. They didn’t need to.
Hackers who hit RBS’s database, exposing a vast number of accounts to potential havoc, only copied about 100 cards. But it was enough to do a lot of damage.
They raised withdrawal limits and otherwise altered codes so they could make $500 withdrawals in cities ranging from New York to Moscow and Hong Kong. By the time they were done, they had siphoned off $9 million in one day.
Long arm of the unlawful
RBS is the most recent case of bank robbery with a twist, but only one example of how banks’ reliance on technology in an interconnected world can put them at risk around the globe.
Tom Field, editorial director of Information Security Media Group, which operates bankinfosecurity.com and cuinformationsecurity.com, said robberies affecting U.S. banking customers now go far beyond U.S. borders.
“This is an international issue,” Field said, citing the ability to access networks worldwide. “For hackers are everywhere, they’re insiders, customers themselves.”
Field cited data vulnerability as a key concern, but the biggest threat to bank data today may not be within banks themselves. Field said it may be exposure to hackers breaching credit and debit card processors.
Continue reading at LIBN
E.U. Drops Antitrust Case Against MasterCard
Published: April 1, 2009
BRUSSELS — The credit card company MasterCard has settled an antitrust case by agreeing to reduce fees that raise costs for retailers, European Union regulators said Wednesday. But MasterCard said that its measures were provisional, and that it would continue a broader battle over the level of the fees in court.
Competition Commissioner Neelie Kroes of the E.U. said the move by MasterCard could save money for retailers and consumers, particularly those shopping across European borders, and she underlined that the settlement was an element in a broad effort to encourage spending and give the economy a boost.
The agreement would “provide a fair share of the benefits to consumers and retailers,” she said. Ms. Kroes also warned Visa, another card company, it remained under investigation, and she said she would monitor the business practices of other payment card operators to ensure they also benefited retailers and consumers.
The European Commission ruled in December 2007 that MasterCard’s cross-border transaction fees broke European Union antitrust rules. That ruling could have led to steep fines on the company.
MasterCard appealed that decision to the European Court of First Instance, which still must make a determination on how it sets its so-called multilateral interchange fees.
The fees are paid between banks, but lobby groups for retailers have argued the levies inflate prices for shoppers.
Ms. Kroes said MasterCard had agreed to cut its transaction fees to 0.3 percent for credit cards and 0.2 percent for debit cards. The company’s cross-border fees were significantly higher in 2007.
“We do not believe this level of interchange is adequate to sustain strong competition in the European payments industry,” Reuters reported MasterCard as saying Wednesday.
Fallout from Heartland Breach Continues
Seamus McAfee of CreditCards.com has posted a great article on the Heartland breach. To read "Heartland data breach damages still mounting" in its entirety, click here.
What follows is an excerpt:
The breach
Visa's move is one in a long string of events since Jan. 20, 2009, when, after being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland announced that malicious software had compromised its data in 2008. The data potentially exposed through this breach includes card numbers, expiration dates and other data from the card's magnetic stripe, and in some cases, the names of customers who used debit or credit cards at Heartland's network of 250,000 businesses.
Heartland has not disclosed the extent of the breach, but industry officials have described it as one of the largest in history. Banks across the country moved quickly and began sending out replacement cards, and advised consumers to watch their account statements more closely than ever.
The residual fallout continues:
- Heartland faces dozens of lawsuits in federal and district courts, including one from an investor who filed a claim in the U.S. District Court of New Jersey, on behalf of all Heartland investors who lost money in Heartland from August 2008 to February 2009.
- United Bank also responded to the breach by re-issuing several of their debit and credit cards to a list of consumers supplied by Visa. MasterCard has not re-issued any of its cards.
- Visa and Heartland released statements assuring their customers that although Visa was suspending Heartland, the processor was still valid in the Visa system. According to both companies, it was in response to rivals' attempts to capture customers with false claims that using Heartland could result in fines or certification problems.
- Heartland announced it has fallen subject to formal inquiries by the Securities and Exchange Commission, the Federal Trade Commission, the U.S. Department of the Treasury's Office of the Comptroller of the Currency, as well as an investigation by the U.S. Department of Justice.
- Heartland's stock value has plunged since the announcement of the breach, hitting a 52-week low of $3.57 on March 12, since hovering close to $20 a share in early January.
- Credit unions have been hit hard by the breach, most notably the Healthfirst Credit Union, which has incurred losses on 800 cards, or 57 percent of their total issued cards, and fraud exceeding $70,000 as a result of Heartland being compromised.
- As of Feb. 12, more than 600 U.S. institutions have been impacted by the Heartland data breach, according to a list kept by Bank Info Security.
According to American Banker, many banks and credit unions are pursuing lawsuits to compensate for the cost to notify customers of the breach, re-issuing cards and repairing accounts for those affected by fraudulent activity. Lawsuits against breached companies have seen little success in recent years. In 2007, TJX Companies agreed to pay $40.9 million in settlements to Visa issuers after announcing a breach with the agreement the banks would not sue the retailer, but the case was never granted class-action status...
Continue Reading at CreditCards.com
JCB International Appoints New President and COO
Since Mr. Sannomiya joined JCB in 1985, he has greatly contributed toward the company's growth as a comprehensive payment solution provider, engaging in a wide array of JCB business encompassing international sales and marketing, corporate strategy planning, and strategic market development. During his 24-year career at JCB, Mr. Sannomiya had held a number of key positions, including Executive Vice President since 2000, providing visionary leadership in key areas and vital issues: corporate planning, supervising JCB's Next Generation System migration project, and developing emerging markets such as small value and utility payment. Prior to his appointment as President and Chief Operating Officer at JCBI, he served as Board Member, Executive Officer, and Head of Strategic Market Development Headquarters Division at JCB, where he helped to substantially expand the horizon of the credit card payment market in Japan by marketing new solutions and services, including widening the small value market with the QUICPay(TM) contactless smart card payment solution, and undertaking Eco-Action-Point program platform operations on behalf of Japan's Ministry of the Environment. Also, in the early years when JCB first took the path to go international as an independent brand and Japan's only international card brand, Mr. Sannomiya dedicated seven years to the company's International Department, and was involved in establishing the first JCB Plaza, the exclusive cardmember lounge now located in multiple major cities around the world, embodying the JCB brand service philosophy.
"It is an honor for me to be appointed to serve in this position. I feel deep respect and appreciation for our predecessors who have built up the JCB brand into a major international credit card brand, ever since their decision to go global as an independent brand in 1981. Moreover, I would like to express my gratitude and confidence in our partners, as today's JCB brand would be nothing without their understanding and cooperation", said Mr. Sannomiya.
JCB International Co., Ltd. (JCBI), headquartered in Tokyo, Japan, is a wholly owned subsidiary of JCB Co., Ltd. (JCB), also headquartered in Tokyo, Japan, the country's only international credit card brand. Aiming to maintain and expand the distribution of the JCB card, and to increase JCB brand value, JCB established JCBI to carry out operations related to the JCB brand, JCB cards, and JCB merchants outside Japan. JCB is also a major issuer of JCB cards and acquirer of JCB merchants as well as the JCB brand-holder. Under the leadership of Mr. Tamio Takakura, President and Chief Executive Officer, JCB is further strengthening its solution business going beyond the credit card business.
About JCB
JCB is a major global payment brand and leading credit card issuer and acquirer in Japan. JCB launched its card business in Japan in 1961 and began expanding overseas in 1981. Its acceptance network includes 12.76 million merchants and over a million cash advance locations in 190 countries and territories. JCB cards are now issued in 19 countries and territories, with more than 60.2 million cardmembers. As part of its international growth strategy, JCB has formed alliances with more than 350 leading banks and financial institutions globally to increase merchant coverage and cardmember base. As a comprehensive payment solution provider, JCB commits to provide responsive and high-quality service and products to all customers worldwide. For more information, visit: www.jcbcorporate.com/english.
Note: JCB statistics included in About JCB are as of the end of September 2008.
Contact:
Kazumi Kinoshita
Supervisor
Corporate Planning
JCB International Co., Ltd.
+81-3-5778-8390
kazumi.kinoshita@jcb.co.jp
Copyright (C) Japan Corporate News NetWork