Friday, July 3, 2009

HomeATM's SafeTPIN Could Cut E2EE Upgrade Costs in Half

End-to-End Encryption Would Cost $4.8 Billion - Mercator

Could HomeATM's PCI 2.0 Certified SafeTPIN cut those costs by $3.0 billion (60%) or more? You betcha!

Digital Transactions published a story on the cost of end-to-end encryption. Here is an excerpt:

Demand is booming for better payment card security as a result of the many data breaches of recent years, and the solution being touted more than any other is “end-to-end encryption.” But a new report from Mercator Advisory Group Inc. asserts that the term is imprecise and implementing the technology will take incentives, collaboration, and a lot of salesmanship. Meanwhile, the final tab for the solution is no small matter.

"A point-of-sale terminal with end-to-end encryption starts at $500 for a mom-and-pop merchant and goes up for multi-lane retailers, the report notes. Author George Peabody, director of the emerging technologies advisory service at Maynard, Massachusetts-based Mercator, estimates the total cost to upgrade all U.S. terminals at $4.8 billion."


Editor's Note: HomeATM's PCI 2.0 Certified "Safe-T-PIN" point-of-sale terminal provides end-to-end encryption and can be purchased by "mom-and-pop" merchants for less than half the price quoted above. Translation: HomeATM reduces Mercator's estimate by $3 billion or more.


In addition, the HomeATM SafeTPIN incorporates an integrated PCI 2.x Certified PIN pad which provides end-to-end encryption across Zone 1 through Zone 5 for PIN transactions and Zone 1 through Zone 4 for credit and signature debit (see illustration below). Because small merchants are the source of most data breaches, they in particular need to improve the security of their cardholder data transmissions by upgrading to a POS terminal that encrypts the Track 2 data (including the Primary Account Number) the instant the card is swiped, so the PAN never exists in the clear on the POS or the store network.

Kenneth Mages, CEO at HomeATM stated, “PCI 2.0 specifications are much more demanding than the previous versions when it comes to protecting a POS system. The choice of Atmel’s AT91SO25 Secure System-On-Chip has been really helpful to speed up and achieve our product certification and to ensure our unique E2EE (end to end encryption).”

MasterCard recently mandated that Level 2 merchants use a QSA to perform an onsite assessment of their Site Data Security. This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs. Another HUGE departure, this time from the $500 previously quoted for an E2EE point-of-sale terminal, is the availability of HomeATM's SafeTPIN with integrated PCI 2.0 Certified PIN Entry Device. Says one analyst: "While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard."

Editor's Note: I agree it's a smart move, but putting a "dent" in Level 2 merchant budgets in these trying times may not be perceived by Level 2 merchants as an "image-enhancer" for MasterCard. Then again, there's more than one way to skin a cat. How about devising an incentive program for (at least Level 3 and Level 4) merchants to increase their security?

An incentive program (such as lowering interchange fees) to entice Level 3 and 4 merchants to upgrade to an E2EE PCI 2.0 device would make perfect sense. Why? Because it would significantly increase security, thus reduce fraud, thus save MasterCard money. It could also save the Level 3 and 4 merchants significant money (remove the dent) if it were able to remove them from the scope of PCI compliance, which in turn would enhance MasterCard's image.


Let's review...
  • HomeATM could cut the cost of providing an E2EE point-of-sale terminal by 60%, saving upwards of $3 billion;
  • The SafeTPIN terminal includes a PCI 2.0 Certified PED, which comes with encryption built in and covers Zone 1 through Zone 5 for PIN transactions (Zone 1 through Zone 4 for credit and signature debit);
  • The SafeTPIN terminal would potentially remove Level 3 and 4 merchants (who are the source of most data breaches) from the scope of PCI compliance, because the cardholder data is never in the clear with an E2EE PCI-compliant device;
  • To create a "win-win-win" environment, Visa or MasterCard could incentivize them to make the upgrade by dangling the lower-interchange carrot in front of them.
Think lower interchange fees sound far-fetched? The author of the Mercator report doesn't. Here's another excerpt from Digital Transactions News...

Small, so-called Level 4, merchants, meanwhile, are the source of most data breaches but often have little awareness of card-related security problems and balk at spending money to fix them. One way to spur the technology: interchange incentives for merchants. In the past two decades, Visa Inc. and MasterCard Inc. have offered price breaks to encourage merchants to use electronic terminals and to bring entire check- and cash-oriented merchant segments, including grocery stores and recurring billers, into the card-acceptor tent. “There’s no evidence that that’s in the offing, but there’s precedence for it,” says Peabody (the author of the Mercator Report).

Here's a graphic of the zones required for complete 100% end-to-end encryption. Only PIN transactions can be encrypted from Zone 1 through Zone 5. HomeATM provides Zone 1 through Zone 4 encryption for credit and signature debit transactions, as it is currently not possible to provide Zone 5 coverage: Visa and MasterCard would have to overhaul their internal systems to emulate a PIN transaction to make that possible...
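To make concrete what "encrypting Track 2 the instant the card is swiped" buys a merchant, here is an added illustration in Python. It is not HomeATM's firmware or any vendor's code. It parses a constructed Track 2 string, encrypts it inside the "reader" before any other component sees it, hands the POS only ciphertext plus a masked PAN, and recovers the clear track only at the far end of the encrypted zones, rejecting anything altered in transit. The static key, the nonce handling, the sample PAN and the HMAC-SHA256 stream cipher with encrypt-then-MAC are assumptions for the demonstration (the Python standard library ships no AES); real PIN entry devices typically use per-transaction DUKPT-derived TDES or AES keys instead.

```python
"""Encrypt-at-swipe demonstration (added example; not HomeATM or vendor code)."""
import hashlib
import hmac
import os
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary>?  (sentinels optional here)
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed sample: the well-known Luhn-valid test PAN with a fictitious expiry/service code.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
DEMO_KEY = b"\x01" * 32   # assumption: one static session key stands in for DUKPT key derivation


def luhn_ok(pan: str) -> bool:
    """Standard mod-10 check-digit test for a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    m = TRACK2_RE.match(raw.strip())
    if m is None or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 2 or PAN fails Luhn check")
    return m.groupdict()


def mask_pan(pan: str) -> str:
    """First six / last four: the most PCI DSS allows on receipts and logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one shared secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from a PRF; a stdlib stand-in for AES/TDES.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_at_swipe(key: bytes, raw_track2: str) -> dict:
    """Runs inside the reader (Zone 1). The returned dict is all the POS ever receives."""
    fields = parse_track2(raw_track2)          # validate before the track leaves the reader
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)                     # fresh per swipe; never reuse with the same key
    ct = _xor(raw_track2.encode(), _keystream(enc_key, nonce, len(raw_track2)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"nonce": nonce, "ct": ct, "tag": tag, "masked_pan": mask_pan(fields["pan"])}


def decrypt_at_processor(key: bytes, blob: dict) -> dict:
    """Runs only at the far end of the encrypted zones; refuses any altered ciphertext."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication tag mismatch")
    pt = _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))
    return parse_track2(pt.decode())


def pos_holds_clear_pan(blob: dict) -> bool:
    """The scoping question a QSA asks: is a PAN recoverable from what the POS stores?"""
    return re.search(rb"\d{13,19}=", blob["ct"]) is not None


def tampering_detected(key: bytes, blob: dict) -> bool:
    """Flip one ciphertext bit in transit and confirm the processor rejects it."""
    altered = dict(blob)
    altered["ct"] = bytes([blob["ct"][0] ^ 0x01]) + blob["ct"][1:]
    try:
        decrypt_at_processor(key, altered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    blob = encrypt_at_swipe(DEMO_KEY, SAMPLE_TRACK2)
    print("POS receives:", blob["masked_pan"], blob["ct"].hex()[:32], "...")
    print("processor recovers:", decrypt_at_processor(DEMO_KEY, blob))
```

The point of `pos_holds_clear_pan` is the scope argument made above: if the only things the POS, the store LAN and the acquirer link ever hold are the ciphertext and a first-six/last-four mask, there is no cardholder data there to protect. The part this toy cannot show is key management, which is where a real deployment's Zone 5 and DUKPT injection problems live.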



End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance
New Research Provides Guidance on End-to-End Encryption for Merchants and Processors

Boston, MA. - With the US payments system under continuous cyberattack and data breaches endemic, merchants and processors are scrambling to protect their data assets and cardholder data in particular. Card data encryption turns valuable data into worthless bits and bytes, eliminating the economic incentive for a cyberattack.

In a new report, End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance, Mercator Advisory Group explores end-to-end encryption (E2EE) in the hands of merchants, payment service providers and processors. In the face of the three bogies of PCI DSS compliance and penalties, reputational risk and direct financial loss, the acquiring half of the payments process is evaluating options for eliminating cleartext cardholder data from their systems. Tokenization (the subject of a recent Mercator report) and end-to-end encryption are the leading candidates. This report examines the complexity of E2EE within payments and enterprise security.

"End-to-end encryption's beauty is very much in the beholder's eye. If you're a Tier one merchant in no mood to risk the reputational crisis of a data breach, using E2EE to rid your network of card data is a good move," George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service and principal analyst on the report comments. "E2EE also reduces the scope of PCI compliance audits and remediation costs but the beauty of encryption and card security will likely be lost on millions of Tier 4 merchants. Strong sales incentives and messaging will be required to have them join in the data protection fight."

Highlights of the report include:
  • End to end encryption (E2EE) is a long forestalled rational reaction to data breaches and PCI DSS audit costs.
  • The advantages to merchants of getting out from under a large set of PCI compliance burdens may make E2EE worthwhile.
  • Defining the "ends" in E2EE is a key step for every deployment.
  • The encryption zones under a processor's control - from the merchant's magstripe reader to the interconnection point with card brand or issuer - appear to be a manageable domain where the burdens of key management and new POS gear equal the benefits.
  • Standards development is in early days. A new working group under ASC X9 has brought together the key stakeholders, some of whom have sharply diverging goals.









Europe: Magnetic Stripe's Time is Up?


Europe to Eye Mag-Stripe Ban

Cardline Global


European banks may consider banning the use of magnetic stripe credit and debit cards, according to Gerard Hartsink, the chairman of the European Payments Council.


Hartsink, who is also a senior executive vice president at ABN Amro in Holland, said that European financial companies will have largely completed the transition to the EMV Integrated Circuit Card Specification by 2011, and the council, which is driving the transition to the Single Euro Payments Area, could then advise its members to stop accepting magnetic stripe cards, which are considered less secure than those that use EMV.


"My feeling is, although it has not yet been decided, the [council] will take a decision in 2011, maybe 2010, to only use chip cards," he said in comments during a presentation this week at the Contactless Cards and Payments conference in London.


The council has no enforcement power, but if banks in Europe went along with such a decision, it could leave U.S. cardholders in the lurch when they traveled to Europe and tried to use cards for purchases or ATM withdrawals.


"If [Americans] visit Europe, it's not such a problem; their institution could issue an EMV card," Hartsink said.


Payments council members will probably debate the issue in 2010 or 2011, he said.


Hartsink is not the only person suggesting a ban on magnetic stripe cards, according to Dave Birch, a director at the U.K. research company Consult Hyperion. In a recent blog post, he cited comments from a financial regulator in Singapore pressing for a "concerted, global effort to phase out magnetic stripe technology entirely."



TransCard Adds PULSE to Mix

TransCard Extending Their Cardholders’ Reach with PULSE Network

CHATTANOOGA, Tenn.--(BUSINESS WIRE)--TransCard (www.transcard.com)—a leading provider of prepaid debit card solutions branded with MasterCard®, Discover® Network and STAR associations—has launched the PULSE network, providing all cardholders with more places to use their cards.

The PULSE ATM/debit network comprises more than 289,000 ATMs and point-of-sale terminals, and is used by more than 4,500 financial institutions—including banks and credit unions—across the United States.

“Adding a new PIN POS network will increase the scope of card acceptance and cardholder use,” says Jerry Uffner, TransCard’s President. “We are always working to improve our products, give cardholders more ways to use their cards and, ultimately, provide more cardholder value.”

PULSE is owned by Discover Financial Services—offering a comprehensive suite of payment solutions, including PIN-less bill payment, PIN and signature debit products, credit products, stored-value card programs and, of course, ATM network services.

“Our relationship with Discover Network continues to provide benefits for all of our cardholders—with PULSE being the most recent manifestation of those benefits,” says Craig Fuller, CEO of TransCard. “We look forward to continued product enhancements that make our cardholders’ lives easier and less stressful.”

About TransCard

TransCard (www.transcard.com) is a top ten, stored-value processor and a global provider of transaction-based processing services. TransCard has provided stored-value processing services since 1993 and pay card products beginning in 1996. TransCard differentiates itself in the prepaid card industry by offering compliant solutions, real value, proprietary technology, mobile card management and stability. Its products include pay cards, financial institution stored-value processing, gift reward cards, fleet services and retail program management. TransCard handles nearly $2 billion in electronic transactions annually and was featured as a “10 to Watch” by Intele-Card News. The company was recently named as a 2009 Paybefore Awards Best-in-Category Winner for the Best Corporate-Funded Prepaid Card.

Western Union Introduces Additional Features to WU Gold Card


Western Union Launches Consumer Loyalty Prepaid Card
Eight million Western Union Gold Card loyalty members in US Targeted

According to the Banking Business Review,

"Western Union Company, a global money transfer services firm, is planning to add features to The Western Union Gold Card, the company's global consumer loyalty program, with the addition of a reloadable Visa prepaid card. However, it will selectively offer the program in July targeting eight million Western Union Gold Card loyalty members in the US.

The company said that the card members need not to fill out money-transfer forms when sending money-transfers; members can earn points to redeem for rewards that include merchandise or money-transfer discounts; every transaction with a Gold Card earns free phone time and the card also serves as a calling card, allowing the user to recharge phone time."

The company has also reported that it recently launched an "Overnight Home Delivery" service pilot featuring the new Western Union MoneyWise Visa prepaid debit card, designed for consumers who receive money transfers. The MoneyWise card is sent overnight via FedEx for delivery at the recipient's door the next day, and the recipient activates it with the Western Union Money Transfer Control Number. The card is also protected by the Visa zero liability policy.




"Who Killed Michael Jackson?" The Answer at a Malicious Website



According to TrendMicro's blog, there is an email spam which is playing on the "inquiring minds want to know" crowd by asking: "Who killed Michael Jackson?" 

The answer of course is located on a malicious website. 

From TrendMicro:

"Michael Jackson has been dead for a week already, but there are still a lot of speculations regarding his death. The spam runs are plenty as well — a Michael Jackson-related spam was seen bearing the subject  "Who killed Michael Jackson?", coming from a sender named x-files.

The spam message suggests that the icon was killed, and that information on who murdered him can be seen on the given URL.

Clicking the said link leads to a website, where the user is asked to execute a file, which supposedly contains secret information, in order to find out who killed Michael Jackson.  (and inquiring minds should know better than to do that)

But of course, the executable is not at all related to Michael Jackson’s murderer, or to Michael Jackson at all, as the file is really a data stealer detected by Trend Micro as TROJ_ZBOT.AXY.

The Trojan TROJ_ZBOT.AXY connects to a certain URL where it downloads a configuration file containing a list of banking-related websites. Once the user attempts to visit any of the listed sites, a spoofed site is displayed instead of the real one, thus any critical information entered on the spoofed site will be sent to a remote user.

This threat, however, doesn’t stand a chance against the Smart Protection Network, as all of its components — spam, URL and file — are already either blocked or detected."

Nigeria Hit Hard by Online Scams

In late June I posted about the problems Nigeria was having with its ATM systems. Now Computerworld Kenya is reporting that banks have not done enough to protect consumers when it comes to online banking and online transactions. Here's a blurb from the June 23rd post on the problem with Nigerian ATMs, followed by Computerworld's story on online scams.

Pictured on the left are the corporate offices of the Central Bank of Nigeria (CBN).


Nigerians call for scrapping of ATM System


The current upsurge and nefarious activities of Automated Teller Machine (ATM) fraudsters is threatening the electronic payment system in the nation's banking sector, with users threatening massive dumping of the cards if the unwholesome act is not checked.

An investigation carried out revealed that two of every five ATM card users have become victims of fraud, and the sector's regulator (CBN), their service provider (Interswitch), law enforcement agents and banks are helpless as they have not been able to provide or offer any solution.

Only recently, the CBN admitted that hundreds of millions of naira was lost to ATM-related theft last year alone. Every week, hundreds of bank customers across major cities are finding their deposits, or a substantial part of them, stolen by faceless crooks. The Special Fraud Unit (SFU) also confirmed recently that ATM fraud is on the increase in Nigeria.

It was also revealed that the activities of the fraudsters cut across all the banks having ATM facilities. Consequently, some of the users have said the technology should be scrapped if the activities of the scammers cannot be curtailed.

Online scams up as more Africans use the Internet...Attackers are targeting the financial sector in particular


By Rebecca Wanjiku | Computerworld Kenya

Online scams targeting the financial sector are on the rise in Africa as more people access online banking services and mobile banking.

Phishing attacks are mainly occurring in South Africa where online banking is common, while mobile money theft is common in other parts of Africa where Internet penetration is still low. As a result of the increase, South Africa's Absa bank, the largest in Sub Saharan Africa announced Tuesday that its Internet banking customers can download security software to curb cybersecurity attacks.

A phishing attack aimed at Absa customers features a plain, yet clever unsolicited message instructing them to follow a link and confirm their account information as a way for criminals to obtain passwords and user IDs.

Absa's online customers can download Trend Micro's Internet Security Pro 2009 for free, said Christo Vrey, managing executive of Absa Digital Channels.

The software is expected to protect home or office computers against viruses, spyware and other malicious threats. The phishing attacks have risen since 2005 when Barclays Bank bought Absa.

South African consumers are exposed to more phishing attacks because it is the only Sub Saharan country with a developed online banking service. Other countries do not offer full-fledged online banking services and most of the population lacks bank accounts, but cybercriminals have not spared them either.

The Communications Commission of Kenya has set out on an exercise to educate consumers on cybercrime and other threats posed by the expected increase in Internet usage as a result of cheaper bandwidth. The East Africa Marine System and SEACOM cables are expected to start testing service in a month as the region prepares for cheaper connectivity. Expensive connectivity has limited the region's Internet penetration and electronic commerce is nonexistent, so cybercriminals have not targeted that area as much as South Africa.

However, cybercriminals in East Africa have used mobile phone-based tricks in which subscribers receive fake messages informing them that they have won money and are asked to transfer a certain amount via the phone as a "processing fee."

"The criminals normally they use Tanzanian or Ugandan telephone numbers, which work across the region. It's interesting how mobile phone operators and authorities have not arrested the criminals," said Tyrus Kamau, online security consultant based in Nairobi.

In Nigeria, the scams started with the infamous "419" e-mails that promised millions of dollars left behind by Africa's former dictators such as Sani Abacha and later evolved to promises of lucrative oil contracts. After officials cracked down, 419 e-mails slowed, but criminals shifted to mobile technology, which makes it hard to trace them.

"Nigeria is the most populous country in Africa and the crime has evolved just like in other countries, but the problem is the inability of most GSM operators to create unique profiles for their customers. In many countries, 98 percent of GSM users are prepaid and unidentifiable," said Fola Odufuwa, senior partner at Praxis Partners LLC.

Greed and ignorance have been cited as the reasons many people in Africa fall prey to the scams as the criminals' Web sites are built to entice and make people fill out even the most intimate details.

Although Kenyan banks offering elementary online transactions have been keen on security, Kamau says that the banks have not done enough to protect consumers.




Overstock Drops Affiliates 4 States Over Internet Taxes then Rein"states" 2

Overstock.com's  marketing affiliates in two states must have been in a total "state of confusion" as Overstock first "stated" that they were being dropped (so Overstock wouldn't have to collect sales tax) before shortly thereafter, rein"stating" them. Hawaii made a "statement" by vetoing the internet tax bill and California Gov. Arnold Schwarzenegger stated it made "absolutely no sense."  I wonder if he said that from his estate? 


Wall Street Journal
Overstock.com Inc. informed its marketing affiliates in four states — California*, Hawaii**, North Carolina and Rhode Island — that it is ending its business with them to avoid collecting sales tax.

Lawmakers in the states have passed or are preparing to pass legislation that would require companies to collect sales tax if they have marketing affiliates in the state. Affiliate marketers run blogs or Web sites and get a sales commission by featuring links to outside e-commerce sites.

Rival Amazon.com Inc. has taken similar steps in the past few days, ending ties with affiliates in three of the same states and warning about California.

The decision highlights mounting tensions between online retailers and cash-strapped states. Other states are considering similar laws that would use affiliates as a way to force companies to collect sales taxes for online purchases.

Chief Executive Patrick Byrne said Overstock plans to sever its affiliate relationships in each state that appears close to passage of similar laws, but will reinstate its businesses if the laws are found unconstitutional, vetoed or repealed.

Forcing e-commerce sites to collect tax upfront would strip a key advantage they have over traditional retailers, though consumers are technically supposed to pay a so-called use tax for online purchases on their own...
Continue reading at Wall Street Journal

 
**Update 1: Overstock.com Inc. reinstated Hawaii-based Internet affiliate advertisers today, after Hawaii's governor vetoed legislation that would have forced Overstock to collect taxes on sales in that state. Overstock shut down affiliate programs in several states where lawmakers wanted the Web retailer to collect taxes, even though it has no physical presence there.

*Update 2: Overstock.com Inc. reinstated California-based Internet Retailers after Gov. Arnold Schwarzenegger said it made "absolutely no sense" to go back to taxpayers to solve the state's budget deficit, following their recent tax hike, and California should be doing everything it can to keep and create jobs in the state. "We couldn't be more pleased to have been directly told that the governor is going to focus on balancing the budget via cost cutting, and not by jamming consumers and small businesses with new taxes," Overstock Chairman and Chief Executive Patrick Byrne said.



Thursday, July 2, 2009

More on MasterCard Settling 13 Year Wal*Mart Case

Earlier today, I posted that Visa has deposited a total of $4.8 billion over the past 15 months into its "Litigation Escrow Fund", which equates to $340,000,000 per month over the last 15 months. Then I posted that MasterCard has decided to pay off its antitrust lawsuit settlement early, for $335,000,000, thus saving $65,000,000. Digital Transactions has a story on the settlement. Here's an excerpt:

MasterCard Puts the 13-Year-Old Wal-Mart Case in the Rear-View Mirror


(July 2, 2009) MasterCard Inc. plans to pay off its remaining $400 million settlement obligation to retailers over debit card acceptance early for a discounted $335 million, according to a filing the card network made on Thursday with the Securities and Exchange Commission. Attorneys for the retailer plaintiffs have signed on to the proposed deal, which would happen Sept. 30 if it gets the required court approval.

The case started in 1996 when retailers, upset about what they said was the high cost of accepting Visa- and MasterCard-branded signature debit cards, filed lawsuits challenging what were then the bank-owned card associations over their so-called honor-all-cards rules. The rules required merchants that accepted Visa and MasterCard credit cards to also accept the associations’ debit cards. The cases were consolidated as a class action with more than 8 million plaintiffs and became known as the “Wal-Mart case” because of the participation of Wal-Mart Stores Inc., the nation’s largest retailer.


The card associations settled in 2003 for just over $3 billion—reportedly a record—as the case was headed to trial in U.S. District Court in Brooklyn, N.Y. MasterCard’s portion called for payments into a settlement fund of $125 million by the end of 2003, followed by nine annual payments of $100 million. Visa’s initial payments of $225 million were to be followed by annual payments of $200 million ending in December 2012. The card associations also agreed to drop their honor-all-cards rules and temporarily lowered signature-debit interchange.

Continue Reading at Digital Transactions




Smart Payment Association Releases 2008 Global Payment Survey



Munich, Germany, July 2, 2009 -- The Smart Payment Association (SPA), which brings together the industry's largest manufacturers of payment smart cards, has completed its 2008 internal market monitoring activity, undertaken in order to get a better understanding of the current status of the payment smart card market and its key trends.

Key findings:

  • With more than 580 million payment smart cards delivered by its members, SPA represents the vast majority of the payment smart cards market. This figure corresponds to a 39% year-on-year growth (2008 vs. 2007), showing the ongoing momentum of EMV deployment.

  • Over 25% growth in all regions with the fastest growth seen in North America, where shipments have more than doubled, CISEEMEA (CIS countries, Eastern Europe, Middle East and Africa) with +65% and South Asia with +49%.

  • Open-platform is gaining ground and now represents 15% of all shipments, a 72% increase compared to last year. This can be explained by the development of multi-applicative EMV cards. The 70% year-on-year growth in large memory product shipments and the large increase in open-platform dual interface card shipments confirm this trend.

  • Both dual interface and pure contactless cards confirm SPA's expectations, outperforming the market with year-on-year growth rates of 140% and 66% respectively.

  • DDA technology is continuing to gain importance, with 69% growth year-on-year, representing 25% of SPA members' shipments in 2008. Migration to DDA has started worldwide, and both Visa and MasterCard mandate that all cards should support DDA by 2011 in Europe. The SPA is about to publish a whitepaper that will present the status of DDA migration and highlight DDA success stories. This document will also outline the impact of DDA migration on banks at both technical and business levels.
"A lot of industries were severely affected by the financial crisis. Despite a slowdown in the SPA payment smart card shipments at the end of 2008, the smart card manufacturers are not as heavily impacted as others can be", said Marie-Jane Denis, President of the Smart Payment Association. "High volumes continue to be shipped around the world and a majority of regions carry on their migration to EMV standards."

The detailed figures of the SPA 2008 market monitoring are only available to its contributing members.

About the Smart Payment Association
Founded in December 2004, The Smart Payment Association (SPA) is a not-for-profit organisation dedicated to promoting and facilitating the use of smart cards for payment. The SPA members are Gemalto, Giesecke & Devrient, Oberthur Technologies and Sagem Orga.

The Association's main objective is to accelerate the transition from traditional, magnetic stripe cards to chip based cards by:

  • promoting the benefits of smart cards for financial institutions by publishing use cases and success stories on innovative applications;
  • ensuring optimal interoperability between all system components, for both payment and value-added applications;
  • becoming the voice of the payment industry towards standardization committees and payment associations.
For more information, visit the SPA web site: http://www.smartpaymentassociation.org .

Source: Company press release.

The day before yesterday, in a post entitled "How to Hack an ATM Live Onstage, Pulled from Black Hat Event", I talked about the decision by Juniper to postpone the presentation. The talk, which would have revealed flaws in the automated teller machines (ATMs) of an undisclosed vendor, will be postponed until the vulnerabilities are fixed, Juniper said in a statement. The original description of the presentation stated that the researcher, Barnaby Jack, would "retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs," and would "explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM."

Here's more directly from  Juniper's Blog


Juniper’s Decision To Postpone “Jackpotting Automated Teller Machines”

Yesterday, Juniper postponed a scheduled Blackhat USA 2009 presentation by one of our employees, Barnaby Jack, entitled "Jackpotting Automated Teller Machines." This decision has grabbed the attention of the press, the Twittersphere and Blogosphere, and understandably so.

The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and - ultimately - the public. To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen.

Therefore, we felt it our responsibility to delay the presentation until all those protection measures were put into place. Unfortunately, there isn't enough time before Blackhat to make that happen.

We did not arrive at this decision easily. Indeed, we feel that Barnaby's research is important, vital to the advancement of the state of security and should be discussed in an open forum. However, Juniper is also committed to the responsible disclosure of security vulnerabilities, and to protecting the public from them.

We look forward to sharing our findings with the security community in time and, rest assured, we will.

7 Arrested in Int'l Credit Card Scam Down Under


Australia uncovers international credit card scam
Updated July 02, 2009 11:53 AM

SYDNEY (AP) -- Australian authorities have uncovered a 6 million Australian dollar ($4.8 million) international credit card scam that used stolen personal information from people as far away as Britain and Spain, officials said Thursday.

Seven people were arrested Wednesday in searches carried out by a multi-agency team in Sydney and Melbourne, Australian Federal Police said in a statement.

The syndicate allegedly used the stolen personal details to manufacture more than 200 fake credit cards and driver's licenses a week and used them to make up to AU$500,000 in weekly purchases of electronic goods, gift cards, phone cards and alcohol, the statement said.

Federal police Assistant Commissioner Mandy Newton said the personal information was stolen from card holders in Australia, Spain, Britain and Malaysia.

"What we are identifying is a global issue, it is not just in Australia," Newton said.  More than 1,200 credit card numbers have been involved in the scam since March, Newton said. The syndicate first came to the attention of police during a 2008 Department of Immigration investigation into a suspected illegal work racket, which uncovered evidence of the credit card fraud.

That investigation identified several illegal immigrants who had been arrested for shopping along the east coast using fraudulent credit cards and who are believed to have been used as shoppers by the syndicate, said Immigration Department investigator Peter Richards, without identifying their nationalities.

The seven people will be charged with offenses including dealing in the proceeds of crime, participating in a criminal group, and making and using false instruments.






Shopping Cart of the Weak


Chart: Shopping Cart Abandonment Rates Among US Online Retailers, 2008 & 2009 (% of respondents)

The Sad Tale of Abandoned Shopping Carts

Browsing and comparing products before adding them to an online shopping cart takes time and effort, but leaving those products is as easy as “click.” And that’s a problem for online retailers.

According to an e-tailing group survey, nearly 60% of the US online retailers surveyed are seeing cart abandonment rates of over 20% this year.


A study by PayPal and comScore found 45% of US online shoppers had abandoned shopping carts multiple times in just three weeks.

Most importantly from the merchants’ point of view, the average cost of abandoned goods in those shopping carts was $109.

In the same study, 46% of online shoppers said high shipping charges were a “very important reason” for emptying carts.
Other reasons for abandonment included:

  • Wanted to comparison shop: 37%
  • Lack of money: 36%
  • Wanted to look for a coupon: 27%
  • Wanted to shop offline: 26%
  • Couldn’t find preferred pay option: 24%
  • Item unavailable at checkout: 23%
  • Couldn’t find customer support: 22%
  • Security concerns: 21%
“Merchants who don’t welcome back abandoners are leaving hundreds of dollars per shopper on the table,” said Eddie Davis of PayPal.

“Sweetening the deal with free shipping, coupons and special discounts is a great way to encourage online shoppers to complete their purchases.”

And makes leaving carts behind a little bit harder.


 

SafeDebit's 2nd Rollout in 2010

NYCE Looks to 2010 for SafeDebit Rollout, Pilot Later This Year


(July 2, 2009) NYCE Payments Network LLC expects to start testing Internet-based debit transactions by the end of the year and to start a commercial service some time next year, says Steven A. Rathgaber, president and chief operating officer of the Secaucus, N.J.-based electronic funds transfer network. The service will rely on single-use debit card technology from Verient Inc., a San Jose, Calif.-based technology company.

A unit of Metavante Corp., NYCE signed an agreement with Verient last fall and had originally expected to get a pilot for the online service, which it calls SafeDebit, under way early this year (Digital Transactions News, Nov. 18, 2008). Rathgaber says technology implementation has gone smoothly, but the network has had to contend with the inevitable complexities regarding pricing and other business arrangements that arise when a number of banks, merchants, and networks must work together. “There’s a lot of parties at the dance,” he notes.

Continue Reading at Digital Transaction News




"Month of Bugs" Focuses on Twitter

The "Month of Bugs" is an event in which researchers disclose a new vulnerability every day for a month.  It started in 2006 with HD Moore's "Month of Browser Bugs," and this year researcher Aviv Raff has chosen to expose bugs in third-party Twitter applications in what is called the "Month of Twitter Bugs," or MoTB.  Kelly Jackson Higgins reports for Dark Reading...

Month Of Twitter Bugs Goes Live With Mini-URL Flaws

Researcher launches Day One of daily third-party Twitter app vulnerability disclosures, while some members of Twitter christen July 1 "TwitterSec Day"

The Month of Bugs phenomenon is back, with a new project aimed at exposing vulnerabilities in third-party Twitter applications.

Day One of The Month of Twitter Bugs project revealed four new cross-site scripting (XSS) vulnerabilities in the popular bit.ly URL-shortening tool used by many Twitter users to shorten links to fit into the 140-character Tweet limit. Bit.ly is also integrated into the popular TweetDeck Twitter interface. The controversial month-of-bugs concept -- where researchers disclose new vulnerabilities daily for a month -- was started three years ago by HD Moore, who brought attention to browser security issues with his Month of Browser Bugs project.

"I hope to raise the awareness of developers using the Twitter API to develop more secure code, as they should understand that that by developing insecure code, they are not only exposing their own users to threats, but the entire Twitter community," says Aviv Raff, the researcher behind the project.

Continue Dark Reading


Or, for more information, go straight to the source. This is from Aviv Raff's own site, http://aviv.raffon.net/:


Back in July 2006, I had the opportunity to be part of a cool initiative called “Month of Browser Bugs”. This initiative was created by H.D. Moore in order to raise the awareness of security vulnerabilities in web browsers. Back then it was mainly focused on system ActiveX issues, but it also provided some great examples of how so-called “unexploitable” vulnerabilities can still be abused for remote code execution. The initiative was a great success, in my opinion, and made the browser vendors more attentive to security vulnerabilities in their products (e.g. in Internet Explorer 8, installed ActiveX controls now do not run automatically, and can be opted in to run on specific sites).

Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.

Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability.

Even though I have enough vulnerabilities for this month, you are more than welcome to send me (via email or twitter) vulnerabilities you find in 3rd party Twitter services. I will do my best to publish all submitted vulnerabilities. I will, of course, credit the submitter.
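The class of bug behind a disclosure like the one above (a URL shortener or Twitter client that echoes a user-controlled URL into its own pages) is easy to see in a few lines. The Go program below is an added example written for this page; it is not bit.ly's, TweetDeck's or Twitter's code, and it does not reproduce the specific flaws MoTB disclosed. The handler names, the /preview path and the attack strings are all constructed. It shows a "preview" page that reflects the submitted long URL, first unescaped and then hardened with output encoding plus a scheme check, and it drives both handlers in-process with net/http/httptest so it runs offline.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// VulnerablePreview is the bug pattern: the caller-supplied long URL is
// interpolated into the HTML unescaped, so a value such as
//   http://example.com/"><script>...</script>
// closes the href attribute and runs script in the shortener's own origin,
// which is exactly what a self-propagating "Twitter worm" needs.
func VulnerablePreview(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("url")
	fmt.Fprintf(w, `<p>This short link points to <a href="%s">%s</a></p>`, target, target)
}

// SafeHref accepts only absolute http(s) URLs with a host, re-serialises
// them (which percent-encodes bytes that do not belong in a URL path) and
// then HTML-escapes the result for use inside a quoted attribute or text
// node. javascript:, data: and similar schemes are rejected outright: HTML
// escaping alone would still leave a clickable script URL in href.
func SafeHref(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", false
	}
	return html.EscapeString(u.String()), true
}

// HardenedPreview is the same page with scheme validation and output encoding.
func HardenedPreview(w http.ResponseWriter, r *http.Request) {
	href, ok := SafeHref(r.URL.Query().Get("url"))
	if !ok {
		http.Error(w, "unsupported target URL", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, `<p>This short link points to <a href="%s">%s</a></p>`, href, href)
}

// Render drives a handler with GET /preview?url=<target> in-process and
// returns the status code and body, so the two versions can be compared.
func Render(h http.HandlerFunc, target string) (int, string) {
	req := httptest.NewRequest("GET", "/preview?url="+url.QueryEscape(target), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	// Constructed inputs for this example, not taken from any real report.
	for _, target := range []string{
		`http://example.com/"><script>alert(document.cookie)</script>`,
		`javascript:alert(document.cookie)`,
		`https://example.com/news?id=7&lang=en`,
	} {
		_, vuln := Render(VulnerablePreview, target)
		code, safe := Render(HardenedPreview, target)
		fmt.Printf("input: %s\n  vulnerable: %s\n  hardened (%d): %s\n", target, vuln, code, safe)
	}
}
```

The two fixes are independent and both are needed: encoding for the HTML context stops the attribute break-out, and restricting the scheme stops a target that is valid, well-encoded HTML but still executes when the shortened link is followed.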




The Spider and the Fly (Keep Typing vs. Swiping)



The PIN Payments Blog has focused on eCommerce and security since its inaugural post in March of 2008.

As I have come to learn, some believe I do it to bash the industry for supporting products which encourage consumers to enter (type) their card number, or their username and password, into boxes on the web, or to click their mouse...but that's not why I do it.

I do it because I understand that the information superhighway known as the web is exactly that: an information superhighway. It's also known as the web, and what a wicked web it is...hackers, keyloggers, screen scrapers, data-stealing malware, zombies, etc.


Think of hackers as Big Nasty Spiders and your financial data as a big meaty fly.  Get the picture?  If not, there's one above on the left. 

When websites ask you to enter (type) your credit card or debit card numbers into a box, I know that it's Pandorian in nature, and I want to prevent you from boxing yourself in. Consumers cannot "realistically" expect that their card numbers are going to be safe. Sure, it may "seem" convenient, but things aren't always as they seem, are they? On the flip side, sometimes they are...and it sure "seems" that as time goes by, hackers get more advanced and thus create more advanced programs designed to steal your financial information. Who knows what they'll come up with tomorrow?

This much I do know. When I started this blog, it was safer to type your cardholder data into the web than it is today. And it's safer today than it will be tomorrow. Therefore, the day after tomorrow seems to be the day when everyone will understand that what we are trying to do here on the blog comes from a desire to help...not to anger industry insiders, nor do we want to be perceived as viciously criticizing so-called competitors. 

What we try to do here is best represent the truth on this blog...and the truth is, IT IS NOT SAFE TO TYPE YOUR CREDIT CARD NUMBERS INTO A BROWSER. 

Speaking of competitors (and truth), HomeATM created a software-based PIN platform years ago, and contrary to a YouTube video floating around out there on the web, it was not a so-called competitor but HomeATM who conducted the "first" software-based PIN debit transaction on the web.  We did it in 2005 (documentation available upon request) in front of a bunch of Intel "higher ups" who, in addition to asking if we were crazy (they know the risks of PCs inside and out), practically laughed us out of the room.  That experience instigated our engineering department to re-evaluate how PIN transactions should be conducted on the web, and there is only one way: "Outside the Browser Space" (OBS).

So we scrapped the software PIN debit approach and went to work on creating a secure terminal with a built-in PIN pad...and lo and behold, HomeATM conducted the "first" end-to-end-encrypted PIN debit application using the Internet (using a "secure" hardware device with 3DES and DUKPT key management, just like they do it in the stores!).
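Since the paragraph above rests on "3DES with DUKPT," here is what that key management actually does, as an added example that is not HomeATM's code or any terminal's firmware: the ANSI X9.24-1 DUKPT derivation, in Go, run on the widely published DUKPT sample BDK and KSN (the expected IPEK for that pair, 6AC292FAA1315B4D858AB3A3D7D5933A, is the usual test vector). The Base Derivation Key never leaves the key-injection facility; each device is loaded with an IPEK derived from the BDK and its Key Serial Number, and then derives a fresh key for every transaction from the 21-bit counter in the KSN with a one-way function, so a device pulled apart yields neither the BDK nor the keys of earlier transactions. The host, which holds the BDK, repeats the same derivation from the KSN sent with the transaction. Function names are this example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// ANSI X9.24-1 constants: the variant XORed into a key during derivation,
// and the variant that selects the PIN key from a derived transaction key.
var (
	KeyVariant = MustHex("C0C0C0C000000000C0C0C0C000000000")
	PinVariant = MustHex("00000000000000FF00000000000000FF")
)

func MustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// HexUpper prints a key the way DUKPT test vectors are usually written.
func HexUpper(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }

func Xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encBlock encrypts one 8-byte block: an 8-byte key means single DES,
// a 16-byte key means two-key TDES (K1, K2, K1).
func encBlock(key, block []byte) []byte {
	var c cipher.Block
	var err error
	if len(key) == 8 {
		c, err = des.NewCipher(key)
	} else {
		c, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	}
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK is what the key-injection facility loads into one device: the
// first 8 bytes of the 10-byte KSN with the counter bits cleared, TDES-encrypted
// under the BDK (left half) and under BDK XOR KeyVariant (right half).
func DeriveIPEK(bdk, ksn []byte) []byte {
	reg := append([]byte{}, ksn[:8]...)
	reg[7] &= 0xE0 // the counter's top 5 bits live in byte 7
	return append(encBlock(bdk, reg), encBlock(Xor(bdk, KeyVariant), reg)...)
}

// nonReversible is the X9.24 one-way step from the current key and the 8-byte
// KSN register to the next key; the input key cannot be recovered from it.
func nonReversible(key, reg []byte) []byte {
	l, r := key[:8], key[8:]
	r1 := Xor(encBlock(l, Xor(reg, r)), r)
	k2 := Xor(key, KeyVariant)
	r2 := Xor(encBlock(k2[:8], Xor(reg, k2[8:])), k2[8:])
	return append(r1, r2...)
}

// DeriveTransactionKey walks the set bits of the 21-bit counter (low bits of
// the KSN) from most to least significant, one one-way step per set bit.
func DeriveTransactionKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // right-most 8 bytes of the KSN
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	key := append([]byte{}, ipek...)
	for bit := uint32(1) << 20; bit > 0; bit >>= 1 {
		if counter&bit != 0 {
			reg[5] |= byte(bit >> 16)
			reg[6] |= byte(bit >> 8)
			reg[7] |= byte(bit)
			key = nonReversible(key, reg)
		}
	}
	return key
}

// DerivePINKey: the per-transaction key the PIN pad encrypts the PIN block under.
func DerivePINKey(bdk, ksn []byte) []byte {
	return Xor(DeriveTransactionKey(DeriveIPEK(bdk, ksn), ksn), PinVariant)
}

func main() {
	bdk := MustHex("0123456789ABCDEFFEDCBA9876543210") // published DUKPT sample BDK
	ksn := MustHex("FFFF9876543210E00001")             // sample KSN, counter = 1
	fmt.Println("IPEK   ", HexUpper(DeriveIPEK(bdk, ksn))) // 6AC292FAA1315B4D858AB3A3D7D5933A
	fmt.Println("PIN key", HexUpper(DerivePINKey(bdk, ksn)))
}
```

The security property to notice is in DeriveTransactionKey: every key is the output of a one-way step, the device only ever stores a small set of "future" keys and erases each one after use, and the host needs nothing from the device except the KSN to recompute the same key. The PIN key is the transaction key with the PIN variant applied; X9.24 derives the track-data and MAC keys from the same transaction key with other variants, which is omitted here.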


Now there were two more tasks at hand.  The first was achieved last March 17th, ironically while HomeATM Chairman and CEO Ken Mages and I were listening to PCI General Manager Bob Russo speak: HomeATM was certified as the first manufacturer in the world with a PIN Entry Device specifically designed for eCommerce usage to be PCI 2.x Certified, and was listed as such on the PCI website.

Final task.  Get our manufacturing costs down to a price point where distribution to the masses is feasible. 

The mountain:  Credit/debit card terminals cost $500.00+ and PIN pads cost $150.00+ (and encrypting the PIN pad costs an additional $25.00+).

The result:  HomeATM becomes the first company in the world to manufacture and offer a credit/debit card terminal with integrated PIN pad for less than $25.00!  (including PIN pad encryption!)

The end result?  "HomeATM Knows PIN."  That said, I suspect, (k)no(w), make that know, that yesterday's doubting Thomases will become tomorrow's believers/customers...especially as new reports, like the one released by Trend Micro (below), state what we have stated from day one: it's a dangerous and scary world (wide web) out there!

If that's not scary enough, here's more...did you know that a signature debit transaction is at least 10 times LESS secure than a PIN debit transaction?  That's in the brick-and-mortar world.  So how many times LESS secure is a "card not present" (no signature) debit transaction vs. a PIN debit transaction?  Yet signature debit is being pushed by issuers "over" PIN debit.  Why?  All in unison!  Because they make more money!  Yup, the less secure the transaction, the more money they make.  At whose expense?  Two guesses.  If you said consumers and/or merchants, you're right.

In its first Focus Report, Trend Micro examines the growth of data-stealing malware, the most dangerous of web threats today.  Growth of this threat is unprecedented, and you are in exponentially MORE danger today than when the PIN Payments Blog first started emphasizing the inherent dangers of conducting eCommerce on the web.

According to Anti-Phishing Working Group (APWG) statistics, the number of sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December 2008—an 827 percent increase from January

While the term "data-stealing malware" is a relatively new one, its sole purpose for existence is a familiar story:  to steal proprietary information such as online banking credentials, credit card numbers, social security numbers, passwords, and more from compromised networks and PCs in order to fuel an underground cyber crime economy driven by profit-seeking criminal networks that cross geopolitical boundaries.


Trojans: The Rising Star in Data-Stealing

Trojans are the fastest growing category of data-stealing malware, according to data from TrendLabs, Trend Micro's global network of research, service, and support centers committed to constant threat surveillance and attack prevention. Trojan attacks pose a serious threat to computer security. True to their name, they typically arrive disguised as something benign such as a screen saver, game, or joke. Based on TrendLabs research:
  • In 2007, 52 percent of data-stealing malware were Trojans; in 2008, that number increased to 87 percent; as of Q1 2009, 93 percent of data-stealing malware were Trojans.

  • Trojans and Trojan spyware are the predominant type of data-stealing malware in all regions monitored by TrendLabs, including Australia, Asia, Africa, South America, North America and Europe.









Survey Says...Swipe!

The Writing is On the Wall !
81.6% of Survey Respondents Prefer "Swiping" to "Typing!"

Below you will find partial results of our 5 question survey.

If you haven't yet participated in our survey, please refresh the page and do so.  We value your insight.  There are only five questions and it won't take but about 30 seconds of your time!  Thanks in advance!  

Meanwhile, I thought I'd share the results of questions 3-5 below.  It appears that people realize that when you type, your card data and/or banking information (such as username and password) can be compromised.

Here's a question, rhetorical as it may be: "When you go shopping at a brick-and-mortar store, would you write down your credit or debit card number on a piece of paper and hand it to the cashier, or worse yet, just leave it on the counter?"

Of course you wouldn't.  You probably would be reluctant even to hand your card over to the cashier, as consumers have grown accustomed to swiping it themselves. 

So when it comes to "online shopping" it does not take a lot of imagination to see the analogy here, does it? 

While 73.7% of respondents to our survey believe it is "unsafe" to "type" their account numbers into a box on a website, an even higher number of respondents (81.6%) agree that it makes much more sense to replicate the brick-and-mortar experience, and would prefer to swipe their card in the safety of their own home rather than type their card number into a box on a merchant's website.

79.9% believe it makes more sense to swipe their card and enter their PIN to log-in to their online banking account rather than "type" their username and password.   






MasterCard Pays Off Settlement with $335 Million

That's less than what Visa has paid ($340,000,000) on a monthly basis over the last 15 months into its Litigation Escrow Fund.  Plus, they save $65 million by paying it off early.  In these antitrust matters, MasterCard is usually found guilty by association.  Of the two that make up the Dynamic Duopoly, I think we might see them take a leading role in focusing on security.  This is based on the recent announcement that Level 2 merchants need to be assessed by a QSA.

Here's a blurb from "The Street," which is reporting that they'll pay off the remaining $400 million balance with a $335 million lump payment at the end of Q3...



The Purchase, N.Y.-based company settled a class action lawsuit in June 2003 with a number of U.S. merchants that took issue with certain antitrust aspects of the payment card industry. Under the settlement, MasterCard was required to pay $125 million in 2003 and $100 million annually each December from 2004 through 2012.

The company said in a Securities and Exchange Commission filing on Thursday that it had entered into an agreement the prior day that would allow for MasterCard to prepay its obligations of the remaining $400 million at a discounted amount of $335 million on Sept. 30.


Continue Reading at "The Street"

Rixty Debuts Cash Based Online Payments for Gaming

Rixty's Cash-Based Payment System Now Available at More Than 10,000 Retail Locations Nationwide

Prepaid Cards and Coinstar Kiosks Enable Gaming Payment for Those without Credit Cards




BERKELEY, Calif., Jul 01, 2009 (BUSINESS WIRE) -- Paying for online entertainment without a credit card just got easier, thanks to Rixty. The innovative e-commerce company launched today its new cash-based payment system at more than 10,000 retail locations. Now anyone with cash and coins can convert that money into online purchasing power across an exciting array of entertainment merchants.

Predominantly designed for the youth market, Rixty is a flexible payment option for any age bracket due to its ease of use and accessibility. By rolling out at more than 9,000 Coinstar(R) kiosks in the US, users will enjoy the convenience of adding to their online accounts by simply choosing the Rixty option when exchanging their coins for free at local Coinstar machines. In addition to the Coinstar kiosks, users will also have the option of buying prepaid cards through the in-store racks at more than 1,000 retail locations, including Cumberland Farms and Hess convenience stores.

Realizing that merchants have traditionally faced difficulty reaching younger audiences that often have limited access to more traditional payment forms, such as credit cards, Rixty aims to reduce that transactional friction and allow users to spend freely across a variety of online publishers.

"Rixty started with the idea that there should be some way to allow online entertainment enthusiasts, particularly the younger generation, the ability to enjoy what's available without relying on a credit card," said Ted Sorom, CEO, Rixty. "Our goal is simple: To provide anyone and everyone the freedom to choose how and where they spend their online entertainment dollars. Rixty does this by converting loose change into online purchasing power."

Rixty is launching with top publishers in the massively multi-player online (MMO) game space, including Perfect World Entertainment, ijji.com, GamesCampus, Ntreev USA, Ndoors Interactive, Inc., ourWorld.com, and Three Rings Design, publisher of Puzzle Pirates and Whirled. Rixty supports business models from microtransactions to subscriptions and is compatible with all types of online entertainment, including downloadable games, virtual worlds, casual and social games on social networks, digital downloads such as music mp3s, videos and games, mobile games and ringtones. The cash-based system also empowers the younger audience to take control of their entertainment spending without requiring adult involvement or a bank account.

"Rixty's new payment solution enables many of our young gamers who don't have credit cards or Paypal to purchase in-game items in Trickster, Grand Chase and Pangya," said Chris Lee, CEO, Ntreev USA. "We are very excited to partner with Rixty."

Merchants have searched for ways to attract new customers who might have previously experienced barriers to entry, which Rixty addresses with a cash option most e-commerce outlets have lacked. In addition, Rixty offers merchants the opportunity to be "discovered" by showcasing new games and online goods on the Rixty website.

"We are very pleased to add Rixty to our payment offerings," said David Chang, executive vice president, GamesCampus. "Rixty allows our users to buy items through their unique payment channels, allowing us to expand our paying customer base."

"What's great about Rixty is its ability to reach a broad spectrum of users from a wide demographic in various age groups," said Joon Kim, customer service manager, Perfect World Entertainment. "Rixty is convenient, easy to use, and widely available in many places."

About Rixty

Rixty is an alternative payment system designed specifically for today's online youth, empowering them to take control of their entertainment spending and giving them access to the online world of multiplayer and downloadable games, virtual worlds, social networks, digital downloads, mobile games and ringtones. Rixty never charges users fees, and by reducing payment friction, Rixty converts more users into paying customers, significantly increasing online publishers' revenues. For more information, visit www.rixty.com.

All trademarks are the property of their respective owners.

SOURCE: Rixty
