Wednesday, September 23, 2009

Credit Card Transaction Overview 101

Originally Posted on Technical Notes



Glossary of Terms



  • Customer: A customer is the one who purchases goods or services.

  • Cardholder: A person who is the owner of the card issued by the bank.

  • POS: Point of sale or point of service (POS or PoS) can mean a retail shop, a checkout counter in a shop, or the location where a transaction occurs.

  • Merchant: Merchant is the one who sells commodities to consumers (including businesses). A shop owner is a retail merchant.

  • Acquiring bank: An Acquiring bank (or acquirer) is the bank or financial institution that accepts payments for the products or services on behalf of a merchant.

  • Card Issuer: An issuing bank is a bank that offers card association branded payment cards directly to consumers.

  • Card Association: A card association is a network of issuing banks and acquiring banks that process payment cards of a specific brand. Familiar payment card association brands include Visa, MasterCard, American Express, Discover, Diner’s Club, and JCB.

1 Credit Cards

A credit card is part of a system of payments named after the small plastic card issued to users of the system. The issuer of the card grants a line of credit to the consumer (or the user) from which the user can borrow money for payment to a merchant.

Credit cards allow the consumers to ‘revolve’ their balance, at the cost of having interest charged.



1.1 Monthly Billing Cycle


The issuer generates a credit card bill on a predetermined day of the month. The customer should pay it before the grace period expires; otherwise, a late payment fee has to be paid.



1.2 Grace period


A credit card’s grace period is the time within which the customer has to pay the balance before interest is charged to the balance. Grace periods vary, but usually range from 20 to 40 days depending on the type of credit card and the issuing bank.



1.3 Late Payment


If you carry a balance, credit cards function like very expensive loans. The credit card company allows you to pay off what you owe little by little each month, as long as you pay a minimum amount each time. In exchange, you pay interest on the balance you owe (as high as 29% each year) at the end of each period.

2 How do credit card companies make money?

Credit card companies earn high profits in several ways.

  • High rates of interest — interest on credit cards accounts for the bulk of the profits earned by banks that issue credit cards.

  • Annual fees.

  • Late fees, over-the-limit fees, and other miscellaneous charges.

  • Charging merchants and service providers a fee each time a customer uses the company’s credit card in the merchant’s establishment.

3 Overview of Credit Card Processing

Signature-based (non-PIN-based) credit card transactions are a two-step process, consisting of an authorization and a settlement.



3.1 Authorization


Authorization is a verification process that happens at the time of purchase that allows merchants to verify that the customer’s account is valid and that sufficient funds are available to cover the transaction’s cost.



The verification takes place using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant’s acquiring bank. Data from the card is obtained from a magnetic stripe or chip on the card.


At this step, the funds are "held" and deducted from the customer’s credit limit (or bank balance, in the case of a debit card) but are not yet transferred to the merchant. Upon placing a hold, this amount will become unavailable either until the merchant clears the transaction (also called settlement), or the hold "falls off." In the case of credit cards, holds may last as long as 30 days, depending on the issuing bank.



3.2 Canceling an authorization hold


The merchant can cancel an authorization hold if the merchant uses an acquirer that supports a process known as authorization reversal. Different acquirers place different restrictions on the conditions that must be met for the merchant to make an authorization reversal, but it is typical that the reversal must be made very shortly (generally within a minute) after the original authorization. In cases where the merchant cannot perform a reversal, but wishes to cancel the authorization it is typical that the merchant would contact the acquirer by telephone. Alternatively, the cardholder may contact the issuing bank to request cancellation.



3.3 Batching


Authorized transactions are stored in "batches", which are sent to the acquirer. Batches are typically submitted once per day at the end of the business day. If a transaction is not submitted in the batch, the authorization will stay valid for a period determined by the issuer, after which the held amount will be returned back to the cardholder’s available credit. Some transactions may be submitted in the batch without prior authorizations; these are either transactions falling under the merchant’s floor limit or ones where the authorization was unsuccessful but the merchant still attempts to force the transaction through.



3.4 Clearing and Settlement


The acquirer sends the batch transactions through the credit card association, which debits the issuers for payment and credits the acquirer. Essentially, the issuer pays the acquirer for the transaction.



3.5 Funding


Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch minus the "discount rate," which is the fee the merchant pays the acquirer for processing the transactions.
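The steps in sections 3.1 to 3.5 can be followed as state changes on the cardholder's available credit. The sketch below is an added example, not part of the original post: the class and function names, the credit limit, the amounts and the 2.5% discount rate are constructed for illustration, and the 30-day hold lifetime is the upper bound mentioned in 3.1.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal

ZERO = Decimal("0")


@dataclass
class Hold:
    merchant: str
    amount: Decimal
    placed: date
    state: str = "held"  # held -> reversed | expired | settled


@dataclass
class Issuer:
    credit_limit: Decimal
    hold_days: int = 30          # assumed hold lifetime (the issuer decides this)
    balance: Decimal = ZERO      # settled debt owed by the cardholder
    holds: list = field(default_factory=list)

    def available(self) -> Decimal:
        held = sum((h.amount for h in self.holds if h.state == "held"), ZERO)
        return self.credit_limit - self.balance - held

    def authorize(self, merchant, amount, today):
        """3.1: place a hold if funds allow; no money moves yet."""
        if amount > self.available():
            return None  # declined
        hold = Hold(merchant, amount, today)
        self.holds.append(hold)
        return hold

    def reverse(self, hold):
        """3.2: authorization reversal releases the hold immediately."""
        if hold.state == "held":
            hold.state = "reversed"

    def expire_holds(self, today):
        """3.3: a hold that was never batched 'falls off' after hold_days."""
        for h in self.holds:
            if h.state == "held" and today - h.placed > timedelta(days=self.hold_days):
                h.state = "expired"

    def settle(self, hold) -> Decimal:
        """3.4: the issuer pays the acquirer and the hold becomes debt."""
        if hold.state != "held":
            return ZERO  # reversed or expired holds are not paid in this sketch
        hold.state = "settled"
        self.balance += hold.amount
        return hold.amount


def settle_and_fund(issuer, batch, discount_rate):
    """3.4 and 3.5: clear one batch, then fund the merchant minus the discount rate."""
    cleared = sum((issuer.settle(h) for h in batch), ZERO)
    fee = (cleared * discount_rate).quantize(Decimal("0.01"))
    return cleared, cleared - fee


def run_lifecycle():
    day0 = date(2009, 9, 21)  # constructed date
    issuer = Issuer(credit_limit=Decimal("1000"))
    out = {}
    shop = issuer.authorize("shop", Decimal("200"), day0)
    hotel = issuer.authorize("hotel", Decimal("300"), day0)
    out["after_two_auths"] = issuer.available()
    out["declined"] = issuer.authorize("store", Decimal("600"), day0) is None
    issuer.reverse(hotel)
    out["after_reversal"] = issuer.available()
    issuer.authorize("fuel", Decimal("100"), day0)  # authorized, never batched
    out["cleared"], out["funded"] = settle_and_fund(issuer, [shop], Decimal("0.025"))
    out["after_settlement"] = issuer.available()
    issuer.expire_holds(day0 + timedelta(days=31))
    out["after_expiry"] = issuer.available()
    return out


if __name__ == "__main__":
    for step, value in run_lifecycle().items():
        print(f"{step}: {value}")
```
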





Credit Card Transaction Lifecycle_1

3.6 Process Flow Diagram

Below we have depicted Authorization, Batching, Clearing and Settlement and Funding in a process flow diagram.





4 Chargebacks

A chargeback is an event in which money in a merchant account is held due to a dispute relating to the transaction. The cardholder typically initiates chargebacks. In the event of a chargeback, the issuer returns the transaction to the acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it.

The card-issuing bank will investigate disputes, and will "charge back" the value of the original transaction directly from the merchant’s acquiring bank, which is obligated under card network rules to pay the card issuer. The merchant’s acquirer will then attempt to recover an equal value of the chargeback plus a processing fee from the merchant’s bank account. Chargebacks are typically passed on to the merchant as a matter of acquirer policy unless the merchant can prove the transaction was legitimate, or goods and services have been rendered to a customer claiming otherwise.

Sometimes the consumer dispute is untrue, and their refund claim gets denied. In these situations, the merchant might have to pay a processing fee.

In cases of credit card fraud, the merchant loses

  • The goods or services sold.

  • The fees for processing the payment

  • Any currency conversion commissions

  • The processing fee for chargeback

For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions.



Credit Card Transaction Lifecycle_2

4.1 Process Flow Diagram Files







4.2 Some of the reasons for a chargeback


  • Card holder requests a copy of the transaction receipt.

  • Card holder did not authorize the transaction.

  • Non-matching account number.

  • Transaction was processed more than once.

  • Refund not processed.

  • No authorization.

  • Customer never received services.

  • Card not used within valid expiration date.

  • Error in transaction amount.

  • Transaction receipt is incorrect, incomplete, or illegible.

  • Transaction processed for incorrect amount.

  • Product different from what was described or promised.

  • Transaction not processed within Visa or MasterCard time frames.

  • Signature on receipt different from card.

  • Card-holder claims merchant changed transaction amount without permission.

  • Merchant knowingly participated in a fraudulent transaction.

  • Incorrect Transaction Date.

  • Card-holder claims invalid mail or telephone order transaction.

  • Card-holder was denied ability to return item.

  • Transaction was not cancelled successfully.

  • Card-holder not satisfied with quality of product or services.

A buyer may also initiate a false chargeback after receiving goods or services; this is considered fraud.





Tuesday, September 22, 2009

Cynergy Data "Stalking Horse" Asset Sale Approved



Stalking Horse Bid: "This method allows the distressed company to avoid low bids on its assets. Once the stalking horse has made its bid, other potential buyers may submit competing bids for the bankrupt company's assets. In essence, the stalking horse sets the bar so that other bidders can't low-ball the purchase price."



Long Island City, N.Y., Sept. 21, 2009 -- Cynergy Data announced today that it has received approval from the United States Bankruptcy Court for the District of Delaware for its proposed bidding procedures and timetable for the sale of substantially all of its assets.



As part of its Chapter 11 sale process, Cynergy Data has entered into an asset purchase agreement with "stalking horse" bidder Cynergy Holdings, LLC, an investment vehicle that is managed by The ComVest Group, a private investment firm focused on providing debt and equity solutions to middle market companies. ComVest is a leading provider of capital to the financial technology markets and owns controlling interests in a number of companies in the electronic payment processing industry, including Pipeline Data, CardAccept, AirCharge, SecurePay and Northern Merchant Services.



Pursuant to the Bankruptcy Court approved procedures, other parties have an opportunity to submit bids on or before October 2, 2009 at 4:00 p.m. (EST). If no additional bids are received by the bid deadline, Cynergy Data will immediately seek Bankruptcy Court approval of its sale to Cynergy Holdings, LLC. If additional bids are received, an auction will take place on October 5, 2009, at the offices of the company's legal counsel Nixon Peabody LLP in New York. A hearing to approve the sale is scheduled for October 7, 2009, and Cynergy Data expects to close the sale shortly thereafter.



According to Cynergy Data's chief executive officer, Marcelo Paladini, "We are pleased by Judge Gross' decision to approve our proposed bidding procedures. This is an important step to ensure that we will be able to complete our sale process and restructuring as quickly as possible, and begin the next stage in our company's history. We intend to continue providing world-class products and services to our merchants and ISO partners during this process and beyond."



In addition to approving Cynergy Data's sale procedures, during the September 15 hearing the Bankruptcy Court granted other motions seeking various forms of relief, including the company's retention of professionals to assist it during its Chapter 11 proceedings and its continued use of postpetition financing. This relief will allow Cynergy Data to operate in the ordinary course during its Chapter 11 restructuring.



On Tuesday, September 1, 2009, Cynergy Data and two subsidiaries filed voluntary petitions for business reorganization under Chapter 11 of the U.S. Bankruptcy Code. The Honorable Kevin Gross of the U.S. Bankruptcy Court for the District of Delaware is presiding over Cynergy Data's chapter 11 proceedings. Copies of court documents are available at http://www.kccllc.net/cynergydata . Additional information regarding Cynergy Data's restructuring is available at www.cynergydata.com/restructuring .



About Cynergy Data



Launched in 1995, Cynergy Data is a merchant credit card processing service provider that gives business owners excellent customer support and unparalleled merchant services. The company emphasizes honest, service-oriented business practices and customer-friendly products and services. During the past 14 years, Cynergy Data has rapidly expanded from a two-person operation to one that employs over 130 service-oriented team members. Headquartered in New York City, Cynergy Data manages a portfolio of nearly 80,000 merchants processing in excess of $10 billion annually.



About The ComVest Group



The ComVest Group is a leading private investment firm focused on providing debt and equity solutions to middle-market companies with enterprise values of less than $350 million. Since 1988 ComVest has invested more than $2 billion of capital in over 200 public and private companies worldwide. Through its extensive financial resources and broad network of industry experts, ComVest offers its portfolio companies total financial sponsorship, critical strategic support, and business development assistance. ComVest additionally owns controlling interest in Pipeline Data, CardAccept, AirCharge, SecurePay and Northern Merchant Services; all credit card merchant servicing organizations. For further information on ComVest, please contact Partner Daniel Nenadovic at 561.727.2070 or via e-mail at: danieln@comvest.com.

Dual PIN Functionality Fights Crime

PIN technology aims to foil criminals



Dual PIN functionality has been developed by BPC Banking Technologies that enables cardholders to notify both the bank and the police of robbery incidents.



The technology allows a cardholder to change their PIN code at an ATM. This can then be used to perform card transactions, while the original PIN is limited in its use and provides a mechanism to indicate an attempted or actual robbery.



As a result of its double PIN technology, BPC Banking Technologies, a provider of e-payment services, said that if a robbery is in progress, further ATM transactions will not proceed and an error message will appear on the ATM screen such as ‘card limit exceeded’. This is to help the cardholder avoid further losses.




CHARGEAnywhere's Mobile Payment Software Application





South Plainfield, N.J., Sept. 21, 2009 -PIN Payments News Blog- CHARGE Anywhere®, a leading provider of secure Point-of-Sale (POS) solutions and electronic payment services and a BlackBerry® ISV Alliance Partner, is proud to announce a new release of its industry leading mobile card payment software application. Overall enhancements include a new user friendly graphical interface with large icons and a blue design theme.



CHARGE Anywhere specializes in secure mobile point of sale solutions that encompass software, hardware, security services and support for mobile merchants. With many secure PA DSS certified software applications and its top-of-the-line PCI DSS Level 1 secure payment gateway, CHARGE Anywhere provides end-to-end secure solutions that enable merchants to accept credit cards anywhere, any time. With the downloadable Mobile Payments Application, merchants will be able to use a Bluetooth Receipt Printer/Card Reader that will allow them to qualify for swiped rates.



"With the release of the new Mobile Payment Application for BlackBerry, CHARGE Anywhere maintains its leadership position in providing the latest in secure, mobile payment solutions to our valued customers and partners," said Paul Sabella, President and CEO of CHARGE Anywhere.



"CHARGE Anywhere works tirelessly to provide best-of-breed solutions to the market as evidenced by the completion of our software release and redesign," said Dmitriy Lerman, Director of Marketing at CHARGE Anywhere.



The CHARGE Anywhere team strives to be on the leading edge, providing continuous integration with the latest technologies, while maintaining award-winning iron-clad security. CHARGE Anywhere's existing customers will be able to upgrade to the new software free of charge as part of CHARGE Anywhere's Quality Assurance program. This software will be available to new customers starting today, September 21st at www.chargeanywheredirect.com on a Software as a Service (SaaS) platform.



About CHARGE Anywhere



CHARGE Anywhere is a leading provider of secure Point of Sale (POS) solutions and electronic payment services. Our proprietary Payment Card Industry (PCI) PA DSS Certified CHARGE Anywhere v2.0.0 Mobile Payment and POS software solution designed for QuickBooks®, Smartphones and e-commerce environments, and the Web Terminal Payment Solution - ensures PCI Level 1 compliance via ComsGate® Payment Gateway. CHARGE Anywhere offers business partners and customers the most secure and robust selection of industry specific and customized POS solutions and services, including; IP/Wireless Payment Gateway, POS software, Encryption and Data Security Services, Custom Card Issuance, and Merchant Billing Services. For more information contact them at www.chargeanywheredirect.com , or (800) 404-2014.



Source: Company press release.

WhiteHat Security Simplifies PCI for Application Security





SANTA CLARA, Calif., Sept. 22 /PIN Payments News Blog/ -- WhiteHat Security, the leading provider of website risk management solutions, today announced the WhiteHat Sentinel PCI bundle. Combining industry-leading WhiteHat Sentinel vulnerability management solutions, customized reporting and website security training, the new offering delivers all the components necessary for achieving and maintaining application security compliance as specified in the Payment Card Industry Data Security Standard (PCI DSS) sections 6 and 11.



PCI compliance for application security has gained significant attention over the last year. Both internal and public-facing websites are covered under different sections of the PCI DSS and as new sections appear, companies need to ensure that their current website risk management program helps them meet the necessary requirements. With its in-house PCI experts and innovative training curriculum, WhiteHat can offer its customers everything they need to protect their websites and remain compliant.



The WhiteHat Sentinel PCI Bundle includes the following:

  • WhiteHat Sentinel Premium Edition (PE) or Standard Edition (SE) -- WhiteHat Sentinel PE and SE exceed requirements 6.3.7b, 6.5 and 6.6 of the PCI DSS by providing ongoing, verified vulnerability assessments for both internal and public websites. In addition, Sentinel PE satisfies requirement 11.3.2 which mandates application-layer penetration testing.

  • Customized PCI Reporting -- The Sentinel PCI report delivers both an overview and an in-depth look into the PCI compliance of each website under management. For each vulnerability class, the report details how the vulnerability is exploited, gives protection advice and lists links to reference information. Open vulnerabilities of each class on the customer's website are also listed.

  • "Introduction to Web Application Security" training -- This course provides an overview of the fundamental principles of website security and meets PCI DSS requirement 6.5b which covers developer training on secure coding techniques. All participants will receive a certificate confirming course completion.


"Regardless of industry or size, all companies are faced with the seemingly overwhelming task of protecting their websites and meeting various compliance requirements such as PCI," said Stephanie Fohn, chief executive officer, WhiteHat Security. "We are offering the PCI Bundle to help make the whole process more palatable and easier to manage. Now customers have a single source for comprehensive, cost-effective PCI application security compliance that will also improve overall website security and developer performance."



WhiteHat Sentinel allows organizations to conduct the most complete vulnerability assessments -- as often as they'd like or every time a website is changed -- ensuring that all existing and new vulnerabilities are identified and assessed. WhiteHat's patented methodology exceeds the strictest industry standards as established by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.



The WhiteHat Sentinel product family is composed of Software-as-a-Service (SaaS) website security solutions that deliver the visibility, flexibility and manageability that organizations need to take control of website security and prevent Web attacks. WhiteHat Sentinel was built from the ground up to assess the largest and most complex websites in the world on an ongoing basis, and today executes rigorous and ongoing security testing on thousands of the world's leading websites, including many Fortune 500 companies.



The PCI Bundle is available immediately and offers a 25 percent discount off the list price of the "Introduction to Web Application Security" class. The new customized PCI report is currently available to all Sentinel customers at no additional charge. Contact the WhiteHat sales office at (408) 343-8300 for more information or email at sales@whitehatsec.com.



About WhiteHat Security, Inc.



Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company's flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the visibility, flexibility and manageability that organizations need to take control of website security and prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls. To learn more about WhiteHat Security, please visit our website at www.whitehatsec.com.





Source: Company Press Release

ABA Survey: Consumers Prefer Online Banking


Survey shows shift in consumer preference away from visiting bank branches







WASHINGTON – A new survey by the American Bankers Association shows that for the first time, more bank customers (25 percent) prefer to do their banking online compared to any other method.



The annual survey of 1,000 consumers was conducted for the ABA by Ipsos-Reid, an independent market research firm, on August 14-16, 2009. A list of questions asked was designed to take a snapshot of current consumer trends.



“This marks a watershed change,” said Nessa Feddis, ABA senior counsel and retail banking expert. “It tells us that for the first time, more consumers prefer the speed and convenience of conducting their banking transactions on the Internet than visiting their local branch. It also tells us that consumers now have confidence in the accuracy and security of online banking,” she added.



Survey results showed that the popularity of online banking was not exclusive to the youngest consumers: it was the preferred banking method for all bank customers under the age of 55. Consumers over 55 still prefer to visit their local branch (26 percent), followed by ATMs (17 percent).



Among all consumers, the preference for online banking was followed by visiting branches (21 percent), and using ATMs (17 percent). The use of mobile banking (cell phones, PDAs, etc.) was preferred by one percent of consumers, primarily among 18 to 34 year olds. The popularity of ATMs was down in all age groups.



“Online banking may now be the most preferred method of banking but banks are committed to providing the best customer service to all consumers. Increasing competitive focus means bank customers will continue to have the choice between branches, ATMs, telephone, cell phone, or the Internet to conduct their transactions – whichever they find most convenient for them,” Feddis said.





The American Bankers Association brings together banks of all sizes and charters into one association. ABA works to enhance the competitiveness of the nation's banking industry and strengthen America’s economy and communities. Its members – the majority of which are banks with less than $125 million in assets – represent over 95 percent of the industry’s $13.3 trillion in assets and employ over 2 million men and women.






Source ABA Press Release






China's Household Spending to Rise: MasterCard



HONG KONG -- A survey by MasterCard shows that China's household spending will increase, thanks to the government's $586 billion economic stimulus.



A survey of 6,300 families shows that 41% of urban households and 59% of rural households intend to spend more during the next year than they did in the previous 12 months.



"The short- to medium-term income and employment stimulus may well develop into longer-term structural improvement that supports a higher level of household spending," said Yuwa Hedrick Wong, an economic adviser at MasterCard Worldwide.



China Post, The (Sept. 22 2009)

Apple and eBay Hit with Patent Infringement Suit





Back in 1995, Telequip Corporation (TQP) was issued a patent for encrypted data transmission. They had already filed lawsuits against 20 plus financial institutions and payments companies including: Barclays Bank, Prudential, Amazon.com, Visa, and many more. TQP previously settled the matter with MasterCard back in June and with Amazon.com in July and American Express in August.



Now they have targeted Apple and eBay and have Ticketmaster, UPS, CVS, DHL, MetLife, PayPal and BillMeLate in their "sites."





Here's an excerpt from a report published at H-Security:



For some time, Vendor TQP (Telequip Corporation) has been filing lawsuits against various US banks over its patent (PDF) for changing keys during encrypted data transmissions. Now the list of defendants also includes Apple and eBay.



The claim is about the alleged violation of a patent which was applied for in 1992 and granted in 1995. It describes a method in which symmetric keys for a sender and a recipient are created using synchronised pseudo-random number generators and may be changed during transmission.




It would seem that TQP's claims aren't completely without merit – after all, the vendor has already achieved out-of-court settlements with American Express, MasterCard and Amazon. TQP filed earlier lawsuits against financial institutions including Merrill Lynch, the Bank of America and Capital One. The new lawsuit against Apple and eBay also accuses Ticketmaster, Fandango, Live Nation, UPS, CVS, DHL, MetLife, Broadcast Music, Half.com, MicroPlace, Viva Group, ProStores, PayPal and BillMeLater of violating the patent by using certain secure data transmission technologies between customers and servers.
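The general idea in the excerpt (both ends derive the same key sequence from synchronised pseudo-random generators and change keys mid-transmission) can be sketched as follows. This is an added example, not code from the original post, H-Security or the patent: the HMAC-SHA256 generator, the three-block rotation interval, the XOR keystream standing in for a real cipher and all names are assumptions.

```python
import hashlib
import hmac

BLOCKS_PER_KEY = 3  # assumed rotation interval (not from the page)


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class KeyGenerator:
    """Deterministic generator: the same seed yields the same key sequence."""

    def __init__(self, seed: bytes):
        self._state = hashlib.sha256(b"seed|" + seed).digest()

    def next_key(self) -> bytes:
        self._state = _prf(self._state, b"advance")  # one-way step forward
        return _prf(self._state, b"key")


class Endpoint:
    """Either side of the link; both sides run identical key-schedule logic."""

    def __init__(self, seed: bytes):
        self._gen = KeyGenerator(seed)
        self._key = self._gen.next_key()
        self._used = 0       # blocks processed under the current key
        self.rotations = 0

    def _next_block_keys(self):
        # Rotate once the current key has covered BLOCKS_PER_KEY blocks.
        if self._used == BLOCKS_PER_KEY:
            self._key = self._gen.next_key()
            self._used = 0
            self.rotations += 1
        label = self._used.to_bytes(4, "big")
        self._used += 1
        return _prf(self._key, b"enc" + label), _prf(self._key, b"mac" + label)

    @staticmethod
    def _xor(data: bytes, enc_key: bytes) -> bytes:
        # Keystream stand-in for a real cipher, so the sketch needs no extra libraries.
        stream, counter = b"", 0
        while len(stream) < len(data):
            stream += _prf(enc_key, counter.to_bytes(4, "big"))
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def send(self, plaintext: bytes) -> bytes:
        enc_key, mac_key = self._next_block_keys()
        ciphertext = self._xor(plaintext, enc_key)
        return ciphertext + _prf(mac_key, ciphertext)

    def receive(self, block: bytes) -> bytes:
        enc_key, mac_key = self._next_block_keys()
        ciphertext, tag = block[:-32], block[-32:]
        if not hmac.compare_digest(tag, _prf(mac_key, ciphertext)):
            raise ValueError("tag mismatch: generators out of step or block altered")
        return self._xor(ciphertext, enc_key)


def run_demo():
    seed = b"constructed shared seed"  # constructed sample value
    messages = [f"block {i}".encode() for i in range(7)]

    # In step: seven blocks cross two key changes and still decrypt.
    sender, receiver = Endpoint(seed), Endpoint(seed)
    wire = [sender.send(m) for m in messages]
    in_sync = [receiver.receive(w) for w in wire] == messages
    rotations = (sender.rotations, receiver.rotations)

    # Out of step: block 2 is lost, so block 3 arrives under a key the
    # receiver has not rotated to yet, and the tag check rejects it.
    sender2, receiver2 = Endpoint(seed), Endpoint(seed)
    wire2 = [sender2.send(m) for m in messages[:4]]
    receiver2.receive(wire2[0])
    receiver2.receive(wire2[1])
    try:
        receiver2.receive(wire2[3])
        loss_detected = False
    except ValueError:
        loss_detected = True
    return in_sync, rotations, loss_detected


if __name__ == "__main__":
    print(run_demo())
```

The second half of the demo shows the operational weak point of any counter-synchronised scheme: one lost block leaves the two generators out of step until the endpoints resynchronise.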



Russia to Create an Alternative to Visa/MasterCard





Europe announced they are planning an alternative debit network to Visa and MasterCard, which should go live in 2010, (Monnet Should Be Ready for 2010 Launch) and the Russian Information Center claims that Russia is planning to do the same with a national payment system.



Russia to create an alternative to Visa and MasterCard




"The Russian ministry of Finance is going to introduce a draft bill on the national payment system in November 2009, reports the Kommersant newspaper. At the moment a group of experts engaged in development of the payment card system is working on the document.

The national payment system will probably be created on the basis of an existent Russian system in order to reduce dependence on the foreign market players.



Interestingly, the first attempt to set up a national payment card system was made in 1993 by the Bank of Russia, but it failed. Later some private companies ventured at running their own systems of that kind but never succeeded. In 2005 the Central Bank of Russia claimed the all-Russian payment system will be based on Sberbank's Sberkart system, which was renamed into the United Russian Payment System (URPS) in 2008.



Today, the major players on the Russian market are Visa and MasterCard accounting for more than 85% of all cards issued and transactions performed using payment cards. Besides, there are about 20 small payment systems operating in Russia, such as the URPS and Golden Crown (3% and 5% respectively).



By 1 September 2009 Sberbank had issued over 35 million payment cards (3.5 million URPS cards, while the rest is Visa and MasterCard). The truth is that Visa and MasterCard systems are already a part of the Russian market, while expenses on creation of a solely Russian payment system are huge."



Source: www.lenta.ru



More Information: 

Russian Payments System




The State of the Russia's Payment Systems (PDF)






MasterCard Announces a 15 Cent Per Share Quarterly Dividend










MasterCard Board of Directors Announces Regular Quarterly Dividend




PURCHASE, N.Y., -PIN Payments News Blog- MasterCard Incorporated (NYSE: MA)  today announced that its Board of Directors has declared a quarterly cash dividend to holders of shares of its Class A common stock and Class B common stock. The cash dividend of 15 cents per share will be paid on November 10, 2009 to holders of record of its Class A common stock and Class B common stock as of October 9, 2009.





About MasterCard Incorporated


MasterCard Incorporated advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard(R), Maestro(R) and Cirrus(R), MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to www.mastercard.com.





SOURCE MasterCard Incorporated




Monday, September 21, 2009

Senator Proposes Use of Internet Gambling Revenue to Help Fund Health Care Reform





WASHINGTON, Sept. 21 /PIN Payments News Blog/ -- An increased focus on the benefits of Internet gambling regulation is expected as the Senate Finance Committee considers a proposal introduced on Saturday to use Internet gambling revenue to offset the costs of health care reform. The amendment offered by Senator Ron Wyden (D-OR) would dedicate Internet gambling tax revenue generated through implementation of the currently pending Internet Regulation, Consumer Protection and Enforcement Act (H.R. 2267) to increase low-income subsidies provided through the America's Healthy Future Act of 2009. A PricewaterhouseCoopers analysis shows that collecting taxes on regulated Internet gambling would allow the U.S. to capture up to $62.7 billion over the next decade.



"We applaud Senator Wyden's proposal to collect and put to good use tens of billions in Internet gambling revenue that would otherwise be lost in the underground marketplace," said Michael Waxman, spokesperson for the Safe and Secure Internet Gambling Initiative. "The Senate Finance Committee should approve the resolution, finally putting to an end a failed prohibition on Internet gambling that leaves Americans unprotected and unlicensed offshore operators as the only beneficiary in a thriving marketplace."



The Internet Gambling Regulation, Consumer Protection and Enforcement Act of 2009 (H.R. 2267), introduced in May by House Committee on Financial Services Chairman Barney Frank (D-MA), would establish a framework to permit licensed gambling operators to accept wagers from individuals in the U.S. The legislation mandates a number of significant consumer protections including safeguards against compulsive and underage gambling, money laundering, fraud and identity theft. Additional provisions in the legislation reinforce the rights of each state to determine whether to allow Internet gambling activity for people accessing the Internet within the state and to apply other restrictions on the activity as determined necessary.



A companion to Chairman Frank's legislation introduced by Rep. Jim McDermott (D-WA), the Internet Gambling Regulation and Tax Enforcement Act (H.R. 2268), would raise revenue for the U.S. Treasury primarily through ensuring that applicable individual taxes, corporate taxes and license fees on regulated Internet gambling activities are collected. Without this legislation, this revenue will remain uncollected while millions of Americans gamble online without consumer protections.



About Safe and Secure Internet Gambling Initiative



The Safe and Secure Internet Gambling Initiative promotes the freedom of individuals to gamble online with the proper safeguards to protect consumers and ensure the integrity of financial transactions. For more information on the Initiative, please visit www.safeandsecureig.org. The Web site provides a means by which individuals can register support for regulated Internet gambling with their elected representatives.



SOURCE Safe and Secure Internet Gambling Initiative

Keeping Credit Cards Secure: Washington Times



"I think the U.S. is targeted because there's more and wealthier people on the Internet and we're more active in e-commerce," Avivah Litan - Distinguished Analyst at Gartner Research - Quoted in Washington Times 



Editor's Food for Thought:  If the U.S. did bite the bullet and decide to spend $8 Billion Dollars to switch over to Chip and PIN it is NOT going to reduce eCommerce Fraud one iota 



At least not until we start swiping the card itself.  (Replacing the Card Not Present Environment with a Card Present one.)  As long as there is a "Card Not Present" environment, there will be fraud, because fraud, like water, finds the path of least resistance.   The path we are on (typing vs. swiping) makes it easy for the bad guys to steal our personal data and wreak havoc.   Wake up and smell the coffee!



Until we start "swiping our cards" it would make NO DIFFERENCE WHATSOEVER, in terms of eCommerce Fraud, whether the cards that banks issue are Contactless, Chip and PIN, Magnetic Stripe...or anything else.  



What difference does it make whether there is an integrated circuit built into the card if we don't swipe the card? It wouldn't matter if a card had the user's DNA embedded onto the card if the card is not read.  Until consumers stop entering their credit/debit card number by typing it into a box on a website, there will be fraud.  Where am I wrong here?  Hint:  Nowhere!




Anyway, I thought  it important to make the distinction prior to you reading the Washington Times article below.  In regards to the "brick and mortar" space, I agree that switching over to Chip and PIN would greatly reduce fraud created by cloning magnetic stripe cards, but, again, until we start swiping and stop typing,  it won't matter if the card is Smart, Dumb, a Kindergartner or Einstein.





There is only one "Smart vs. Dumb" argument when it comes to transacting on the web.   What's dumb is typing/entering our card information into a browser environment.   What's Smart is swiping the card in order to instantaneously "encrypt" the card information, keeping it from the bad guys.  (In fact, it's such a simple concept, I got a Kinder-Gartner to draw it up for you...she's right!)



By the way, HomeATM's PCI 2.x certified personal point of sale terminal would not only enable consumers to swipe their magnetic stripe card, but we also have an EMV version which would enable consumers to swipe smart cards. 



So let's not confuse eCommerce transactions with brick and mortar.  In the brick and mortar world the card is swiped.  Until we convert the "card not present" methodology currently relied on for Internet Financial Transactions, into a "card present" environment, by providing consumers with a personal card reader and PIN Entry Device, the point is moot.




Here's the Washington Times Story: (excerpts only)

Keeping credit cards secure

By William Ehart




Next-generation security for debit and credit cards is on hold in the United States as banks and retailers argue over who should pay for a new system. Americans continue to use plastic for more and more transactions, at checkout counters, over the phone and on the Internet, despite increasingly frequent security breaches.



But the banking industry's losses have not been large enough to spur a consensus on financing the estimated $8 billion cost of moving beyond the aging magnetic-stripe technology now in use, analysts and consumer advocates say. "Up until now, it hasn't been that necessary, but in the last few years, hundreds of millions of cards have been compromised," said Avivah Litan, a Gartner Research analyst.







"The question is, how much more fraud do the banks want to tolerate?"

"The old formula that a lot of them are still using is, 'What is the cost of fraud or loss versus the cost of putting in a new system,' and it's the wrong formula.

"You have to consider what is your fraud loss, what is the cost of losing your customers, the decline of your stock price, what's the cost of your fraud resolution units and the loss of your reputation?" - Linda Foley - Founder of Identity Theft Resource Center in San Diego



The industry is tight-lipped on fraud losses, although they are known to be in the billions each year.


"They don't ever reveal the exact numbers, so we don't know," said Ms. Litan. "All we know is there are a lot of breaches and there's a lot of money being spent on security in the wrong places." The "chip and PIN" system used for payment cards in much of the world greatly reduces the risk from cyberthieves. (Editor's Note: Again, it would NOT reduce "card not present" fraud until we stop typing)

Although this smart-card system isn't foolproof, in most cases a thief would need to physically possess your card in order to withdraw cash or make an unauthorized charge. With magnetic-stripe technology, hackers can reprogram a dummy card with your account information. (Editor's Note: A cyberthief would NOT need to physically possess your card until the card industry mandates a "card present" environment for the web...i.e. "Swipe...Don't Type!")

A microchip embedded in each smart card contains the user's account information, and some transactions also require a PIN number. The "chip and PIN" system is used in Europe, Mexico and elsewhere, Ms. Litan said. It will be rolled out in Canada next month. Everyone along the electronic-payments food chain agrees that more security is needed, from the banks that issue the cards to the retailers that accept them to the payment processors whose networks transmit essential information.

It's just that retailers think the banks should pay more and that banks think the retailers and payment processors should pay more.



Every consumer would need new cards — by some estimates, Americans hold more than a billion of them. Even more daunting, every card-swipe machine in the country would need to be replaced. Nagraj Seshadri, senior product marketing manager at security company Sophos, said it cost $1.6 billion to roll out "chip and PIN" in Britain. Since the U.S. population of 300 million is five times greater, it could cost $8 billion to do the same here, he said.

Yet the value of purchases made in the United States with Visa Inc.'s debit and credit cards alone exceeded $1.6 trillion last year. And this country is a big bull's-eye for hackers around the world.
















Gartner: Security Software Market will Total $14.5 Billion in 2009

The worldwide security software market will total $14.5 billion in 2009, an 8% increase from 2008, according to Gartner. In 2008, it grew at 19 per cent, and Gartner anticipates the market to grow 13 per cent in 2010 as revenue will total $16.3 billion.



In Europe, the security software market will total €3.2 billion in 2009, representing 7% growth from 2008.



“Although the worldwide security software market is affected by the economic downturn, the growth will continue to be strong in 2009 as security remains a critical area where drastic cuts cannot be afforded,” said Ruggero Contu, principal research analyst at Gartner. “In the medium term, the greatest growth opportunities will come from software as a service (SaaS), appliance based offering and small and medium businesses (SMBs), which are in security catch-up mode compared with large companies and therefore spend a higher percentage of their budgets on security.”



In 2009, consumer security will remain the largest segment (in terms of total software revenue) in the security software market, representing 25 per cent of the total market. Gartner estimates it will account for $3.6 billion, growing 4 per cent in 2009. The enterprise security software market formed by a number of segments such as endpoint protection platform, email security boundary and user provisioning is predicted to account for $10.9 billion, reaching 9 per cent growth in 2009.



Continue Reading at  Net-Security.org 



Additional information is available in the Gartner report "Market Trends: Security Markets, Worldwide, 2007-2013." 






VerifySmart's New Card Fraud Prevention and Detection Technology Targets Multi-Billion Dollar Financial Fraud Loss Market; Lets Consumers Off The Liability Hook





TAGUIG, Metro Manila, Philippines, Sept. 21 /PIN Payments News Blog/ - VerifySmart(TM) Corp. (VSMR: OTCBB): VerifySmart, a global leader in secure and fraud free payment processing services, introduces a new 'no-fault' fraud protection solution technology (the "Technology") for credit and debit card holding consumers, and unprecedented fraud detection and prevention protocols for merchants and financial institutions.



VerifySmart's Technology comes at a watershed moment in the global financial community, when astronomical credit and debit card fraud losses make headlines with alarming regularity. While most financial institutions are hesitant to post actual credit and debit card fraud loss numbers, the figures are staggering as far back as 2005, when an FBI report indicated that credit card fraud represented the majority of the $315 billion US financial fraud loss for that year. A recent European study reported that more than 22 million adults fell victim to credit card fraud in 2006.



Financial institutions and consumers alike hoped that the recently introduced, so-called Chip and PIN technology, first introduced in the UK, would drastically reduce credit and debit card fraud, but a 2008 APACS (Association of Payment Clearing Services) report indicates a loss prevention gain of just 0.02%, after Chip and PIN technology was adopted (0.14% fraud losses as a percentage of card turnover pre Chip and PIN, versus 0.12% post Chip and PIN).



An unwelcome sidebar disadvantage of Chip and PIN, VISA, and other currently available so-called credit and debit card fraud prevention and detection technologies is the assumption of 'total card holder liability' made by many financial institutions. That is, the widespread practice, by banks and other financial institutions, of assigning loss liability to the cardholder on the assumption that the cardholder either wrote down or otherwise disclosed their PIN number and are therefore liable and accountable for the loss. The apparent growing lack of faith in Chip and PIN and other card fraud prevention technologies is evident in the fine print.



One of Canada's oldest banks introduces its faith in the new Pin and CHIP technology policy to credit card customers in writing as follows: "If a cardholder fails to comply with any obligation in the section entitled personal identification number (PIN) and someone other than the cardholder makes any PIN-based transactions on the Visa account, the cardholder will be liable for those transactions and any interest, fees and losses incurred...." The same national bank outlines debit card liability in their cardholder agreement: "Contributing to unauthorized use: if someone uses your bank card or PIN without your authority but your actions (or inaction) contributed to that unauthorized use, you are responsible for all losses...."



All popular and available credit and debit card fraud prevention and detection systems have a single element in common, and that is the single element. Once a credit or debit card has been stolen, a seasoned criminal or fraud expert can quite easily breach required securities, assume an identity, and successfully execute several commercial transactions - at the expense of the card holder (fraud and theft insurance notwithstanding).



VerifySmart's Technology adds a second, hacker-safe layer of protection, and several levels of reassurance for consumers and financial institutions alike, by involving a second element, and with that second element, a secure 'double-check' to the transaction process.



How VerifySmart(TM) Technology Works



In smart contrast to Chip and PIN, VerifySmart(TM) provides a complete solution to lost or stolen cards, identity theft and cloned cards while putting control of the transactions directly in the hands of the card owner. VerifySmart(TM) has developed key technology that is simple yet effective. The cornerstone is an authentication model that decouples the verification and PIN process from the physical card or transaction medium offering the industry a new and proven fraud reduction mechanism.



VerifySmart's key benefit is a two-part authentication whereby a second source (mobile phone or PDA and a PIN) of identification which cannot be forged, is required to complete the transaction.



VerifySmart's credit and debit card fraud detection and prevention technology is patent and patent-pending (PCT approved) in 29 countries ranked by strategic importance and wireless penetration rates.



In addition, using VerifySmart's credit and debit card fraud detection and prevention technology, card transactions and other applications, such as internet transactions can be verified without requiring the banks and merchants to invest in new equipment and without major modifications to legacy systems.



VerifySmart(TM) Technology provides for verification through the end client's mobile device, such as a cell phone, with the transaction completely under the control of the card holder at all times. The process is simple and secure, uses technology that consumers and businesses alike are familiar with, does not require new hardware and only takes seconds to complete. VerifySmart's methodology uses a two factor system to verify both the transaction and unique owner credentials in real time creating a security model that is effectively impossible to breach.



VerifySmart's debit and credit card processing occurs in less than ten seconds, as follows:
- The merchant (or ATM machine) swipes the customer's card in the normal manner;
- The debit signal transmits to the bank but before entering the bank's system it is directed by VerifySmart(TM) to the card holder's mobile phone;
- The card holder's mobile device is unique as to its phone number and identity code so the transmission is secure to that one device;
- The card holder receives a cell phone message that a transaction is in progress with their card for a named merchant and asks for authorization;
- The card holder then enters their unique PIN number to authorize the transaction or refuses the transaction (if they do not acknowledge with their PIN the transaction will fail);
- Upon receiving the authentication signal from the owner, the VerifySmart(TM) system allows the signal to complete its journey to the bank and the merchant receives the 'all clear'.
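
The hold-then-confirm flow in the steps above can be modelled as a small gate in front of the bank. This is an added sketch, not VerifySmart's code: the class and method names, the 10-second expiry, the three-attempt PIN limit and the PBKDF2 PIN storage are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DECLINED = "declined"
    EXPIRED = "expired"

def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Store a salted, stretched hash of the PIN, never the PIN itself (assumption).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Enrollment:
    device_id: str
    salt: bytes
    pin_hash: bytes

@dataclass
class HeldTxn:
    card: str
    merchant: str
    amount_cents: int
    deadline: float
    status: Status = Status.PENDING
    bad_pins: int = 0

class ConfirmationGateway:
    MAX_BAD_PINS = 3  # hypothetical limit; the page does not state one

    def __init__(self, ttl_seconds=10.0, clock=time.monotonic):
        self.ttl, self.clock = ttl_seconds, clock
        self.enrolled = {}   # card -> Enrollment
        self.held = {}       # txn_id -> HeldTxn

    def enroll(self, card, device_id, pin):
        salt = secrets.token_bytes(16)
        self.enrolled[card] = Enrollment(device_id, salt, _pin_hash(pin, salt))

    def hold(self, card, merchant, amount_cents):
        # Steps 2-4: park the debit before it reaches the bank and build the
        # message for the one enrolled device, naming the merchant.
        enr = self.enrolled[card]
        txn_id = secrets.token_hex(8)
        self.held[txn_id] = HeldTxn(card, merchant, amount_cents,
                                    self.clock() + self.ttl)
        push = {"to": enr.device_id, "txn_id": txn_id,
                "merchant": merchant, "amount_cents": amount_cents}
        return txn_id, push

    def respond(self, txn_id, device_id, pin="", approve=True):
        # Step 5: only the enrolled device may answer, and only in time.
        txn = self.held[txn_id]
        if txn.status is not Status.PENDING:
            return txn.status
        if self.clock() > txn.deadline:
            txn.status = Status.EXPIRED
            return txn.status
        enr = self.enrolled[txn.card]
        if not hmac.compare_digest(device_id.encode(), enr.device_id.encode()):
            return txn.status          # reply from another device is ignored
        if not approve:
            txn.status = Status.DECLINED
        elif hmac.compare_digest(_pin_hash(pin, enr.salt), enr.pin_hash):
            txn.status = Status.APPROVED
        else:
            txn.bad_pins += 1
            if txn.bad_pins >= self.MAX_BAD_PINS:
                txn.status = Status.DECLINED
        return txn.status

    def release_to_bank(self, txn_id):
        # Step 6: fail closed. Silence, refusal and expiry all block the debit.
        txn = self.held[txn_id]
        if txn.status is Status.PENDING and self.clock() > txn.deadline:
            txn.status = Status.EXPIRED
        return txn.status is Status.APPROVED
```

The property to check in any such design is that the gate fails closed: the debit moves only on an explicit, timely approval from the enrolled device.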


About VerifySmart(TM)



VerifySmart(TM) Inc designed and developed a Proprietary Hardware/Software Solution that solves Credit/Debit Card fraud by using two Factor Authentication. The Company's Core Technology is designed to meet the needs of the Security challenged Transaction Processing Industry. Present day solutions, such as Verified by Visa, Chip and Pin and CVV Code (all which can be compromised) have not reduced payment card fraud by any significant factor. The VerifySmart(TM) solution has reduced fraud to zero in earlier production pilots. The Company's proven and highly scalable solution is gaining worldwide attention and placing VerifySmart(TM) at the forefront of the fraud prevention revolution.


Device Fingerprinting Worse than Passwords?



Are we going backwards instead of forwards in our fight against cybercrime?  Passwords are bad enough, but a study shows that people falsely believe that device fingerprinting will protect them.



I've been lamenting about the inherent weaknesses in "password" protection for well over 18 months.  Consumers know it is not safe.  But what they don't know, is that a possible replacement for passwords, something called "device fingerprinting" is just as lame. 



So I will LAMEnet some more...



Prior to bringing you the following article/study, let me provide you with  two quotes...one from Symantec and another from Avivah Litan, distinguished analyst at  Gartner Research. 







Then ask yourself.  If the problem is the browser, why introduce a so-called solution which relies on the browser?  Are we taking two steps backwards when it comes to online security?  Sure seems that way.   I think it's been proven that you don't plug a hole in a dyke by sticking your finger in it. 



Again, in order to provide a secure environment, financial transactions MUST be conducted outside the browser space.  It is NOT a recommendation.  It is FACT.  Read these two quotes, read the story and then take two steps backwards and see the forest through the trees...






"The truth is that 'fingerprint' security technology is no longer effective," said Rowan Trollope, senior vice president of product development at Symantec.   "The bad guys figured out how to get around our technology."





Speaking of device fingerprinting, Avivah Litan, a Gartner VP and analyst who focuses on financial fraud...said "the technology has limits...it's not foolproof at all," "If a cyber criminal takes over your browser, it won't work."







Editor's Note:  Got it?  Okay...here's the latest word on how we can secure online transactions!





Users Prefer Device Fingerprinting to Passwords





Study finds 70 percent of respondents say they'd be willing to have their PCs and mobile devices authenticated by an online merchant before completing a transaction.





The latest data protection and information security survey conducted by the independent Ponemon Institute suggests that consumers would be willing to let Big Brother encroach a bit on their individual computing devices in exchange for more online security and lot less memorization of pesky user names and passwords.



Of the 551 participants who responded to the Traverse City, Mich.-based researcher's online survey, 70 percent said they'd be willing to have their computers authenticated by an online merchant before purchases are completed and 75 percent of those surveyed said that computer authentication is preferred because it's more convenient than remembering passwords or answering pre-selected questions.



According to a 2007 password study by Microsoft, the average person has 6.5 Web passwords, each of which is shared across almost four different Web sites. The study also found that each user has about 25 accounts that require passwords and he or she types an average of eight passwords a day.





If this particular study and its relatively small sample size is indicative of how the majority of consumers feel, so-called device fingerprinting software and technology developed by the likes of Los Altos, Calif.-based ThreatMetrix will soon find a much larger market with e-tailers, online payment processors and even social networking and e-dating sites.



Editor's Note:  Take a step backwards here...look up...see the forest?





"Actually, I did find the responses a little surprising," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The responses were overwhelmingly positive and it's clear people are becoming more comfortable with technology that can authenticate their machines."

The idea of allowing a third-party Web site to use a software that would then report back the IP address, browser and physical location of a PC or mobile device still strikes some as an invasion of privacy.  However, the notion of divulging personal information such as a mother's maiden name or the last four numbers of a social security number apparently bothers Internet users even more.

"The thing I've learned over a number of years is that timing is everything," said Tom Grubb, vice president of marketing at ThreatMetrix. "I really feel like it's the right time for this technology."



The timing is right?  The only thing I see good timing for is to review Symantec's take on device fingerprinting one-more-time...

"The truth is that 'fingerprint' security technology is no longer effective," said Rowan Trollope, senior vice president of product development at Symantec.  "The bad guys figured out how to get around our technology."












Tyfone Awarded Electronic Transaction Card Patent



PORTLAND, Ore.--PIN Payments Blog-- Tyfone (www.tyfone.com), a global provider of mobile financial services infrastructure and fully integrated mobile NFC payments/secure transaction capabilities, today announced the company was awarded a second patent for its innovations in smart card-based electronic wallet technology.

This newest patent, US 7,581,678, is entitled "Electronic Transaction Card."

Using time-varying magnetic fields, Tyfone's patented technology enables the use of a memory card as an electronic wallet and/or the ability to use that memory card for the secure transmission of financial information. This groundbreaking technology is used in the company's u4ia® (euphoria) Mobile Financial Services platform, which completed successful beta testing in June of this year.

In the growing contactless payment marketplace, Tyfone's patented technologies and u4ia secure memory card platform enable a Trusted Service Manager (TSM) to bring scale to the ecosystem by enabling existing market-deployed handsets to become NFC ready. This leads to significant benefits to consumers and the key stakeholders such as banks, transportation companies, mobile operators and merchants, without change to the current ecosystem and without incurring significant cost to enable it.

Unlike other software-only technologies that refer to their application as an electronic wallet, Tyfone's platform includes a neutral secure element -- thereby making it a true electronic container or "wallet." This solution allows a TSM to securely manage different consumer credit, debit, transportation and pre-paid accounts for use in a wide range of payment and other secure transactions.

A key application for Tyfone's newly patented technology is using SideTap(TM) to conduct a contactless payment transaction. Using SideTap, consumers purchase goods at point of sale simply by tapping their mobile device at point of sale.

"To Tyfone, this patent is the culmination of tireless work developing a neutral solution not only as a viable implementation of NFC that can be broadly used today, but also as a truly game-changing technology," said Dr. Siva Narendra, chief technology officer at Tyfone. "As was demonstrated when initial testing was completed with the key stakeholders in the NFC value chain, Tyfone's newly patented technology brings us one step closer to a ubiquitous contactless payment reality. Tyfone's secure memory card technology is out of the R&D lab, has been tried and tested and is ready for the next stage in evolving the stakeholders' existing business models into new revenue opportunities."

"Enabling near field communications without requiring design changes to the handset is the fastest way to proliferate contactless applications," said Patrick Gauthier, who launched Visa Paywave and is now CEO of SMC Advisors, a management consulting firm focused on emerging payments, mobile and e-commerce businesses. "Tyfone's technology is critical to jump start NFC by providing a packaging that is familiar to the consumers, delivering a neutral secure element that is appropriate for banks and service providers, and enabling a new class of use cases that can drive revenue for operators."

About Tyfone:

Tyfone connects money and mobility via a highly secure, scalable and flexible Mobile Financial Services (MFS) infrastructure that is tailored to meet the evolving needs of mobile network operators, transportation agencies, retailers and financial institutions. With its complete MFS platform and global alliance partners, Tyfone is uniquely qualified to deliver issuer-centric turnkey solutions with fully integrated contactless payments capabilities. To discover why Tyfone is becoming the partner of choice for MFS technologies to many of the world's leading organizations, please visit www.tyfone.com.

Tyfone
Carol Grunberg, +1 503-546-9364
carol.grunberg@tyfone.com