Internet Retailer conducted a study by email in which 92 "web only" merchants and other retailers participated; here are the findings:

Though 72 percent of internet retailers plan to purchase e-commerce applications or services this year, they'll be spending less than they expected to spend last year, according to Internet Retailer's latest survey on e-commerce technology spending intentions (via Retailer Daily).

A whopping 73.6 percent of respondents say they plan to increase those budgets 15 percent or less, compared with 49.4 percent of respondents last year who said so; moreover, about half (47.2 percent) say they plan to increase those budgets 10 percent or less, the survey found. Below, additional findings from Internet Retailer's survey.

The top spending priorities of online merchants:

Replacing outdated e-commerce platform: 28 percent
Miscellaneous apps: 20.5 percent
Content management system: 11.9 percent
Web analytics: 11.8 percent
Order management system: 8.2 percent
Site search software: 6.8 percent

Among the top new website features or applications to be implemented:
Customer reviews and ratings: 35.5 percent
Inventory availability tools: 34.2 percent
Blogs, forums or videos: 32.9 percent
Streamlined navigation using Web 2.0: 26.3 percent
Mouse-over tools: 25 percent


Most online merchants, however, intend to keep their current platforms and applications:

67.1 percent intend to keep their rich media applications.
61.7 percent don't intend to replace their web analytics software.
55.2 percent will continue to use their present content management system.
55.2 percent don't plan to buy site search software or service.
52.6 percent will stick with their current order-management system.
46 percent plan to keep their in-house or third-party platform.

Other highlights from the survey:

At two-thirds (67.1 percent) of e-retail companies, the official with the final word on tech purchases is the CEO; next are the CIO (9.2 percent) and CMO (6.6 percent).

The annual e-commerce tech budget is $50,000 or less at 51.4 percent of online retailers; that budget at 27 percent of retailers ranges from $50,001 to $200,000; 9.5 percent have budgets of $200,001 to $999,999; 5.4 percent have $1 million to $2.5 million; and 6.7 percent have budgets of more than $2.5 million.

51.3 percent of the surveyed retailers don't plan to hire a consultant or other third-party help for a major technology upgrade in 2008.

73.7 percent run their own internal fulfillment program. Among the remainder that do outsource fulfillment, 65 percent plan to keep their third-party provider.

About the study: The survey was emailed in early June to subscribers of IRNewsLink, Internet Retailer's e-newsletter; responses were collected and analyzed by Vovici Corp.; 92 web-only merchants, chain retailers, catalog companies and consumer brand manufacturers took part in the survey.

Related: Investment in the web by big retailers will increase even more as top executives at the largest retail chains become more aware of the power of the web in driving multi-channel sales, says Kasey Lobaugh, direct-to-consumer practice leader at consultants Deloitte LLP.

Many retailers today, he says, don’t realize that store sales preceded by visits to retail web sites account for about 20% of sales and online-only sales for another 7%, accounting for 27% of total sales in one way or another driven by the web.

“Today, most retailers only see it as a 93%-7% split, where the 93% of sales are in stores and 7% online; they don’t realize that 20% of store sales are influenced by the web,” Lobaugh says.

But that mindset is changing fast among senior retail executives, he adds, especially as the percentage of total sales driven directly or indirectly by the web grows to about 50% over the next few years. “CEOs will soon recognize that what they thought was 7% of sales driven by the web is actually about 50%, so there is going to be a big shift in investing in a web-focused multi-channel retailing environment,” Lobaugh says.

Posted by John B. Frank Friday, August 29, 2008 0 comments

Times...they are a-changing. In the past, telemarketers would call and try to get us to "buy" something. Now there's a group who wants to call you AFTER you "buy" something. Actually they plan to send an SMS to cellular phones or PDAs every time a credit/debit/ATM card is registered with them and subsequently used for a transaction. They are essentially pitching what they have to offer as a Value Added Service Provider (VASP). Rather than selling "ring tones", they are, instead, trying to "cell" notifications of credit/debit/ATM card use. Initially it sounds like it has a ring to it, but I don't know what to think of this idea quite yet.

What I do know is that the iPhone's OS has a security hole which can expose private information. (The flaw, a simple two-step trick performed directly from the iPhone's password-protected interface, gives full access to a user's contact list, e-mail and text messages, including all SMS's.) See: Huge Security Flaw Puts All Private Information At Risk - Gizmodo

The other question I would pose, in order to determine the viability of the idea, is how much each SMS would cost the end-user. If it costs, for example, 50 cents for each transaction notification, a $25 transaction would effectively carry a 2% discount rate. Here's a tip...for that money, banks could offer a "Transaction Insurance Protection Plan" (see, I told you I'd give them a TIPP...). Here's their press release:

MIAMI, Aug. 28 /PRNewswire/

Ivan Ochoa and Daniel Davila, executive members of the newly-created company C.N.S.C. (Charge Notification Services Corp.) are launching their proprietary and patented credit, debit card and ATM transaction security service in the United States.

The premise of the C.N.S.C. service is to put the cardholders in control of their own identity security by instantly advising them via SMS (Short Message Service) to their cellular telephones or PDAs each time a charge or withdrawal from a C.N.S.C. covered card is made.

With the proliferation of cellular phones, this service is expected to reduce credit and debit card fraud significantly for individuals or companies who choose the coverage. Credit card fraud in the United States has increased in terms of total losses and is expected to continue growing, according to studies conducted by The Nilson Report.

A Cybersource report indicates the same escalating trend in e-commerce transactions, surpassing the two billion dollar mark for 2007. Those affected by fraudulent activity include the card user, who may spend months trying to clear up an unauthorized transaction; the financial institution issuing the credit or debit card, as each time a fraudulent transaction is detected several time-consuming steps must be taken by staff, making it an expensive proposition for banks and issuers; and ultimately the merchant accepting the fraudulent charge, as in most cases the charge-backs are a direct loss to them. "The result of this is that society at large loses, even those who do not use credit or debit cards, since it makes every product and service more expensive. It is a zero sum game in which those who operate within the law lose out," stated C.N.S.C. E.V.P. and Chief Operations Officer Daniel Davila.

Referring to the most recent large-scale credit card fraud cases, C.N.S.C. Chief Executive Officer Ivan Ochoa comments: "We know that merchants have been slow to advise cardholders of fraudulent activity and that despite the existing firewalls and algorithms developed to detect abnormal usage patterns, the technology exists that allows criminals to access card numbers, as well as social security and drivers license information. Fraud has become everyone's problem, and consequently, everyone's responsibility. We are confident that with a minimal investment on the part of card issuers and the cooperation of cardholders, we can overcome this pernicious social and economic predicament affecting us all."

Messrs. Ochoa and Davila have a combined five decades of experience in the financial services industry. Mr. Davila's background includes 16 years at American Express where he was a Senior Director within the Global Network Services (GNS/Franchise) division and more recently, two years as Vice President and Chief Risk Officer of the credit card division at Russian Standard Bank (RSB) in Moscow. While at RSB, Mr. Davila launched a similar SMS credit card fraud protection service with great success, resulting in an overall significant reduction of fraudulent transactions. Mr. Ochoa's 25 years in the financial services industry include executive positions within American Express and MasterCard International, where he was Chief of Staff for Latin American countries. His areas of expertise include managing operations for multi-markets, re-engineering, quality control and technology. Mr. Ochoa has led major innovative developments in products and systems.

SOURCE Charge Notification Services Corp.

Posted by John B. Frank 0 comments

There's been a lot of press relating to the 40 million card breach and the subsequent arrest of the Hacker's 11. In fact, I've done several posts on it myself.

It was all done by something called "wardriving" (see WarDriving 101), which involves driving through areas with a laptop searching for accessible wireless Internet signals, and then tapping into those systems to install "sniffer programs" that capture credit and debit card numbers as they move through a retailer's processing networks.

Perhaps the worst part of this is that nothing can be done to prevent it from happening again. Members of the international stolen credit and debit card ring, which included some U.S. citizens, were locked up -- but you can't lock up a technique. As long as there's WEP, there's theft.

As I mentioned yesterday, the financial community is heavily regulated (see yesterday's post "PCI, PCIDSS 101") to protect consumers' data, which is encrypted by law and industry agreement. No one "purposefully" shortcuts that process. But the crooks found a way to insert a data sniffer into the system so that by the time cards were swiped and the information was released from the point-of-sale device, the information already had been snagged.

The industry will devise a solution. But in what amounts to a digital arms race, criminals will figure out a way around it. The Center for Democracy and Technology advises consumers that, as more and more of their lives are processed online, they must take more responsibility as they are handing over personal and financial information.

Editor's Note: I personally think the solution lies in "NOT handing it over at all" but instead using HomeATM's Personal PIN Pad for online purchases. The fact is: any time you type in your credit/debit card number, you are ripe for hacking. There are myriad methods to do it, and more and more on the way every day. Maybe we can get the environmentalists to go after the keyloggers or at least have the owls spot them... Seriously, though, entering your credit card information via a keyboard on a PC is asking for trouble. This is why I have spent a lot of time trying to make the case for a personal PIN Entry Device. (See Reverse Matriculation, Bring the Device Home)

HomeATM is working vigilantly on creating and putting forth a program that will get their Personal PIN Entry Device into the hands of as many consumers as possible. We believe it won't be long before that happens and millions of consumers have one. However, in the meantime, if you absolutely feel the need to purchase something online, keep these two rules of thumb at the forefront of your awareness:

1. When typing in a credit card number, make sure the web page is secured (or at least more secure), as indicated by "https" in the URL, the "s" standing for "secure."

2. Do not enter your financial or personal information while using a wireless network. Someone could be sitting outside of Starbucks with a program that is sniffing the information typed into your keyboard and stealing that (and your buck$) right out of thin air.


Those crooks thank their lucky stars that your bucks don't stop there... thank yours that it won't be long before you can be the proud owner of your own personal HomeATM!

Posted by John B. Frank Thursday, August 28, 2008 0 comments

CheckFree released the results of an annual Consumer Banking and Bill Payment Survey that they sponsor and according to their release, "more Americans than ever, an estimated 63.1 million households or three-fourths of those online, are paying their bills online rather than writing paper checks."

The Consumer Banking and Bill Payment survey has been conducted annually since 2002 by CheckFree Consumer Insights, a consumer research and data analytics unit of Fiserv focused on tracking the latest online banking, billing and payment trends. What follows is additional information – including charts, survey findings and a complimentary prerecorded webinar – about the 2008 Consumer Banking and Bill Payment Survey.

Additional Survey Findings

Among younger respondents under age 45, 57 percent considered the environment as an important reason why they use online billing and payment, compared to 44 percent among those in the 45-and-older age group.

Fifty-five percent of those living in the Western United States cited environmental concerns as a key motivation for online bill payment adoption versus 49 percent for other regions.

Major credit cards (48 percent) were the most frequently cited e-bills received and paid at online banking sites, followed by cable or satellite television (42 percent), cellular phone (41 percent), electricity (38 percent) and local telephone (34 percent).

Fifty-four percent of respondents who were aware their online banking site offers e-bills said they receive at least one e-bill, while 46 percent do not. The most appealing features of e-bills were due-date reminders, convenience and assurance that bills are never paid late.

E-bill recipients were 45 percent more likely to report being extremely satisfied with their bank or credit union than non-e-bill users. Fully half of e-bill recipients said their experiences with e-bill had made them less likely to switch financial institutions in the future. E-bills are electronic representations of paper bills that are securely delivered directly to a business or financial institution Web site. With e-Bills, consumers can review balances, transactions and all other details available in paper bills, and schedule payments with just a few clicks of the mouse.

Overall, 67.9 million households, or 80 percent of the estimated 85.1 million U.S. online households, use online banking services, up from 63.4 million in the 2007 survey. [See Chart: Consumers’ Online Banking Usage Mirrors Internet and Broadband Trends.]

Those living in Western (83 percent penetration) and Southern (81 percent penetration) states were more likely to adopt online banking than those in the Northeast (78 percent) and Midwest (78 percent).

Respondents identified 24/7 access to account balances, time savings and better organization of their finances as the most important benefits of conducting banking activities online.

Watch Recorded Webinar

In this complimentary webinar, "Consumer Billing and Payment Trends," senior researchers from CheckFree Consumer Insights discuss compelling findings from this year's Consumer Banking and Bill Pay Survey and David Baron, vice president of Financial Research Services for Harris Interactive, provides insights into what made the survey successful.

Posted by John B. Frank 0 comments

Here's a comprehensive article explaining the Payment Card Industry Security Standards Council requirements pertaining to protecting cardholder data. The article, written by Jeff Kress from NewsFactor.com, does a good job of putting PCI, a subject many consider confusing, into better perspective.

"Any firm that stores, processes or transmits credit card data should comply with security standards or risk great losses. Whether we buy goods online or in a store, credit card purchases are a way of life.  Some may worry about transactions over the Internet, but they generally assume credit card data and related personal information with merchants are secure. But are they?

According to analysts, financial fraud surpassed all forms of computer losses in 2007. The most noted credit card loss was with TJX (parent company of HomeSense and Winners) in 2006. The security breach resulted in the loss of 45 million credit- and debit-card numbers. The TJX losses reportedly will exceed US$1 billion. The breach was due to inadequate security controls. In addition, TJX may have also lost customers' personal information such as drivers' license numbers. The problem is that TJX is not alone: many merchants have inadequate controls to protect credit card information.

To address financial fraud, major credit card companies created an organization, the Payment Card Industry Standards Council (PCI). Its goal was to set standards to enhance the security of credit card payment data. The result is the Payment Card Industry Data Security Standard (PCI DSS).

Merchants that store, process or transmit cardholder data must comply with the PCI standard. Reports indicate that larger-merchant compliance is improving. On January 22, 2008, Visa reported that as of the end of 2007, 77 percent of large merchants and 62 percent of medium-sized merchants were PCI compliant. These are big improvements compared with the previous year, when less than 20 percent of large and medium-sized merchants were deemed compliant. These two categories represent approximately two-thirds of Visa's transaction volume. However, smaller merchants and government agencies are slower in adhering to PCI requirements.

PCI requires merchants to verify compliance with the data security standard. A merchant's credit card transaction volume determines what compliance validation steps are followed. Larger merchants are required to have annual on-site audits and network scans performed quarterly by certified assessors. Smaller merchants may only be required to do self-assessments. The merchant levels differ between the credit card companies so one should refer to the merchant agreement for specific requirements. Although compliance validation requirements differ, all merchants that store, process or transmit cardholder data, regardless of size, are required to comply with all aspects of the PCI standard. Failure to do so may result in a merchant being fined and/or terminated from the processing services.

Not complying with PCI requirements can be costly. If a merchant's systems are breached, the merchant is responsible for all costs associated with inappropriately used credit cards. The merchant is also required to pay all costs associated with informing consumers, canceling outstanding credit cards, issuing new credit cards and forensic audit costs. Analysts have set the costs of credit card breaches at between $100 and $300 per credit card record. A breach can result in a loss of merchant reputation, lost customers or customer lawsuits. Credit card companies can also issue fines for noncompliance even if no breach is detected. To prevent such costs, merchants need to comply with the PCI standard.

PCI Standard's Objectives

Build and maintain a secure network. Most merchants think their credit card systems are secure. But in the context of PCI, what is a credit card system? The PCI standard considers any network, server or application connected to the systems that store, process or transmit to be the credit card systems. PCI compliance on such a large scale can be difficult to achieve. The solution is to set up the credit card systems so they are isolated from other merchant systems.

The PCI standard identifies two primary requirements for building and maintaining a secure network. The first is to install and maintain a firewall configuration to protect cardholder data. Firewalls must protect all credit card systems from external access. In addition, the PCI standard identifies the need to change vendor-supplied defaults for system passwords. Systems that have not changed default settings and vendor-installed passwords are common compliance violations.

Protect cardholder data: Keep cardholder data stored to a minimum. Stored credit card information needs to be protected using strong encryption standards. A common violation occurs when merchants store the magnetic stripe data from a credit card. The data contains all the information a criminal needs. Such information should never be stored. PCI information suggests that most merchants are unaware that their systems were storing the complete magnetic stripe data.

Maintain a vulnerability management program: It is important to protect systems against such threats as a computer virus. Also, follow appropriate processes for making changes to systems. Merchants that collect credit card information from e-commerce Web sites need strong security processes to develop and monitor the Web sites. Weaknesses include missing and outdated security patches. Also, Web applications often have weaknesses that are accessible by anyone on the Internet.

Implement strong access control measures: Limit access to cardholder information on a need-to-know basis. Bad practices such as group sharing of user accounts, not changing passwords regularly or not having minimum password standards are not acceptable. Other weaknesses include inadequate access controls due to improperly installed merchant point-of-sale equipment. While credit cards are typically stored on systems, the PCI standard requires strong physical controls in merchant facilities.

Regularly monitor and test networks: Merchants need to track and monitor all access to network resources and cardholder data. This requires logging and monitoring systems on a timely basis. All credit card systems need to be regularly tested. The requirements in the PCI standard are explicit and detailed. For example, perform vulnerability assessments at least quarterly or after any significant change to the network. Test credit card systems annually. This includes annual penetration testing on both the network and application layer. The standard also requires effective intrusion detection systems to alert staff to possible security breaches. A lack of effective monitoring is a weakness. Merchants often find it difficult to meet the PCI standard requirements for monitoring and testing their networks. Segmenting the network to isolate the credit card systems will reduce the time and costs associated with meeting these requirements.

Maintain an information security policy: Merchants need a strong security policy that sets the tone for the whole company. Staff awareness processes need to ensure employees are aware of their responsibilities. Many security breaches are caused by staff who are unaware of their role in keeping the company's data secure.

So what happens if a merchant can't meet a specific PCI requirement? The standard allows merchants to implement compensating controls. Merchants need to show that the compensating control effectively mitigates the risk addressed by the PCI standard.

The PCI Data Security Standard sets security and monitoring requirements that far exceed some merchants' existing capabilities. Smaller merchants would like to have the standard reduced to reflect their size. However, for now, merchants that store, process or transmit cardholder data must comply with the standard.

There are many articles on PCI and the Data Security Standard. However, the best source for guidance and materials is the Payment Card Industry Security Standards Council Web site at: https://www.pcisecuritystandards.org/index.htm. Merchants should also refer to their respective merchant agreements for guidance.

A common misconception is that smaller vendors are not required to be PCI compliant. Some think not being compliant is OK as long as they continue to make progress. That's what credit card firms reportedly told TJX before it was breached. That did not prevent TJX from facing losses that could reach billions of dollars. So make sure you and your clients take steps to protect credit card data before harm occurs to your firm or clients' reputation, before customers are lost and before fines and litigation start."
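The "protect cardholder data" objective above turns on two concrete rules: never store full magnetic-stripe (track) data or the card verification code after authorization, and display no more than the first six and last four digits of a card number. As an added example, not from the article or the PCI Council, here is a small audit scan a merchant could run over stored records to flag exactly those violations and produce a sanitized copy; the record lines and card numbers are constructed test data.

```python
import re
from typing import Dict, List, Tuple

# ISO 7813 track layouts: track 1 is "%B<PAN>^<NAME>^<YYMM><SVC>...?",
# track 2 is ";<PAN>=<YYMM><SVC>...?".  PCI DSS forbids storing either.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# A verification code stored next to a labelled field (also forbidden).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b")
# Candidate primary account numbers: 13-19 digit runs not bordered by digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters order ids and timestamps out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> Dict[str, object]:
    """Return what sensitive data a stored record holds and a sanitized copy."""
    findings: List[str] = []
    sanitized = record
    # Track data is removed outright; it should never have been written.
    for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        if rx.search(sanitized):
            findings.append(name)
            sanitized = rx.sub("[%s REMOVED]" % name.upper(), sanitized)
    if CVV_RE.search(sanitized):
        findings.append("cvv")
        sanitized = CVV_RE.sub(r"\1=[REMOVED]", sanitized)

    def _mask(m: "re.Match[str]") -> str:
        pan = m.group(1)
        return mask_pan(pan) if luhn_valid(pan) else pan

    masked = PAN_RE.sub(_mask, sanitized)
    if masked != sanitized:
        findings.append("pan")
    return {"findings": findings, "sanitized": masked}


def audit(records: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every record that violates the storage rules."""
    out: List[Tuple[int, List[str]]] = []
    for i, rec in enumerate(records):
        result = scan_record(rec)
        if result["findings"]:
            out.append((i, result["findings"]))  # type: ignore[arg-type]
    return out


# Constructed sample records; 4111111111111111 and 5555555555554444 are
# well-known test card numbers, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 pan=411111******1111 amount=25.00",            # already masked
    "order=1002 pan=4111111111111111 amount=40.00 cvv2=123",   # full PAN + CVV
    "swipe=;5555555555554444=25121011234567890? terminal=07",  # track 2 stored
    "raw=%B4111111111111111^DOE/JANE^2512101123400000000?",   # track 1 stored
    "order=1003 ref=20080827123456 amount=10.00",              # 14-digit ref, not a PAN
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_RECORDS):
        print("record %d: %s" % (idx, ", ".join(findings)))
        print("  sanitized: %s" % scan_record(SAMPLE_RECORDS[idx])["sanitized"])
```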

Posted by John B. Frank Wednesday, August 27, 2008 0 comments

There's PCI, and then there's just plain ole' PC. What are several million records doing on a laptop in the first place? And why would the National Bank of Scotland employ a "third party" archiving company that sells its used laptops containing personal data on eBay? I found a good article on PCI and I'll post it next, but first this amazing faux pas...

When Andrew Chapman bought a PC on eBay for about $150, he didn't expect the added bonus -- the personal records of millions of customers of a major international bank.

Chapman says he found "several million" personal records on the PC. The records, which belonged to the National Bank of Scotland, its NatWest subsidiary, and American Express, had been stored on the machine by a third-party archiving company, according to news reports about the eBay purchase of the National Bank of Scotland data. 

The data includes account details, and in some cases, customers' signatures, mobile phone numbers, and mothers' maiden names, Chapman says. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. "The information was in back-up CDs and in ISO files, so it would have been possibly quite easy to find if you know something about computers," he said.

A spokeswoman for data processing company Mail Source, which is part of the archiving firm Graphic Data, said it was investigating how the computer equipment had been removed from a secure location. "The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed," she said. Spokespeople for Graphic Data, the banks, American Express, eBay, and U.K. law enforcement agencies all expressed concern about the incident and said they would begin an investigation as soon as Chapman gives the computer back to Graphic Data.

Posted by John B. Frank 0 comments

In what looks to be an unabashed plug of Verified by Visa, the payments industry behemoth recently polled the online shopping plans of Canadians and found the following:

TORONTO, ONTARIO, Aug 27, 2008 (MARKET WIRE via COMTEX)

Almost one-third of Canadians in need of books, computers and back-to-school supplies will avoid the hustle and bustle of traditional shops in favour of the World Wide Web this year.

According to an August 2008 survey commissioned by Visa Canada(i), 13 percent of Canadians are planning to shop online between now and Labour Day and, of those, 40 percent plan to spend more online than in the same period last year.

With the average estimated online spend before Labour Day totalling $881, survey respondents said they were turning to the Internet because of its convenience (41 percent), better prices (41 percent) and superior selection than brick-and-mortar retailers (31 percent).


While restocking backpacks and lockers is one reason to turn to the computer, Canadians shopping online also planned to purchase travel (45 percent), computers or electronics (41 percent) as well as fall and winter clothing (32 percent).

"It's interesting to see the variety of goods Canadians plan to buy online," said Zack Fuerstenberg, Director, New Channels, Visa Canada. "Last year when we conducted similar research, half of respondents were only planning to purchase books."

Fuerstenberg continued by pointing out that the categories of merchandise most attractive to online shoppers are mirrored by the types of merchants that participate in the Verified by Visa(R) program. "Air Canada, Dell, Best Buy, Future Shop, West Jet, Via Rail, Telus and Aldo are all participating in the program along with 2,000 other participating Canadian merchants."

The Verified by Visa service, which is supported by Visa-issuing financial institutions and participating merchants, works through the use of a personal password and helps ensure that purchases made online with a Visa(R) card are made by the actual cardholder. Free for consumers, the Verified by Visa program has been adopted by more than 200,000 merchants and 378 million Visa cardholders around the world. Canadian Visa cardholders can sign up for this program at their Visa card issuer's website, through visa.ca or when shopping at participating merchant websites.

The Verified by Visa service is just one of Visa's multiple layers of security in the eCommerce channel. Another layer that helps protect online merchants and cardholders shopping via the Web is the "three-digit code," or CVV2, which is the number printed on the signature panel on the back of a Visa card. It helps to prove to the merchant that the cardholder has the card in his or her possession when ordering online or over the phone. AVS, or the Address Verification Service, helps ensure that the person making a purchase with a Visa card is the same person who receives the Visa card's monthly statement. Merchants begin the process by matching the address provided by the cardholder during check-out to the billing address the Visa card issuer has on file.

(i)For the Visa Back-to-School Shopping Survey, a total of 1005 respondents were interviewed during the period between August 6th - 10th, 2008. The margin of error is +/-3.09% at 95%.

Posted by John B. Frank 0 comments

Finds No Conspiracy Between Visa and MasterCard

Purchase, NY. - MasterCard Worldwide said it is pleased that Judge Barbara S. Jones narrowed the scope of Discover’s antitrust case against MasterCard by granting certain aspects of MasterCard’s summary judgment motion.

In particular, Jones found that despite Discover’s assertions, there is no evidence of a conspiracy between MasterCard and Visa. She also dismissed Discover’s debit-related claims against MasterCard.

In dismissing Discover’s claims of an inter-association conspiracy between MasterCard and Visa, the court’s decision recognizes the intense competition between MasterCard and Visa, which benefits consumers in the form of innovative products and programs.

Further, Judge Jones limited the scope of the trial by dismissing Discover’s debit-related claims against MasterCard. In granting MasterCard’s motion, the Court recognized that Discover failed to establish that MasterCard’s Competitive Programs Policy (CPP) somehow excluded Discover from offering debit cards. This is not surprising, since the CPP only applied to credit and charge cards, not debit cards.

MasterCard said it is disappointed that the Court granted aspects of Discover’s summary judgment motion seeking to apply collateral estoppel in its claims against MasterCard, but pleased it rejected Discover’s attempt to obtain broader findings. Collateral estoppel is the application of certain findings in one lawsuit to a subsequent one. 

However, in no way does Judge Jones’ ruling change the fact that Discover will have to establish that MasterCard and Visa, rather than its own business decisions, caused the damages it alleges. The jury will be able to fully evaluate all evidence concerning Discover’s damages claims, and MasterCard looks forward to demonstrating the weaknesses of those claims in court.

For example, public results of Discover’s business performance after the CPP was withdrawn show that Discover has not seen any increase in its overall percentage of the credit card volume share from third-party issuance. This real world evidence highlights the weakness of Discover’s claim that the CPP damaged Discover by preventing Discover from entering into third-party issuing relationships. Indeed, the most recent results show that Discover’s overall credit card volume share—including both Discover-issued and bank-issued Discover cards—actually declined from 5.46% in 2006 to 5.33% in 2007.

A further demonstration of the weakness of Discover’s damages claim is the testimony of Discover’s own executives, who had testified before and during the DOJ case that the repeal of the CPP would hurt their company, and create a situation where Discover would not be able to build volume by attracting third-party issuers.

Visa responded to Judge Jones' ruling as well with the following release:

"Visa is pleased that the court resolved several disputes in this case at this stage. Among other things, the court:
  • Dismissed Discover's claims of debit monopolization against Visa; and
  • Rejected Discover's allegations of an inter-association antitrust conspiracy between Visa and MasterCard.

"As a consequence of these summary judgment rulings, Discover cannot challenge the legality of the agreements Visa has signed with its debit issuance partners. As such, it is unlikely the Discover litigation will have a significant impact on Visa's ongoing business operations.

"In addition, the court granted collateral estoppel on a limited number of issues that were determined in an earlier, related lawsuit. This ruling, however, does not establish all the elements of Discover's claims. Discover must still prove the remaining elements of its case and any damages at the upcoming jury trial.

"Visa believes it will be clear to a jury that it is Discover's own business model and decisions - not the actions of competitors - that have limited its options in the marketplace. Discover has been free to engage in bank issuing partnerships since 2004, but has yet to demonstrate that it can do so in a meaningful way.

"Although we expect Discover will be unable to prove the level of damages that it seeks in this case, Visa remains committed to resolving legal challenges in a manner that allows us to remain focused on our business activities. To that end, as part of the Visa Inc. restructuring process, the company developed a retrospective responsibility plan that addresses potential liability in certain U.S. litigation ("covered litigation"), including the Discover case. Additional information regarding the company's retrospective responsibility plan is available in the company's Final Prospectus, dated March 18, 2008, at http://www.sec.gov/."

Posted by John B. Frank Tuesday, August 26, 2008 0 comments

This year US travel sales booked online will reach $105 billion, up 12% from 2007 according to http://www.emarketer.com/
According to the graphic, illustrated on left, it will continue to grow.

eMarketer forecasts that US online leisure and unmanaged business travel sales (including airline, hotel, rental car, vacation package, intercity rail and cruise) will reach $105 billion. Furthermore, from 2007 to 2012, sales will increase at an 11.6% average annual rate. Even though online travel sales are growing, fewer travelers are booking their trips online.

"The fact that fewer travelers are booking online is not due to economic concerns—online travel bookers are an affluent demographic—it is caused by frustrations related to the planning and booking capabilities of online travel agencies," says Jeff Grau, senior analyst at eMarketer and author of the new report, US Online Travel: Planning and Booking. "This, in turn, is spurring a renewed appreciation for the expertise and personalized services offered by traditional travel agents."

In other words, online travel sites are steering customers back to offline travel agents—a complete turnaround of what has been happening in the category for the last decade.

"Not so long ago industry observers cast traditional travel agents as has-beens," says Mr. Grau. "Perhaps this has helped them to focus on what they do best: provide travel expertise and personalized service." Customer dissatisfaction with online travel agencies (OTAs) stems specifically from unfriendly booking engines and navigation tools. With few points of differentiation, OTAs have a hard time building customer loyalty and have driven travelers right into the open arms of traditional travel agencies—and new online competitors. "Mired in old technology, the OTAs have failed to keep pace with a newer and more innovative breed of travel Websites built around user-generated content," says Mr. Grau. Online travel communities are emerging to carry the torch of innovation.

"In addition, a new breed of matchmaking travel sites is bringing traditional travel agency talent online," says Mr. Grau. "Sites like Zicasso and Tripology help travelers to exotic locales find travel agents tailored to their interests and needs."

Posted by John B. Frank Monday, August 25, 2008 0 comments

Eight million people at risk of ID fraud after credit card details are stolen by hotel chain hackers


Security breach: A Best Western Hotel in Amsterdam

Up to eight million people are at risk of ID fraud after a hacker breached the security system of the world's largest hotel chain. An Indian hacker broke into the IT system of Best Western Hotel Group and stole personal details of everyone who has stayed there in the past 12 months. The details, which included home addresses, phone numbers, place of employment and credit card details, were sold on through an underground network controlled by the Russian Mafia.

The information is thought to be worth up to £2.8billion. Experts say that if it falls into the wrong hands it could spark a 'major crimewave'. 'They've pulled off a masterstroke here,' said security expert Jacques Erasmus, an ex-hacker who now works for the computer security firm Prevx.

He added: 'There are plenty of hacked company databases for sale online but the sheer volume and quality of the information that's been stolen in the Best Western raid makes this particularly rare. 'The Russian gangs who specialise in this will have been exploiting the information from the moment it became available. In the wrong hands, there's enough data there to spark a major European crimewave.'

Best Western became aware of the theft on Thursday night. It instantly disabled the log-in account from which the information was stolen, but not before the details of millions of people had been removed. Tim Wade, head of marketing for Best Western in Britain, said it was 'unlikely' the thieves got details of every booking in Europe because of the way their system worked. He added: 'We are investigating further and working with our credit card partners to ensure the interests of our guests are protected.' Last night a statement on the Best Western website said it did not believe British customers had been affected.

Posted by John B. Frank 0 comments

Fraud has taken its toll on the public transportation industry, which has seen a flurry of activity regarding recent hacks on its RFID-based card programs.

First there was the Oyster Card hack in London, followed by the Massachusetts Bay Transportation Authority's "Charlie Card," which was hacked by 3 MIT students ("Sorry Charlie...You've Been Hacked!"). Now it appears that the RFID-based FasTrak, I-Pass and E-Z Pass tollway systems are easily hackable as well.

Here's a story published in MIT's Technology Review:

Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA. Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."

Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. But this would require changes by MTC. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll.

There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.

Ross Anderson, a professor of security engineering at Cambridge University, in the U.K., says that "very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them."  Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. "One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it's too late and they get attacked," he says.

Bruce Schneier, chief security technology officer at BT, based in Mountain View, CA, says that it is too easy for companies to get away with lousy computer security. "Honestly, the best way is for the transportation companies to sue the manufacturers," he says. "Then they'll think twice about selling shoddy products in the future."
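The reader-transponder authentication Lawson calls for, and the on/off "privacy kit" idea, as an added example that is not code from the Technology Review article, Root Labs or FasTrak. It contrasts a static-ID tag (any device that knows the ID is accepted) with an HMAC challenge-response tag that must hold a per-tag secret; all identifiers, keys and message formats are constructed for the demonstration.

```python
"""Toy model of the two transponder designs discussed in the article.

Constructed example: not FasTrak's protocol, Root Labs' code or any vendor
implementation. A LegacyTag answers every query with a static ID, so any
device that knows the ID is accepted. An AuthTag proves possession of a
per-tag secret with an HMAC over a fresh reader challenge, so knowing the
ID or having overheard an earlier exchange is not enough.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

DOMAIN = b"toll-auth-v1|"  # constructed domain separator for the MAC


def tag_mac(key: bytes, tag_id: str, challenge: bytes) -> bytes:
    """MAC binding the tag identity to this reader's one-time challenge."""
    return hmac.new(key, DOMAIN + tag_id.encode() + b"|" + challenge,
                    hashlib.sha256).digest()


@dataclass
class LegacyTag:
    """Static-ID design: the ID is the whole credential."""
    tag_id: str

    def respond(self, challenge: bytes) -> Optional[dict]:
        return {"id": self.tag_id}  # the challenge is ignored


class LegacyReader:
    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def authenticate(self, tag) -> bool:
        resp = tag.respond(b"")
        return resp is not None and resp.get("id") in self.enrolled


@dataclass
class AuthTag:
    """Challenge-response design; `enabled` models a user-controlled off switch."""
    tag_id: str
    key: bytes            # provisioned at issuance, never sent over the air
    enabled: bool = True

    def respond(self, challenge: bytes) -> Optional[dict]:
        if not self.enabled:
            return None   # a switched-off tag is silent to every reader
        return {"id": self.tag_id, "mac": tag_mac(self.key, self.tag_id, challenge)}


class AuthReader:
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys  # back-end key store, one key per enrolled tag

    def authenticate(self, tag) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per read; defeats replay
        resp = tag.respond(challenge)
        if resp is None:
            return False
        key = self.keys.get(resp.get("id"))
        if key is None:
            return False
        expected = tag_mac(key, resp["id"], challenge)
        return hmac.compare_digest(expected, resp.get("mac", b""))


@dataclass
class ReplayingDevice:
    """Knows the genuine ID and one overheard response, but holds no key."""
    captured: dict

    def respond(self, challenge: bytes) -> Optional[dict]:
        return dict(self.captured)  # can only repeat what it saw


def run_scenarios() -> Dict[str, bool]:
    """Run both designs against a genuine tag and ID-only copies."""
    tag_id = "TAG-0001"                # constructed identifier
    key = secrets.token_bytes(32)

    legacy_reader = LegacyReader([tag_id])
    auth_reader = AuthReader({tag_id: key})
    genuine = AuthTag(tag_id, key)
    overheard = genuine.respond(secrets.token_bytes(16))  # one earlier exchange
    return {
        "legacy_genuine": legacy_reader.authenticate(LegacyTag(tag_id)),
        "legacy_id_copy": legacy_reader.authenticate(LegacyTag(tag_id)),  # indistinguishable
        "auth_genuine": auth_reader.authenticate(genuine),
        "auth_replay": auth_reader.authenticate(ReplayingDevice(overheard)),
        "auth_wrong_key": auth_reader.authenticate(AuthTag(tag_id, secrets.token_bytes(32))),
        "auth_disabled": auth_reader.authenticate(AuthTag(tag_id, key, enabled=False)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:16} accepted={ok}")
```

The legacy reader accepts the ID copy exactly as it accepts the genuine tag, which is the weakness the article describes; the challenge-response reader rejects the replayed response and the wrong-key tag, and a disabled tag simply never answers.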

Posted by John B. Frank 0 comments

European Payment Council clears up Sepa for Cards confusion


The European Commission and the European Central Bank have welcomed a document published by the banking industry-backed European Payment Council that paves the way for a competitive single market for payment card schemes by 2010.

The document, which takes the form of a Q&A, clarifies key aspects of compliance with the Sepa Cards Framework (SCF) for payment card schemes and banks, as well as the conditions for geographical coverage of card schemes within the Euro zone.

In particular, it rules that any national card scheme can be deemed to be compliant with the SCF if the cards it issues are technically and commercially capable of being accepted everywhere in the Sepa territory. Earlier interpretations of the Framework appeared to imply that a card scheme could only be deemed SCF-compliant if it covered all 31 Member states.

The ECB and Commission had expressed fears that such an interpretation would create a "de facto monopoly" for Mastercard's Maestro debit card system and had been encouraging banks to set up an alternative scheme in competition.

The ECB had become particularly concerned about moves by some banking associations to ditch domestic schemes in favour of internationally-accepted programmes by MasterCard and Visa.

The new guidance from the EPC clarifies the situation and makes it clear that the Sepa provisions for cards will allow many - possibly national and regional - schemes to develop into 'SCF compliant' schemes.  Nonetheless, the Commission warns that work is still needed by the EPC to develop a full set of technical standards allowing any card to be used, for payments in euro, potentially anywhere in the Sepa area.

"This is a precondition for the expansion of existing domestic debit card schemes across the Sepa countries, for the emergence of (a) new European card scheme(s), for pan-European processing and certification, and for market consolidation," says the Commission in a statement.

"More competition would be very welcome," the Commission continues. "The success of new initiatives will depend crucially on banks not simply selling the national debit card scheme to the existing schemes."

The European Payment Council's Q&A.

Posted by John B. Frank 0 comments

In an article published in ComputerWorld last week, Avivah Litan, distinguished analyst at Gartner, shared her thoughts on the summary of changes in PCI 1.2.

Here they are:

The new version is a "definite improvement" on the existing PCI standard, said Avivah Litan, an analyst at Gartner Inc. But, she added, the PCI council appears to have missed a chance to introduce some other long-needed changes. 

According to Litan, one of the biggest issues with the PCI standard is that it makes very little distinction between networks belonging to large companies that process large volumes of card transactions and those belonging to businesses with much smaller transaction volumes. In large, complex network environments, it's often hard to say what exactly is covered by PCI and what isn't, she said. The standard, Litan claimed, allows for too much interpretation and leaves it entirely to PCI assessors to determine the scope of what needs to be protected.

Moreover, the standard is targeted primarily at e-commerce systems and isn't always clear on how the requirements should be applied in highly distributed brick-and-mortar environments, Litan said. For instance, many retailers continue to connect servers at each of their stores to systems in other locations but thus far, at least, the PCI standard has provided little guidance on that risky practice.

Litan said there also is considerable ambiguity surrounding the requirements for third-party service providers, such as call centers that might be processing cardholder data on behalf of retailers. "What are your obligations," she asked, "if you are taking in card numbers and phone numbers and entering them into systems that are not yours?"

Another key missing element is guidance on how end-to-end encryption of cardholder data would affect a company's compliance obligations, Litan said.

To Litan, the new version of the standard would have been an ideal opportunity for the PCI council to have incorporated language clarifying such issues. "The questions that come up every day are not addressed at all by this upgrade," she said. "This is just really more of tinkering around the edges."

Posted by John B. Frank 1 comments


Check This Out:


I saw this on CNN this morning and thought it would make for an amusing post.  A Texas company uses a bank's processed checks for packing material.  Some of the checks are not even fully shredded and contain drivers license numbers, routing numbers, addresses and bank account numbers.  The video clip above, if nothing else is entertaining.  Here's an excerpt from the video story...

"I was just in shock. I couldn't believe they were using shredded up checks as packing material," said Michelle McBride. So Michelle and her stepdaughter Amelia started piecing it all together and found out they were right. WHH Ranch uses its local bank's shredded checks to cushion their jars. They're checks from hospitals, Medicare, schools, businesses, personal accounts, even government agencies.

WHH Ranch Company owner Billie Hamzy says, "We've been doing it so long. We are all out of sorts about it because it's so out of place for something like this to happen." Hamzy says in the roughly 20 years his company's used the bank's shredded paper, the McBrides are the first customers to notice. "That he knows of. How does he know he doesn't have a particular customer who is doing this to get this information," Michelle said.

It's information the McBrides found is not too hard to unravel. Michelle says, it's "very easy. You look at the colors, then you get the routing numbers and the bank information."

"We didn't piece any of this together. We just taped it to hold it all together. None of this is torn through at all," Amelia said. "You get the wrong people getting this information, they could have a heyday with one box, a heyday and a shopping trip. It's scary," Michelle said.

Posted by John B. Frank Saturday, August 23, 2008 0 comments


New Contactless Payment Technology Showcased at Democratic National Convention

First Data Gives Attendees a Glimpse into the Future of Paying "On the Go"


DENVER, August 22, 2008 /PRNewswire/ — During this year's Democratic National Convention (DNC), Denver's Pepsi Center will serve not only as a focal point of American politics, but also as an arena for the future of how people will pay for goods and services.

Next week, First Data will introduce a new payment technology to thousands of select media and delegates attending the DNC. Beginning August 25 through August 28, media and delegates receiving a limited edition pin from First Data can use the commemorative pin as a payment device to purchase refreshments up to $10 in value at participating Pepsi Center concession stands.

The First Data® GO-Tag™ Solution behind the limited edition pin utilizes contactless payment technology that is easy to use and makes the shopping experience quick and convenient. Its flexibility allows for many different forms such as stickers, attachable to personal items like mobile phones or employee badges, wristbands and novelty key chains. This new technology provided by First Data eliminates the need to carry cash, credit or debit cards.

"First Data, as a leader in electronic and mobile payments, gives you a glimpse into the future where cash is not needed and purchases can be made simply by the tap of your mobile device," said Michael Capellas, chairman and chief executive officer of First Data. "Consumers will be able to make purchases faster and easier—no more waiting in long lines—and better yet they can leave their wallets at home."

Consumers will experience the technology first as a contactless sticker, like the GO-Tag Solution, and then directly inside their mobile phones. Merchants will benefit from the ability to offer more value through faster speed of service and increased customer loyalty.

"Contactless is a key mobile commerce technology especially well suited for fast payment applications at quick service restaurants, theme parks, event concessions and even vending machines," said George Peabody, director of emerging technologies, Mercator Advisory Group. "As contactless continues to gain traction, the GO-Tag Solution helps both merchants and consumers become familiar with the benefits of this technology."

First Data is distributing a limited number of commemorative pins while supplies last. Credentialed media attending the Democratic National Convention may pick up a pin on August 25 and 26 between 9:00 a.m. and 8:00 p.m. at the First Data-hosted media lounge located in Pavilion 5 outside the Pepsi Center.

For questions about obtaining a limited edition pin or for images and b-roll please contact:

First Data Media Relations
303-967-6323
mediarelations@firstdata.com

For more information about First Data, please visit www.firstdata.com/dnc.

About First Data
First Data is a global technology leader in information commerce. The company processes transaction data of all kinds, harnesses the power of that data and delivers innovations in secure infrastructure, intelligence and insight for its customers. With operations in 37 countries, First Data serves more than 5.4 million merchant locations and more than 2,000 card issuers and their customers. It powers the global economy by making it easy, fast and secure for people and businesses around the world to buy goods and services using virtually any form of payment. The company's portfolio of services and solutions includes merchant transaction processing services; credit, debit, private-label, gift, payroll and other prepaid card offerings; fraud protection and authentication solutions; electronic check acceptance services through TeleCheck; as well as Internet commerce and mobile payment solutions.

The company's STAR Network offers PIN-secured debit acceptance at 2.1 million ATM and retail locations. Through First Data's centers of excellence, such as security, analytics, customer loyalty and mobile payments, it offers data-driven commerce solutions for customers around the globe. For more information, visit www.firstdata.com.

Posted by John B. Frank Friday, August 22, 2008 0 comments

The headline might be a bit dramatic, but it's true that more and more merchants in Europe and elsewhere will not accept credit cards without the "chip and PIN" system (also known as EMV, for Europay, MasterCard and Visa). Most European banks and merchants are switching to it. Canada's switching too. By 2010, you'll have trouble using a standard American credit card at many Canadian merchants.

Banking officials say the chip-and-PIN method has reduced credit-card fraud substantially in Europe, where the problem grew exponentially when former Soviet bloc countries joined the European Union.  Sure...blame it on the bloc heads.

Chip and PIN has an embedded chip in the card along with a PIN number (similar to that you are probably accustomed to with your ATM card).  What's that you're thinking?  You don't have a PIN associated with your credit card right?  That is correct, and, unfortunately, as this L.A. Times article reports, it's not an easy problem to fix:

If you don't have a credit card with an embedded ID chip and accompanying PIN, you may be limited in the number of transactions you can make.  Here's the catch: Americans cannot get such a card through U.S. card issuers.


So what do you do? Well, one way to be sure you always can get by is if your bank offers a combination ATM / debit card with the Visa or MasterCard logo. That has a PIN, so you're OK. But of course this means the money will come straight out of your checking account, so you'd better have enough in there to cover your purchases.

Of course, that's not really credit, it's plain ole PIN Debit.  What about acquiring a chip-and-PIN "credit" card?  Neither American Express nor HSBC, despite their global scope, offers such a product for U.S. customers.  So I guess credit cards really ARE useless overseas.

But hold on...there is another alternative that the Times article does not address!


HomeATM ePayment Solutions has come up with a way to solve this problem. We call it PIN my Card. It allows consumers to create a PIN for their "credit card" and was initially designed to increase the security of an online "credit transaction" and reduce the cost for internet retailers to accept online credit card transactions. (The transformation redefines the "card not present," or CNP, transaction as a "card present" one, which makes the transaction more secure and thus lowers interchange fees for online retailers.) It also appears that PIN my Card would solve the dilemma of Americans traveling abroad with their credit cards. Just attach a PIN and you're good to go!

HomeATM is currently awaiting approval and issuance of global patents regarding "attaching a PIN to a credit card."  I'll provide more on this process as it develops, or you can search this blog using the keywords "PIN my Card" to find out more right now.

For now, it's certainly not impossible to get by with your American credit card, but it's becoming more work to do so, so take this into consideration if you're hitting Europe any time soon (or going to Canada in the near future). Why chip and PIN in the first place? If your credit card requires a PIN, the reasoning goes, it's useless to a thief. So...for Americans that means no stays at a fabulous luxury suite or a night on the town or a pair of Gucci shoes, courtesy of your "credit" card, unless you "PIN your Card"! Stay tuned.

Posted by John B. Frank 0 comments

Britons going abroad this summer are warned that levels of card fraud overseas shot up by 77 per cent between 2006 and 2007. Fraud on credit and debit cards cost Brits £207.6 million last year, insurer CPP found, with France, Italy and Spain the top spots for card crime.

Four in five of Brits are worried about possible fraud if they use their cards overseas with many (60 per cent) choosing to carry cash instead.

Card cloning tops the list of fraud worries (46 per cent) followed by card not present fraud (42 per cent) among a sample of 1,700 Brits quizzed on behalf of marketing and travel assistance services firm CPP earlier this month. The survey follows recent figures from banking association APACS that show fraud abroad accounts for 39 per cent of theft and fraud on UK-issued cards. International fraud losses rose from £117.1m in 2006 to the £207.6m level in 2007, a big rise that helped push overall losses up to £535.2m.

In the period from June 2007 to June this year, no less than 7000 cards were reported stolen from Brits abroad, according to the research.    Kerry D’Souza, card fraud expert from CPP, said: "We are urging Brits to be particularly vigilant when they travel abroad this summer.  When relaxing on holiday, people can be less aware of their belongings and more prone to card fraud and mugging scams. We are encouraging people to contact their banks before travelling, to keep their valuables out of sight once abroad, and to be especially careful when they use their credit and debit cards."

According to card and payments association APACS, paying with plastic is very popular abroad – in 2007, card purchases accounted for 50 per cent of all overseas spending. However, APACS highlights the fact that the introduction of Chip and PIN technology in France and Spain has cut card fraud. Sandra Quinn, director of communications at APACS, added: "As a nation we are all using our cards more frequently abroad so it pays to be aware of any extra costs that may be incurred for using them overseas, as well as taking steps to protect them from fraud. "Card thieves are hoping to catch us relaxed and off-guard when we are overseas, so we need to take the same sensible precautions with our cards abroad as we would in the UK."

However, the majority of card fraud occurs when card details are stolen in the UK and used fraudulently abroad. Fraudsters copy the magnetic stripe details, typically by skimming cards, then create fake magnetic stripe cards that they use overseas in countries that do not have chip and PIN. CPP advises travellers taking their cards to keep them in the hotel-room safe and to keep an eye on them when out and about. The firm also recommends telling your bank if you are away – some will stop your account if they see 'suspicious activity', which may include overseas transactions.

Posted by John B. Frank 0 comments

SAN ANTONIO, TEXAS, Aug 22, 2008 (MARKET WIRE via COMTEX) -- As Stated by SmartCard Marketing Systems Inc. (PINKSHEETS: SMKG) "Management is pleased to announce that we have signed an agreement to provide 4000 Pin debit and Prepaid cards to a Canadian Financial service provider in Canada with online and retail services, this is additional from the 9000 with Kiyss.com.


The agreement includes the use of the Velocitymoney.com loading network, HomeATM's Pin Debit solution and instant issue prepaid cards for money remittance services.

The agreement established is over a period of 2 years to fulfill delivery giving access to their members, which will double our existing number of accounts and make the Velocitymoney.com a service leader in the online payment segment. The price established per customer implemented is $27.50 for a total of $101,000.00 dollars with an estimated number of 8 transactions per month of $150.00 to $240.00 range. This does not include email money transfers, card to card transfers or multi-currency settlement between clients once funds are in transit.

Velocitymoney.com continues its strong growth through 2008 and believes strongly that 2009 will see more aggressive growth as more merchants and financial institutions continue to realize the benefits of our services online worldwide.

Posted by John B. Frank 0 comments
