
Here Comes CoinSummit! [2023 Update]

Today marks the start of CoinSummit San Francisco, a two-day event “connecting virtual currency entrepreneurs, angel and VC investors, hedge fund professionals and others who are looking to learn and network in the virtual currency industry.” CoinSummit will take place on March 25-26, 2014 at the Yerba Buena Center for the Arts in San Francisco. Many in the bitcoin community have been waiting for this event for a while.

The event will feature notable names in the virtual currency community, including Marc Andreessen of Andreessen Horowitz, Brian Armstrong of Coinbase, Nic Cary of Blockchain.info, and Tony Gallippi of BitPay.

The Official Merchant Services Blog has been tapped into the ongoing saga of Bitcoin since this article in November — delving into the fascinating gimmick of Bitcoin mining. Traversing the ups and downs of this unstable and chaotic currency led to the crazy month of February and then the fall of Mt. Gox. Since that fateful day, the virtual currency industry has been scrambling. And now we have this much anticipated summit of industry experts discussing the details and potential future of Bitcoin and its competitors.

Don’t Miss a Moment of the Action

For those interested, a live stream of the event begins at 9 AM Eastern time today, and can be viewed here.

Points of Interest

So some of the things we’ll be hoping the Summit delves into are: The Mt. Gox crisis, its aftermath and the future of the currency exchange. Of course industry insiders are all going to be sharing their thoughts, rants and frustrations about MtGox. Many will be raging about the losses incurred by the public and so many bitcoiners, and how badly Mark Karpeles has handled this debacle. But more importantly the issue of malleability will be explained and also how the currency and its exchanges can survive well into the future.

Which leads right into the fact that the crisis didn’t imply a complete price crash for BTC, even after hundreds of millions of dollars in permanent losses. How will exchanges guarantee transparency? Audits? Open balance sheets? These are critical issues if Bitcoin is to be adopted by mass markets. So let’s hope the summit dives right into the answers for those questions.

And then there’s the heavyweight presence to consider. The “big 4” (Coinbase, Blockchain.info, Bitstamp, and BitPay) will all be present at this summit through their founders. Let’s see if the industry leaders explain their current strategies and growth trends.

The competitors also have some spotlight. Ripple, DogeCoin, Litecoin, and Ethereum will be pitching the advantage of alternative options, but also talking about the future of Bitcoin through smart contracts and smart property, two functionalities many think will catapult BTC prices to new levels.

That’s a quick roundup of what to expect at CoinSummit San Francisco.

Terminal Retirements

Following up on our recent blog about the terminal of the future, the VX 520, today we’re going to let the other shoe drop. With the payment processing industry thrusting its spotlight onto security in the wake of the Target Data Breach, the PCI DSS and its upgraded protocols are getting a lot of attention.

Host Merchant Services has been ahead of the curve on PCI compliance, having instituted a PCI Compliance Initiative years ago. But the Payment Card Industry Security Standards Council is in a continuous state of refining their security requirements and best practices so we here at HMS have to remain agile and adept at navigating these changes.

EMV smart cards, a topic we’ve discussed in depth here, are prompting PCI DSS to reorganize large swaths of its standards and, as a result, retire various terminals. As more and more POS hardware adapts to support EMV chip cards and end-to-end encryption, manufacturers and software developers will have to put their older equipment out to pasture. With the release of EMV/Contactless terminal applications, many of the legacy terminal devices/applications do not have the memory capacity required to support the association mandates. As a result, TSYS has provided a preliminary end of life schedule for credit card terminal applications that will be fully retired.

This is something the PCI DSS has been preparing for, and as such they have a schedule implemented for the retirement of older equipment. Coming up next is the VX 510 Terminal and its VDID300 Application, scheduled for retirement on June 3, 2014. The VX 510 and VX 570 and their VXGFT02 Application will also be retired that day.

Prior to this date, Host Merchant Services has terminal upgrades available for our merchants. While we will continue to honor merchant boarding for these devices until the effective end of life date, once that occurs these devices/applications will no longer be an option available within our internal systems and downloads will no longer be available for terminal updates, swaps or technical support. So upgrading should be a priority, and Host Merchant Services will make the process seamless and trouble-free.

The VX 520 Embraces the Future

Sometimes the future just sort of sneaks up on you. Even if you’ve given yourself reminders, sticky notes, calendar alarms, and the proverbial string tied around your finger, the future still has a way of creeping up on you unawares.

Which is why Host Merchant Services is happy to offer its customers a payment processing terminal that comes with a reminder built in. Verifone with its VX 520 Terminal is here to prevent any memory lapses about the future from happening to your business and its PCI compliance needs. The VX 520 is PCI PTS 3.0 compliant right out of the box and is a forward thinking terminal designed specifically to be prepared for the PCI compliance mandates that are changing the rules of the industry.

Verifone terminals use end-to-end encryption with SSL v3.0 and 3DES to maintain the highest levels of security. This encryption, coupled with Master/Session and DUKPT key management, provides maximum protection from fraud and misuse of the terminal. The VX 520 terminal is also certified with PCI PED 2.0 approval.

All About Security

Security and secure transactions have been a hot button issue in the payments processing industry for the past few years. Everything from the Global Data Breach to Bitcoin to the Target Breach has people wondering about how secure their payment information really is. This is the root of the creation of PCI and its standards. In the ten years since the PCI DSS emerged as a consensus industry standard for the major credit card vendors, PCI DSS succeeded wildly in some areas – such as the use of endpoint security, encryption and network monitoring technology.

The Clock is Ticking

However, the success of PCI DSS in some areas highlighted others in which the standard had little to say or created perverse incentives—rewarding “compliance” over real security. Subsequent updates have attempted to right those wrongs. And the VX 520 is on the cutting edge of those PCI updates.

In January 2012 the PCI DSS released version 2.0 of their standards. And the VX 520 was built to be compliant to those standards and more.

In November 2013, the PCI DSS released version 3.0 of their standards. And again the VX 520 was compliant.

The 520, offered by Host Merchant Services, is a nimble processor that is ahead of the curve on security standardization. This is helpful because by December 2014, changes are coming from the credit card companies where older terminals will no longer be valid. Host Merchant Services offers a free terminal to new customers that sign up and is available 24x7x365 to help upgrade existing customers to terminals that will be PCI compliant.

Getting Secure and Staying Secure

Host Merchant Services knows that your business needs secure transactions to function. And we’re here to make the process of PCI Compliance easy, understandable and consistent for you each year. We offer the lowest PCI Compliance fee in the industry, at just $4.95 per month. PCI Compliance is essentially the process of adhering to the standards set forth by the Payment Card Industry Data Security Standards Council (PCI DSS). Essentially the standards are a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.

Secure transactions are important for merchants and a key element of the customer service Host Merchant Services provides. As part of our commitment to our Merchants and their transaction security, HMS offers a PCI Compliance Initiative to anyone interested in processing with us. We are happy to offer this initiative as well as our free resources to help our merchants see what needs to be done to become compliant … and stay PCI compliant.


The Doom of Mt. Gox [2023 Update]

February was the month that the all-seeing eye of the media turned its lidless gaze upon Bitcoin and the craggy peaks of Mt. Gox, the Japanese Bitcoin exchange site. Almost half a billion dollars went missing from Mt. Gox, the exchange was rocked, Bitcoin was scorched, and the site went bankrupt.

The Official Merchant Services Blog has been tapped into the ongoing saga of Bitcoin since this article in November — delving into the fascinating gimmick of Bitcoin mining.

Wait, What is Bitcoin?

Bitcoin is a virtual currency introduced in 2008 by a programmer or group of programmers under the name Satoshi Nakamoto. It has no central issuing authority and uses a public ledger to verify encrypted transactions. The flashy shiny aspect of it is it’s a currency that can be bought, sold and mined electronically. The famous internet comic strip Penny Arcade defines Bitcoin for its readers here.


In 2013 the currency captured the imagination of the virtual and business worlds by soaring in value, rising from $10 to $1,200 per coin. It surpassed the value of gold at its peak. And then it crashed down to $500.

The currency was also embroiled in the huge Silk Road scandal as federal authorities seized millions of dollars worth of Bitcoins when they shut down the notorious black market website the Silk Road.

The real trick of Bitcoin and why it’s so fascinating to payment processors is that it’s a cryptographic protocol, or crypto-currency. The protocol creates unique pieces of digital property that can be transferred from one person to another. It’s essentially the legitimization of microtransactions linked to actual monetary value. Each Bitcoin is defined by a public address and private key, both long strings of numbers and letters giving it a unique identity in virtual reality. In addition to its digital fingerprint, Bitcoins also have a place in a public ledger. This blockchain gives the Bitcoin a physical identity. So Bitcoins bridge the virtual and the physical.

Mt. Gox: Hackers Gonna Hack


But no matter how elegant and ingenious the actualization of Bitcoin is, the currency apparently can be hacked.

  • On February 25, Mt. Gox, the leading Bitcoin exchange located in Tokyo, Japan, shut down. It had discovered that hundreds of thousands of Bitcoins had gone missing, and more than $400 million had been stolen.
  • On February 28, Mt. Gox filed for bankruptcy and said it was under orders not to pay its debts. The exchange publicly apologized to users for “causing so much inconvenience.”

February was actually filled with problems for Mt. Gox and Bitcoin, as we reported previously.

Everything from Russia banning Bitcoins to China half embracing it just piled onto the Bitcoin craze. And then the hack and the bankruptcy happened. Since then, pieces of code showing parts of Mt. Gox’s Bitcoin source have cropped up around the web according to VentureBeat. Mt. Gox set up a phone support line but that got blitzed. Two other sites vied to fill the void of Mt. Gox, with BitStamp edging out BTC China for the title of largest Bitcoin exchange — for now. And then things got funny weird.

Virtual Theft


The authorities are now tasked with investigating the crime. And well, there’s this book, Halting State by Charles Stross, written in 2007. The premise of the book seemed so novel back then: A police officer is called to the offices of a big corporation because a robbery was reported. The robbery as it turns out took place in a virtual world, as the company runs a video game system with virtual currency. And then the novel goes on to explore technology, and how it is quickly evolving to affect the physical world from the virtual world. It was set just a few short years in the future.

And here we are, a few short years into the future, and authorities are investigating the theft of real value currency stolen from a virtual environment.

The number of coins hacked and stolen from Mt. Gox amounts to about 6 percent of the entire Bitcoin market in circulation. And law enforcement is now tasked with trying to find the identity of the perpetrators — which may seem like an obvious and standard step in the investigative process. But it’s Bitcoin, which is famous for its anonymity and unregulated status. So authorities are filing subpoenas to Mt. Gox to gather information about how the virtual currency is transferred and converted into dollars. While stuck investigating even the basics of how the model works, authorities haven’t even gotten to the stickier situation of how Bitcoins are designed to be untraceable, and finding the phantom thieves who stole the strings of encrypted numbers may not happen.

Leaving a half billion dollar hole in an industry that’s already proving to be volatile and susceptible to hacking.


PayPal President Hacked [2023 Update]

Twitter, the modern equivalent of Mad Libs and the yellow journalism of the late 19th century, has revealed to us a gem of irony that makes the whole Target getting hacked story seem that much more poignant.

No one is safe in this bold new era of credit card hackers and identity thieves. Not even the president of a major payment processing company.

PayPal President David Marcus has been the victim of credit card fraud, he said on Monday. The leader of the online payments company revealed via Twitter that his credit card information had been stolen on a trip to the United Kingdom and that a “ton” of fraudulent transactions had been racked up on his account.

Smart Chip Didn’t Help

Marcus speculated that thieves probably skimmed the info from the magnetic stripe on his card, even though his card had an EMV chip, a technology that makes cards in Europe more secure than the ones commonly used in the U.S.

EMV® chip technology — or EMV — is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

Is it Just a Marketing Ploy?

Marcus adroitly used the incident as an opportunity to plug his own company, suggesting that the fraud wouldn’t have happened if the merchant had accepted PayPal. His company is currently trying to expand its presence as a payment option in physical stores, putting it in direct competition with platforms like Square and Google Wallet.

It also comes right when data breaches are major news in the payment processing industry. On December 19, 2013, Target confirmed a sophisticated data breach occurred. In their press release they stated: “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”

So Marcus’ misfortune happens right at the time identity theft, credit card fraud and hackers are on everyone’s mind. With EMV chip cards being touted as one of the best solutions to the hacking problem, Marcus’ mishap even taps into that buzz.

The Bitcoin Roller Coaster

Back in November, The Official Merchant Services Blog dove into the Bitcoin currency craze with an in-depth look at Bitcoin mining.

Bitcoin, introduced in 2008 by a programmer or group of programmers under the name Satoshi Nakamoto, has no central issuing authority and uses a public ledger to verify encrypted transactions. It is a virtual currency that can be bought, sold and mined electronically.

The Hammer is Dropped

We focused on the technological gimmick that is Bitcoin mining – essentially powering multiple computers to create the virtual currency from virtually nothing. The rest of the media since then has been concentrating on the other aspects of Bitcoin, including its use as a money laundering tool. In that same month of November, Federal prosecutors in New York filed charges against Ross William Ulbricht for running the Silk Road website, where customers allegedly used Bitcoins to buy and sell drugs.

And on February 9, Florida stepped into the spotlight concerning virtual currency, money laundering and Bitcoin traders. Florida prosecutors have charged three men, saying that their use of a site called localbitcoins.com violates laws against unlicensed money transmitters, according to a report in the Krebs on Security blog.

Bitcoin Banned in Russia

More bad news for Bitcoin came from Sochi Olympics host country Russia. The country banned Bitcoin altogether. Russia’s Prosecutor General’s Office recently made its stance on Bitcoin abundantly clear. “Systems for anonymous payments and cyber currencies that have gained considerable circulation — including the most well-known, Bitcoin — are money substitutes and cannot be used by individuals or legal entities,” the office said in a recent press release reported by Reuters. Any use of Bitcoin will be considered “potentially suspicious,” as the Russian government has linked Bitcoin usage to illicit activities.

Russia is only the latest country to release a statement detailing its position on Bitcoin. In early December, China barred financial institutions from using Bitcoin, though it didn’t ban the currency outright. In late January, Canada released a statement that said Bitcoin is not legal tender in the country. Countries like these have expressed skepticism in Bitcoin not only because of its links to money laundering, but also for its overall volatility.

Market Troubles

Bitcoin has plunged more than 8 per cent after a Tokyo-based exchange halted withdrawals of the digital currency, citing technical malfunction. Mt. Gox, a popular exchange for dollar-based trades, said in a blog post it needed to “temporarily pause on all withdrawal requests to obtain a clear technical view of the currency processes.”

It promised an “update” – not a reopening – on Monday, February 10, Japan time. Bitcoin exchange Mt. Gox said customers can take out cash “as normal” and it’s working to resolve technical issues that prompted it to halt withdrawals of the digital currency.

“It’s not about cash at all, only about Bitcoin,” Michael Keferl, a communications officer for Tokyo-based Mt. Gox, said. “There is a problem in the way transactions are verified.”

Things then rebounded. The price of Bitcoin rose 0.3 percent to $683.66 at 9:07 a.m. London time, according to the CoinDesk Bitcoin Price Index, which averages prices from exchanges including Mt. Gox.

Bitcoin App Dropped by Apple

On February 5, Apple struck a blow against Bitcoin. The Blockchain app, downloaded 120,000 times during its two years in Apple’s iTunes App Store, was the most popular way for people and companies to transfer bitcoins to one another. Apple removed it from the store on February 5. Blockchain immediately shot back with a statement, accusing Apple of getting overly aggressive with future competitors. Apple is rumored to be developing its own mobile payment system.

And Speaking of …

With the crazy ups and downs of Bitcoin, one thing is undeniable: Virtual currency is a profitable new marketplace. Which means Apple isn’t the only group trying to develop their own alternative. An untraceable currency called Zerocoin is being designed by Johns Hopkins University researchers to compete with other virtual moneys such as Bitcoin. The researchers say that if virtual currencies are going to exist, there should be one that provides the same kind of privacy that people have when exchanging traditional forms of money.

What Does This all Mean?

The virtual currency movement has the potential to be the next stage in the evolution of payments and transaction processing. Advocates say such digital currencies, made possible by complex computer formulas, will eventually be widely embraced by users who want to exchange money instantly and directly, without a bank as middleman.

While it may seem like the wild west in terms of security and long term viability, the concept of virtual currency is actually well in line with what we’re already surrounded with as consumers. By and large we continually swipe plastic through card readers when we buy everything from a coffee at Wawa to a down payment on a new automobile. So a paperless and coinless world is already one in which we exist. It’s not hard to envision a next step where the currency itself is virtual.

But that does leave security issues which are relevant and real. Relying on even the best encryption still leaves risk and susceptibility to fraud.

However, it seems governments are still playing catch up to the technology itself, focusing on money laundering and the instability the anonymous exchange of currency brings to the banks themselves, as well as the sale of illegal goods and services. All of which are certainly part of their purview. It’s just a weird transition period as the infrastructure of the old school banking system doesn’t seem all that prepared to deal with the fluidity of a virtual currency snaking through the world’s consumers.

In short, it’s an interesting time to bear witness to the evolution of money and the marketplace. Governments will catch up with virtual currency. And consumers will embrace convenience more and more until we face a world that may actually give up on paper and coins completely, in favor of your PIN numbers and some encryption codes that store the value of you.

Heartland Payments Sues Mercury

According to a story in the payment processing industry periodical Digital Transactions, Heartland Payment Systems Inc. filed a federal lawsuit on Wednesday against Mercury Payment Systems LLC. The suit alleged deceptive pricing by Mercury allowed Mercury to lure scores of merchants — well, 30 — away from Heartland and attract prospects to Mercury that had been weighing the two companies for payment-processing services.

Heartland filed suit in U.S. District Court for the Northern District of California, San Francisco. The suit charges Durango, Colo.-based Mercury with false advertising, unfair competition, and intentional interference with contractual relations under the Lanham Act and related California law.

Specifically, Heartland alleged Mercury used inflated network fees to more than compensate for acquirer pricing that undercuts pricing from Heartland. This practice, Heartland alleged, made Mercury’s overall pricing appear to merchants to be lower than Heartland’s, when in fact it is higher. The practice has caused some 30 merchants to abandon Heartland in favor of Mercury over the past six months, Heartland said in the suit.

Heartland examined roughly 300 Mercury merchant statements and found what it claims is deceptive pricing in 75% of those statements, the company said in its complaint.

In response to Heartland’s allegations, Mercury issued this statement on its website: “Mercury will vigorously defend against the lawsuit filed by Heartland. Mercury Payment Systems’ rapid growth in the electronic payments market is directly attributable to the value and flexibility we provide our merchants and partners, and we stand by our business and pricing practices. We are proud of our consistently high satisfaction rates and low merchant attrition rates among merchant acquirers over the past 10 years.”

Mercury chief executive Matt Taylor told Digital Transactions News that Mercury does not engage in deceptive practices.

The Heart of the Matter

Here’s one example Heartland used in its complaint: A restaurant chain compared pricing from various payment processing companies, including Heartland and Mercury.

Heartland indicated it would charge interchange fees at cost, plus seven (7) cents per transaction plus 0.02% of the dollar value of transactions and a $7.50 monthly service fee – all competitive or standard industry rates. Mercury’s bid indicated the same except for a 6.5 cents per transaction fee, half a cent below Heartland’s bid.

As a result, 50 of the chain’s 57 outlets switched from Heartland to Mercury for payment processing. Review of a 2013 merchant invoice from Mercury clearly demonstrates that Mercury was charging a falsely inflated interchange fee of four (4) cents per transaction, making their effective per-transaction fee 10.5 cents instead of their contractually agreed rate of 6.5 cents.

What Are Network Fees?

Network fees are assessed by Visa, MasterCard, and other card networks. Unlike interchange, which is set by the networks but flows from acquirers to card issuers, network fees flow to the networks themselves. In so-called interchange-plus pricing, both interchange and network fees are commonly understood to be pass-throughs to merchants.

When markups on network fees occur, merchants are often unaware of them because of the complexity of merchant statements, which discourages close analysis.

The Bottom Line

Heartland’s suit asks for relief in the form of three times damages as determined by the court as well as three times lost profits. It also asks for an injunction to stop Mercury’s alleged pricing tactics.

Remember When?

This revelation about Heartland comes at a time when the payment processing industry is still reeling from the news of the Target Data Breach, the major hack of the discount retailer that stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season.

The sophisticated hack reportedly took place over several weeks — starting on Black Friday and possibly extending all the way through December 15th — and is said to involve nearly all Target stores in the United States. News of the hack was initially reported by noted security blogger Brian Krebs, who also broke the news in 2012 of the Global Data Breach.

Which is a reminder of Heartland itself, because in 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.


Hackers find new target: Marriott [2023 Update]


Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. On the heels of the major hack of discount retailer Target that stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inn, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013, a hotel management company revealed on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.


The Full List

The food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville, KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN

White Lodging last week told the New York Times it was investigating a potential security breach, covered in a report from security writer Brian Krebs. The same Krebs who broke the news on the Target Data Breach as well as the Global Data Breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One idea posited on how this happened is RAM scraping. Attackers are planting malicious software, known as “RAM scrapers,” on POS devices, which capture unencrypted card details after a customer has swiped a card, defeating other security measures in place intended to protect sensitive details. White Lodging said customers’ names as printed on credit or debit cards, the card numbers, the cards’ security code and expiration dates may have been unlawfully accessed.

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Services’ PCI Compliance Initiative

Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

 


Can Chip Cards Stop the Hax? [2023 Update]

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card built around a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embedded microchips rather than magnetic stripes. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. That is why, as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% of credit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts, the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason. Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far simpler: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to handle them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 that it planned to start issuing more EMV (Europay, Mastercard, Visa) smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

October 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain (merchant, credit card, banks) deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will continue to target the low-hanging fruit that the largely magnetic-stripe-based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information are coming. October 2015 looms closer and closer.