Visa Europe Data Security Alert: Hosted Payment Pages

June 9th, 2010

In recent weeks, Visa Europe has begun to receive notification of a number of attacks against eCommerce merchants using hosted payment page solutions.  A hosted payment page describes a method of processing card transactions in which a merchant outsources payment processing to a third party web application designed to accept card payments.  Using this method, a merchant simply installs a small piece of code onto their website which will immediately allow the merchant to accept payment card transactions.

When it comes time for a customer to check out and pay for goods, the code on the merchant’s website will automatically redirect the customer’s browser to the third party payment application where the customer will enter their payment card details.  The third party then transmits or processes the transaction on behalf of the merchant, while the merchant and the merchant’s web server or website hosting provider never see card data in the normal course of events.

Merchants using this type of configuration are being targeted by criminals who gain unauthorised access to the merchant’s website by directly exploiting vulnerabilities in either a merchant’s website or in the merchant web server.  Once compromised, hackers will modify the merchant’s code which links to the hosted payment page, redirecting customers to a counterfeit page that looks identical to the third party’s authentic hosted payment page.  As customers often cannot tell the difference, customers will be tricked into revealing their card details. The hacker will either immediately transmit this captured data to themselves, typically through email or FTP (file transfer protocol) or will create a temporary file (e.g., log file, output file, etc.) on the compromised web server where they will store captured payment card data until they can periodically retrieve it. This attack can be difficult to detect as the merchant and customer may not notice that anything suspicious has happened since the hacker’s code modification may also complete the transaction as normal.

Recommended Mitigation Strategy

- eCommerce merchants should ensure that regular checks of their website are carried out for any new or unknown web pages or files.  In particular, merchants should regularly check that the code that redirects their customers to the third party hosted payment page is the same code that was provided to them by the third party and has not been modified.

- If the code that links to the hosted payment page is integrated into a merchant’s shopping cart, eCommerce merchants should ensure that their shopping cart application is patched with the most up-to-date version available.

- eCommerce merchants should discuss security with their web hosting provider and ensure they have secured their systems appropriately.  Web and database servers should be hardened to disable default settings and unnecessary services.  Many international system hardening standards exist, such as those provided by the Center for Internet Security (http://www.cisecurity.org/benchmarks.html), and merchants should encourage their web host provider to adopt these standards.

- eCommerce merchants that utilise web hosting providers or third party payment providers that store, process and/or transmit cardholder data MUST maintain on-going compliance with the Payment Card Industry Data Security Standard (PCI DSS).  eCommerce merchants should ensure that data security language is present in all contracts with entities that store, process and/or transmit cardholder data on their behalf and should clearly identify roles and responsibilities for cardholder data protection.
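
One way to carry out the first check in the list above, as an added example that is not part of the original alert: hash every file under the web root against a known-good baseline to surface new, missing or modified files, and list any absolute URL in the checkout page whose host is not the payment provider's. The hostname pay.provider.example, the file names and all function names are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hostname of the third party's hosted payment page (placeholder).
ALLOWED_PAYMENT_HOSTS = {"pay.provider.example"}

ABSOLUTE_URL = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot):
    """Map each file's path (relative to the web root) to its SHA-256."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_manifests(baseline, current):
    """Report files that are new, missing or changed since the baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(name for name in set(baseline) & set(current)
                           if baseline[name] != current[name]),
    }


def off_list_hosts(path, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """Return hosts of absolute URLs in the file that are not on the allow-list."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hosts = {(urlparse(url).hostname or "").lower()
             for url in ABSOLUTE_URL.findall(text)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


def demo():
    """Constructed sample site: take a baseline, change it, then re-check."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        checkout = root / "checkout.html"
        (root / "index.html").write_text("<h1>Shop</h1>\n", encoding="utf-8")
        checkout.write_text(
            '<form method="post" action="https://pay.provider.example/hpp">\n'
            '<input type="hidden" name="merchant" value="M-0001">\n</form>\n',
            encoding="utf-8")
        baseline = build_manifest(root)  # keep this copy off the web server

        # Constructed change: the form target differs and an unknown file appears.
        checkout.write_text(
            checkout.read_text(encoding="utf-8").replace(
                "pay.provider.example", "pay-provider.example"),
            encoding="utf-8")
        (root / "tmp").mkdir()
        (root / "tmp" / "out.log").write_text("", encoding="utf-8")

        report = compare_manifests(baseline, build_manifest(root))
        return report, off_list_hosts(checkout)


if __name__ == "__main__":
    report, hosts = demo()
    print(report)
    print("hosts not on allow-list:", hosts)
```

The baseline manifest only helps if it is stored somewhere the web server cannot write to; the hash comparison also catches changes to the redirect code that do not involve a visible URL.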

Please find attached some newly published Visa Europe fact sheets that we hope you find useful.  They go into more detail with regard to SQL Injection Attacks and also Default & Shared Credentials.

If we receive any further updates with regards to this threat we will notify you as soon as possible.  If you suspect that your business has suffered an Account Data Compromise you should contact your acquirer immediately.  For further advice and contact information please go to http://www.rbsworldpay.com/pcidss/index.php?page=data&l=1.

PCI Security Standards Council: Release of PTS V3.0

The PCI Security Standards Council have announced, as of 12th May 2010, the release of PIN Transaction Security (PTS) Point of Interaction (POI) security requirements V3.0.

A culmination of the three-year lifecycle review process, incorporating feedback from hundreds of constituents, this latest version is designed to streamline and simplify testing and implementation by providing a single set of modular evaluation requirements for all Personal Identification Number (PIN) acceptance Point of Interaction terminals. It also includes three new modules for device vendors and their customers to secure sensitive card data. Version 3.0 is effective immediately, and version 2.0 will sunset on May 12th 2011.

Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.

The PCI SSC also invites Participating Organisations and the public to a webinar that covers the new PTS security requirements in greater depth, to be held on May 18 at 3:00 p.m. ET / noon PT, and May 19 at 11:00 a.m. ET / 8:00 a.m. PT. Registration details can be found here:

May 18: http://register.webcastgroup.com/l3/?wid=0800518105190
May 19: http://register.webcastgroup.com/l3/?wid=0800519105191

For further information, and for access to the new version of the standard, please go to https://www.pcisecuritystandards.org/security_standards/ped/index.shtml.

TrustWave webinar: Common PCI Failures and How to Avoid Them

The requirements of PCI DSS are varied and complex, making the compliance process for small merchants seem like an overwhelming task. But some requirements are more difficult than others, as discovered by the compromise investigations conducted by Trustwave’s security team in 2009.

May 19, 2010 11:00 am
Access code:          356 580 854
Event password:    S3cure!
Event address:       https://trustwave.webex.com/trustwave/onstage/g.php?t=a&d=356580854
Call number (UK):  +44 (0) 207 365 1860

The Q2 2010 edition of the full ‘Payment Security News’ is now out.  If you have not already seen it, please visit our website to view a copy - www.rbsworldpay.com/pcidss.

DOWNLOADS
Default & Shared Credential factsheet
SQL factsheet


RBSWorldPay
Global Transaction Services

Emue Cards

July 9th, 2009

Maybe you have one, maybe you know somebody that has one or maybe you’ve never heard of them before; whatever your situation, there is a new type of credit card technology amongst us and it’s something I think we should all be aware of.  It’s called the Emue card and, although a card that disappears when you spend too much money might seem like a good idea, Emue cards are not designed to bury their heads in the sand when you go overdrawn or any such cleverness.  In fact, despite the financial crushing many of us are receiving, the Emue card has little or nothing to do with helping people rebuild poor credit ratings or consolidate debt – as most “new” cards claim to do.

 

Instead, Emue cards are aimed at reducing credit card fraud – something that is rising during the depression.  Although the introduction of Chip and PIN technology helped reduce credit card crime in shops, the amount of card-not-present fraud (phone, internet and mail order fraud) has actually risen since the introduction of Chip and PIN; now making up over 50% of all credit card fraud, or over £324,000,000 in 2008 alone!  This is not surprising, given how easy it is to commit this kind of fraud; online and phone transactions simply require the buyer to enter the card number, expiry date, start date or issue number and the security code printed on the back of a card.  Obviously anybody in possession of any card can find this information within seconds and use the card to buy anything - irrespective of whether they are the legal card owner or not.

 

The idea behind Emue cards is quite simple; they work in general just like a normal credit or debit card except that they also require the user to enter a PIN code into the card - like a credit card terminal.  The Emue card, which is a battery-powered microcomputer, then creates and displays a different unique four-digit code every time it is used.  This code is then used during the transaction process, meaning that fraudsters cannot use the Emue card without knowing the PIN code required to generate the code!  Truly a new age of credit card technology may have arrived!

The Plastic Age

July 1st, 2009

In prehistoric times, man built tools from stone in a time we cunningly refer to as the Stone Age.  As time progressed, man started using bronze and eventually iron to shape the world around him, bringing about the Bronze and Iron Ages respectively.  Nowadays, many consider that we are living in the Plastic Age due to the abundance of uses for the oil-based material that we see all around us; on this desk alone the telephone, stapler, calculator, laptop and power-pack are all made, in part, from plastic!  However, as accurate a term as Plastic Age may be, I do wonder if we have misjudged just which kind of plastic is responsible for the world in which we currently find ourselves…  I wonder if the Plastic Age wouldn’t be more aptly named the Credit Age…

 

For it is true that we have built our new world on plastic; the plastic in our wallets that has allowed us to live outside of our means for so long that we have come to take our country’s incredible economic growth for granted.  It is this credit that has allowed us to build our lives; by all buying things that we can’t afford, we have created a land in which everybody has a lot of things, but still has no money.  Of course the economy is going to boom for a bit in such a situation; when everybody goes around buying things all the time, the economy grows – simply put.  Normally this is a sign of a prosperous nation and is something to be pleased by, but in the case of our latest boom, it is essentially down to the fact that we have been pretending that we are all very wealthy for so long that we have forgotten that, in actual fact, we are not.

 

But maybe the Plastic Age is a more suitable name after all; maybe it actually embraces the way in which we put things “on plastic” as a way of forgetting that we actually cannot afford them.  By calling this age Plastic, perhaps we are paying homage to the deceptive credit-based plastic that we have used to build the oil-based plastic world that we live in…

 

The Future of Credit Cards - 2

July 1st, 2009

Last time we discovered that banks are cutting back on the amount of credit cards they issue and who they issue them to.  We also found out that consumers, especially in the USA, are using their credit cards more for small transactions, but less overall.  This seemed like a good move; small purchases are easier to repay on time and help cut down on the amount of interest and debt that consumers accumulate, allowing them to rebuild shattered credit ratings and continue to use their cards within their means.  However, is this enough to save the credit card industry?

 

With banks holding back credit and consumers starting to live more within their means, I wonder whether we could already have lived through the Credit Age?  Certainly the economic recession is terrifying to many of us, but I wonder whether this fear won’t just fade away when the dawning light of financial stability reappears – however many years in the future that may be.  For we should not underestimate just how great a change it would be for us to move away from living outside of our means.  The commonplace use of credit cards is not simply something that could disappear overnight; it is a lifestyle for so many that credit card spending is practically part of our cultural identity!  Should we expect this depression to teach us a hard lesson from which we will learn and grow, or should we be realistic and assume that the financial crisis will simply lead to a new system of credit into which we will all gratefully plunge ourselves?

 

We cannot deny the fact that most of us would rather live outside of our means and pretend that everything is fine when it really isn’t.  Our history of irresponsible borrowing and masses of ever-growing debts are tribute to these facts.  Perhaps the credit crunch will teach us a valuable lesson; maybe it is time for us to put our credit cards down after all…

The Future of Credit Cards - 1

July 1st, 2009

As this blog has mentioned, credit cards have been around since . and have become a very large part of our lives.  However, the next two posts question whether we may have been witness to the peak of the credit card industry…

 

As the financial crisis worsens, anybody within the credit industry could be forgiven for pondering the future of credit cards.  Although we have come to take credit for granted, could the increased paranoia about lending and spending mean that banks have to reconsider just how many credit cards they are willing to provide to a money-strapped public?  They are already raising interest rates and imposing strict rules on just who can and cannot get which kinds of credit cards, yet many think this is just the very start of the financial crisis!  Who knows what the overall impact on credit cards will be by the time things start to brighten up.

 

It’s not just the banks that may cut back on credit cards either; we, the people, may very well start leaving our credit cards at home as the financial situation worsens.  After all, the economic depression was caused by our reckless spending and has already consumed many a job, retirement plan and house; it should be obvious why even the most addicted credit consumer might start thinking twice about reaching for their plastic in times of need.  In fact, bank executives in America have confirmed a change in spending behaviour, claiming that more customers have started using their credit cards for small purchases like food and fuel, whilst holding back from purchasing expensive items altogether – this seems like a step in the “right” direction, doesn’t it? 

What is Chip and PIN?

June 9th, 2009

Chip and PIN is something we have all heard of, but I wonder how many of us really know what it is, how it works and why it is meant to be better than the old method of signing for your purchases.  For your convenience, I shall outline the subject now:

Chip and PIN is the implementation of the EMV (Europay, Mastercard and Visa) standard for secure payments, designed to make transactions more secure and reduce credit card fraud.  It involves embedding tiny microchips into credit and debit cards, which are automatically authenticated using a PIN security number.  By inserting the card into a credit card terminal, a customer has to insert the correct PIN number to authenticate the payment.  If a customer does not know their PIN number, the verification fails and the transaction does not go ahead; making the system secure, yet also very swift and simple.

Until it was introduced, all credit and debit card transactions required a signature for verification after the account data was read off the magnetic strip or an imprint was made of the raised text of the card.  The problem with this system was that people could easily steal cards from people and forge a signature, or steal cards from the post, write their own signature on the card and go about using it as if it was their own.  More advanced methods of card fraud involved technology that was used to clone cards by reading the magnetic data from one magnetic strip and writing it to another.  With the new system, another person may have your card but, without also knowing the correct PIN number, they cannot use it for face-to-face sales.  At the same time, these PIN numbers are entered in very public spaces, where somebody could easily observe and remember them.  All it would then take would be for the same person to steal the relevant card and cashiers have no reason to suspect them for using it.  Even so, it would seem harder for another person to get hold of both your card and secret PIN number than to steal your card and forge your signature.

Despite the growing popularity of the Chip and PIN system – over 1.1 million machines in the UK are Chip and PIN compatible – many small businesses are reluctant to upgrade, due to the cost of purchasing a new credit card terminal, or point of sale system.  Nevertheless, all major banks now issue cards featuring both magnetic strips and chips.  Cashiers can still instigate PIN Bypasses, allowing customers to sign for their purchases if they forget their PIN number; however, this is strongly discouraged and card issuers and banks can choose to decline transactions that are made in this way.

Why Use Credit Cards? - Convenience

June 3rd, 2009

As I have already explained in my previous post, there are myriad advantages to purchasing things on credit cards, in the form of multiple protection schemes, insurance and the ability to withhold payments until you are happy with the service you have been given.  But these are not the only advantages of using credit cards for each and every purchase, as I will now explain.

Convenience

It is no secret that credit cards are a convenient method of payment, but it is not just their usability that is an advantage.  In the modern world it is not uncommon for hotels and car rental services to ask for credit card numbers for reservations and rentals and, although debit card numbers do suffice, it is especially convenient to be able to book and pay all on one card.  What’s more, there is a peace of mind that comes with keeping companies away from checking accounts – again due to the protection offered by credit cards.

What’s more, unless you keep very detailed records of everything you purchase with cash, credit cards offer a far superior summary of your financial activity over the year, as well as over individual months and weeks.  Credit card summaries make it far easier to keep tabs on what you are spending, as well as when and where you are spending it!  Paying your bills by credit card will also combine all your outgoings into one monthly payment – your credit card payment – which is provided with a break-down of what you have spent on what.  As daunting as it may seem to have every payment coming out at once, it is a sure-fire way to ensure you don’t let the other bills mount up!

One of the most convenient aspects of paying by credit card is that they are accepted almost everywhere – Visa especially.  Anywhere you can pay on card, you can pay on Visa or Mastercard – unlike those poor fools who are tied down with a useless Solo card that can’t even be used to buy train tickets (I am one of these fools).  Putting all your purchases onto a credit card will also greatly bolster your credit rating; although most payments are very small, the overall charge to your credit card will mount up and, providing you pay it off, you will accumulate thousands of pounds of paid expenses on your credit card – the key to a badass credit rating!

So that concludes my brief insight as to why we should all use credit cards.  I believe it goes without saying that credit cards are only a good idea if you are capable of sticking to a budget; if you overspend and don’t pay off what you accumulate, credit cards will ruin you and your life.  But if you can keep tabs on what you are spending and are capable of holding back when you can’t afford to spend, credit cards are a great way of protecting yourself, your finances and your purchases, whilst paying in the quickest and most convenient manner available.

Why Use Credit Cards? — Protection

June 1st, 2009

Credit cards have taken a lot of indirect flak in recent months, mainly due to the turmoil in the world of finance that is blamed largely on irresponsible spending and lending, helped – in part – by our use of credit cards.

However, it should not be forgotten that it was not the use of credit cards that got us into trouble, but the irresponsible use; like so many things in the world, credit cards are great when used sensibly and with some foresight. In this post I will outline some advantages to using credit cards within merchant services, with regards to the protection they offer the consumer.

When you make a purchase on a credit card you are essentially letting the credit card provider pay for the purchase and agreeing to pay them back within a grace period. This method of delaying payment acts as a protective buffer against fraud, dodgy dealings and good old fashioned incompetence. Because it is the credit card provider that has made the payment, you have invested nothing until you make the repayment - giving you time to ensure that the product arrives if it is being sent, that you have not been charged twice or been otherwise messed around. If it turns out that something has gone wrong, you are actually under no obligation to pay the credit card fee until the issue has been resolved. In fact, you have the right to refuse to pay and leave it up to the credit card provider to claim their money back and, let’s be honest, merchants are more likely to bend over backwards for Visa than they are to appease you!

To give you a personal example; my band and I spent two months in California this summer and purchased our plane tickets online with debit card. Just before we were due to return home we got the news that Fly Zoom had gone bankrupt and taken our tickets with it! Had we paid on credit card, we would have been entitled to a refund; as it was we were forced to accept the loss of hundreds of pounds-worth of tickets and buy new tickets home from Virgin! In cases like this, there is no substitute for the protection offered by credit cards!

It’s not just when the merchant goes wrong that you are protected with a credit card either; in the cases of loss, for example, purchases made on a credit card can be replaced, repaired or even fully refunded, usually within 90 days of purchase. Naturally this does not cover the simple misplacing of an item, but loss through fire, floods, theft and so on – the specifics are variable. Nevertheless, free insurance for a few months is definitely not to be sniffed at! What’s more, you can actually register your purchases with the warranty management service and get an extra year of warranty protection on your purchases as well!

The key to getting the most out of the protection offered by your credit card provider is knowing the services on offer as well as your own rights. The delayed payment offers a means by which you can argue your case without having your money taken from you.

In the next post I shall cover other advantages of using credit cards - namely the massive convenience!

Credit Card Fees?

May 21st, 2009

Credit card fees are similar to the statues involved in Mount Rushmore; most people know they exist but not so many understand the details – who are the people involved, exactly how large are they and, more importantly, just why?!

Well, here are some answers for you.  The people that benefit most from credit card fees are the credit card issuers themselves; each business that accepts credit cards as a form of payment pays a fee and, of this fee, approximately 85% goes to the issuing bank!  The rest of the money goes mainly to the credit card processor – which is normally Visa or MasterCard since they own 75% of the market!

75%!


Considering that almost every merchant service – and certainly every big business – accepts payment in the form of credit or debit card, it doesn’t take the financial genius of Michael Martin to realise that there is a lot of money to be made on these credit card fees, rightly or wrongly.  After all, what is it that these companies are actually doing for their money?

Well for starters, using a credit card is meant to help protect you from fraud, entitles you to refunds and includes other protective methods.  Furthermore, they provide customer service and, of course, pay for everything you buy before the money is taken from your account.  The biggest expenditure, however, is the rewards schemes that credit cards offer; around 40% of all fees generated by credit card issuers are the direct product of the rewards schemes that they use to lure people in to start with!  Examples of these rewards include air miles, free balance transfers and reward points that can be collected and spent on a variety of lovely things, like money-off car insurance!

So, despite the fact that only Marvin the Paranoid Android has a chance at understanding the “complimentary” monthly statements and transaction reports; all these things have to be paid for – and apparently Visa needs to make an average of $0.07 for every transaction made in the world in order to provide this service…  After all, their quarterly net income in April was a mere $536 million!  As for the credit card providers and banks; how else can they afford to give out so many generous bonuses without charging everybody else for it?

In conclusion, despite the fact that credit cards are almost a necessity in modern life, the ridiculous fees that we end up paying are essentially there to make more money for the people that pressure you into needing them in the first place.  But that’s the way of the world eh?

Oh and finally; Mount Rushmore National Memorial was created by Gutzon Borglum, and comprises four 18-metre-high heads of George Washington, Thomas Jefferson, Theodore Roosevelt and Abraham Lincoln.  Apparently the entire memorial covers 5.17 km²!  It was created as a memorial because 150 years is quite a lot of history in the States!


Reaction to Fraud Statistics

April 16th, 2009

Despite the recently released fraud statistics showing that card fraud has increased, as a percentage of the overall turnover of card transactions card fraud has decreased. This is due to more card transactions being made today than were made a few years ago, showing that card payments are becoming evermore popular and that confidence in using cards for transactions is increasing. This highlights the success that chip and PIN has had on increasing security since its introduction and this has resulted in the general public’s increased confidence in merchant services and making payments on plastic.


Seymour Direct. Registered Office 124 - 126 High Street Rickmansworth WD3 1AB. Registered in England & Wales. Reg No: 3377152