Hypercom Equinox Credit Card Terminal Problems

Recently, Hypercom or Equinox credit card terminals have come to their EOL or end of life, due to firmware needing to be updated, when possible.  The firmware version is no longer able to allow processing.  If the Hypercom  Equinox credit card terminal will allow for a firmware update and it takes the update, one is in the clear.  The terminal typically stops processing after a restart or power cycle.  If one receives an error it may say something like, “Security Error” or “CA signing expiration in 0 days call for service”.  Call you processor immediately to see if the firmware can be updated.  Holds times have been lengthy for all processors, as this firmware/EOL affects all providers of credit card processing.

If one has a hypercom or equinox credit card terminal, please consider upgrading to an EMV machine, unless you are a hotel/motel with a folio processing file “check in/check out”.

EMV is more secure than magnetic stripe processing, provides fraud protection for the merchant, and allows for additional forms of payments to be accepted, such as Apple pay.


If you are considering upgrading to EMV, you may consider contacting us at DonUp.  We have been using the EMV credit card terminals since 1/1/2013 and have gathered valuable experience that we can pass along to help avoid any pitfalls for your business.  We have the right EMV credit card terminal solution for your business, whether you are a retail business or a restaurant.  Give us a call at 877.651.1655 and we will help discover what EMV solution is best for your business.

Protect Your Business from Retail Fraud- EMV

Fraud losses totaled $5.2 billion in the US or 7% of transactions according to a CNBC article from July 2015.  There is a proven way to help stop most of this fraud, EMV.  EMV stands for Euro, Mastercard, Visa and was the organization formed in Europe to bring EMV to Europe.  The organization includes all major card brands, today, and it is called EMVCO.

EMV Contactless Card on Ingenico 1CT

What is EMV?  Emv is a chip in credit cards.  That chip, instead of the magnetic strip on the back of cards, is used to communicate with the host to generate authorizations for sales.  The chip uses dynamic numbers to communicate with the expecting host.  If the dynamic number is different than the host expects, the transaction is declined.  It is a much more secure way to process transactions verses the magnetic stripe.

How does it help business owners?  In a retail environment, where cards are presented in a face to face environment, there is a liability switch happening and the deadline is October 1st, 2015.  Generally speaking, if the business has an EMV enabled device and accepts EMV payments, they have zero liability for in person or face to face transactions for reasons including, fraud, lost, stolen, non-activated.

Reasons for upgrading to EMV:

  1. Liability switch, 10/1/15- SAVE on Fraud
  2. More secure transactions
  3. Ability to add new forms of payment, such as NFC (Apple Pay)
  4. Reduction of PCI compliance requirements

The rush has been on to upgrade to EMV.  With the liability switch deadline October 1st, 2015, we have been extremely busy helping businesses understand their options for EMV and additional forms of payment.  We have excellent rates, that save you more money with our exclusive RATE LOCK and our equipment is protected by our Infinite Warranty.  Donup has been working with EMV terminals since January 2013.  Put our EMV expertise to work for your business and get peace of mind for your payment processing.  Give us a call today, 877.651.1655.

Jeremy Ochsner, ETA-CPP

NFC on the new iPhone 6 & 6 Plus + Apple’s Mobile Wallet Apple Pay

Apple takes NFC mainstream on iPhone 6; Apple Watch with Apple Pay

Apple will help consumers say buh-bye to plastic credit cards with the NFC-enabled iPhone 6, iPhone 6 Plus, and Apple Watch using its new mobile payment service Apple Pay.

Apple introduced its NFC-based mobile payment system Apple Pay for the iPhone 6.

Apple wants to turn your iPhone 6 and Apple Watch into a virtual wallet that could eventually replace the old plastic card sitting in your real wallet.

Apple announced Tuesday at its September 9, product launch in Cupertino, Calif., that it is finally joining the ranks of companies, such as Google, that have tried with lackluster success to get consumers to buy things with their phones, by introducing its own mobile payment offering.

After years of speculation, the company is finally including the short-range wireless technology known as near field communications or NFC into its latest smartphone, the iPhone 6 and the bigger iPhone 6 Plus. It also announced a new digital wallet called Apple Pay, which can be accessed securely using its fingerprint Touch ID technology introduced in the iPhone 5S.

Apple’s new Apple Watch will also be equipped with NFC, which will enable older generations of the iPhone, specifically the iPhone 5, iPhone 5s and iPhone 5c to work with Apple Pay.

Apple announced Tuesday it’s partnering with Visa, Mastercard, and American Express along with several issuing banks to allow iPhone users to store their credit card accounts. Apple Pay will be available in 220,000 US merchant locations that already take mobile payments via the NFC’s short range, secure wireless capabilities.

Apple has also worked with other retailers, including Macy’s, Walgreens, Duane Reade, Staples, Subway, McDonald’s, Disney, and Whole Foods, among others to bring Apple Pay to physical store locations. At McDonald’s it’s even adding Apple Pay to the drive-through, Eddy Cue, senior vice president of Internet software and services, said during the presentation. Disney is expected to have all of its retail locations outfitted with Apple Pay by Christmas.

Apple’s Cue also said that Apple Pay will be integrated with several apps including, the car service Uber, a food app from Panera, Major League Baseball’s app, which will allow you to order tickets from your phone, and Open Table, which will allow you to pay your bill from your iPhone 6 or iPhone 6 Plus. Apple will also be making an API available in iOS 8 to allow other app developers to integrate Apple Pay into their applications.

Users will be able to fund the Apple Pay mobile wallet using the credit cards and debit cards they already have on file in iTunes. To add additional cards, users can take a photo with the phone, go to bank to verify that it’s your card, and it’s added right to Passbook, Cue said.


Mobile Payments

Mobile payments, or paying for things using a mobile phone or a mobile app, is a natural progression for Apple, as the company expands its business beyond the traditional smartphone and tablet market into new areas. Apple already stores credit card account information for 800 million customers to allow them to easily buy digital music, books, TV shows, movies and apps via its iTunes store. Expanding this payment process into a digital wallet, which virtually stores these credentials and can be accessed to buy physical goods, can be viewed as an extension of this capability.

Apple CEO Tim Cook said during the presentation that Apple’s vision is to replace a wallet, and more specifically to replace antiquated, plastic credit cards. Cook noted that there are more than 200 million credit card and debit card transactions processed per day in the U.S. with consumers spending more than $12 billion every day between credit cards and debit cards.

“That’s over $4 trillion a year,” he said. “And that’s just in the US.”

He went on to explain: “This whole (payment) process is based on this little piece of plastic,” he said. “We’re totally reliant on the exposed numbers and the outdated and vulnerable magnetic stripe interface, which is five decades old.”

Apple hinted at a mobile payment solution earlier this year. On an earnings call with analysts in January, Apple CEO Tim Cook said he was intrigued by the idea of a mobile payment service using Apple’s Touch ID feature as part of the implementation to secure access to the credit card information.

“Apple isn’t trying to get rid of credit cards entirely,” said Jason Oxman, CEO of the Electronics Transaction Association “But what they are are trying to do is disrupt is the plastic credit card with that magnetic strip. Using NFC tied to your iTunes account, you can simply pay by tapping your device.”

How it will work

The way Apple Pay will work is that users will be able to simply tap their devices outfitted with a small NFC chip that stores its payment credentials on a payment terminal in the checkout aisle at a number of different merchants. This will allow the store to access the customer’s credit card payment credentials so the credit card account can be charged.

When iPhone 6, iPhone 6 Plus and Apple Watch users make a payment, these credit card accounts will be charged, just as a credit card account is charged when someone makes a purchase in Apple’s iTunes music store. Following an already emerging trend in the payments industry, Apple will be using what’s known as tokenization technology to add another level of security to the transaction.

The way tokens work is that they replace the static 16-digit card numbers that appear on the front of a credit card and indicate a customer’s account number with a dynamically changing and complex code that is transmitted between devices to identify accounts. The benefit of using tokens is that even if they are intercepted by a fraudster, they are rendered useless in the next transaction, because they are constantly changing.

It’s not surprising that Apple would see potential not just in payments but in the mobile payments market specifically. According to Gartner, the global market for mobile payments is forecast to be about $720 billion worth of transactions by 2017. This is up from about $235 billion last year.

Still, other big companies, such as Google and three of the four major wireless operators in the US, have launched mobile payment services using the hardware-based NFC solution that have seen mediocre success at best.

Google was first to market three years ago with its Google Wallet service, which also uses NFC-enabled handsets to securely transmit credit card information between the device and a point of sale terminal in the check-out line of a retailer. The idea behind Google Wallet was to not only store credit cards but also store loyalty cards and coupons as well as leverage location information to send offers and promotions to customers. While the idea itself sounded great, a year after launch Google Wallet only worked with one credit card and bank combination. And it was only available on one wireless network: Sprint.

Meanwhile, three of the four major US wireless carriers — Verizon Wireless, AT&T, and T-Mobile — formed a joint venture to offer a similar kind of NFC-powered mobile-payment service. After a year-long trial period, the service, named Isis, launched across the nation in November with help from high-profile partners such as Coke and Jamba Juice, which offered freebies for early adopters. In July, Isis had to go dark to change its name, which too closely resembled the terrorist group Islamic State of Iraq and Syria, also known as ISIS. It’s now known as Softcard.

The mobile payment solutions offered both by Google and the wireless carriers has been stymied by a few issues. For one, the NFC technology used to enable Google Wallet and Softcard must be available on the mobile device as well as at the point of sale terminal used at the merchant. And second, in order to even store these credentials on phones, the companies enabling the wallets needed to have arrangements with credit card companies and banks.

For Google, the hurdles were difficult to get around since it does not manufacture its own devices. This meant it not only needed to convince merchants to upgrade their terminals, but it had to get device makers to include the NFC technology in the devices. This wasn’t so hard given that companies like Samsung saw other uses for NFC. But even when handset makers included the NFC chip on their devices, it was up to the wireless carriers whether that functionality would be enabled. And AT&T, Verizon, and T-Mobile shut out the Google Wallet functionality.

As a result, Google shifted gears and revamped the service, turning it into a cloud-based app that stores credit card and loyalty card credentials in a secure Internet based service rather than on the device itself. Google Wallet still uses the NFC tap-and-pay functionality to access the cloud-based credentials, but because the information is stored remotely it also means that Google Wallet users can also access it through other password-secured Google services, such as Gmail.

Apple: In a class all its own

Just because other companies have failed to make a splash with mobile payments doesn’t mean that Apple will meet the same fate. Apple’s strength has historically been taking technologies that have been invented and used by other companies and refining them. The company then packages those technologies in such a way that the service is easy to use and appealing to millions of users.

“Apple didn’t invent the smartphone or the tablet,” Oxman said. “They weren’t the first to offer mobile apps. But they raised consumer awareness of these products and services and they packaged it better than anyone else.”

Apple’s golden touch could do the same for mobile payments and the beleaguered NFC technology that Apple will use to deploy the service. For one, Apple is using its existing base of iTunes accounts to allow people to fund their “wallets” using any credit card. This is a huge advantage since that was a major stumbling block for Google as well as the wireless operators.

“Consumers that have used NFC mobile payments have liked it,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “But they haven’t liked not being able to use any payment card they want in their mobile wallet. Apple’s wallet overcomes this challenge by letting consumers’ use the card of their choice through their iTunes account. It’s a smart move and a big win for NFC.”

Apple is also launching this new service at just the right time. In addition to getting consumers to buy devices that are NFC-enabled and making sure that they can access the service and link it to any credit card, another important piece of the puzzle is ensuring that merchants have the right equipment at check-out to accept the payment.

Apple may have chosen to launch its solution now since the payments industry is in the middle of a major transition to upgrade merchants’ point-of-sale machines, so that they can accept the more secure token-based EMV (Europay, MasterCard and Visa) chip technology. Credit cards that use the EMV chip technology have an embedded microchip in them that the scanner reads instead of a magnetic strip. It’s this chip that generates the unique tokens that are used to route transactions instead of static account numbers that are offered in the older magnetic strip cards that most US consumers currently use.

The move to EMV requires that merchants replace their point of sale terminals. In an effort to speed the process, the payments industry has put a deadline of October 2015 for this upgrade.

“From an acceptance perspective, the timing is really good for merchants,” Vanderhoof said. “Many are already looking to install new POS terminals to accept EMV chip cards, so they can also look at enabling NFC acceptance at the same time. Both features are available on most POS terminals shipped today.”

New life for NFC

The fact that Apple is using NFC to enable mobile payments, instead of another technology, could give mobile payments a big boost, analysts say. The company has a massive user base of iPhone users as well as the 800 million credit card account numbers stored in iTunes. It has also quietly built the foundation to its mobile-payment service in Passbook, an app introduced two years ago in its iOS software and released as a feature with the iPhone 4S. Passbook has so far served as a repository for airline tickets, membership cards, and credit card statements. While it started out with just a handful of compatible apps, Passbook works with apps from Delta, Starbucks, Fandango, The Home Depot, and more. But it could potentially be more powerful.

And the iPhone’s fingerprint sensor, which Apple obtained through its acquisition of Authentec in 2012, could serve as a quick and secure way of verifying purchases, not just through online purchases, but large transactions made at big-box retailers such as Best Buy. Today, you can use the fingerprint sensor to quickly buy content from Apple’s iTunes, App, and iBooks stores.

“No one can change consumer behavior like Apple,” Vanderhoof said. “This move will make the market for mobile payments explode. And it is a great endorsement of NFC technology as the best way to secure mobile payments.”


Read More: http://www.cnet.com/news/apple-adds-nfc-to-iphone-6-with-applepay/

Credit Card Security and possible card breach being investigated for..

Home Depot Investigates a Possible Credit Card Breach

If the evidence proves to be valid, the Home Depot hack could top the record-setting breach of Target’s network last December. 

So far, all roads point back to Home Depot. And if the evidence uncovered so far proves to be valid, the hack could top the record-setting breach of Target’s network last December.

Investigators are searching for what they call “a common point of purchase” among the cards.

Bank employees are able to identify stolen cards simply by examining the first six digits of the card, which are known as the Bank Identification Number, or BIN number. They are buying back card numbers and cross-referencing the transactions of those cards in search of one common retailer.

Fraud detectives, meanwhile, who do not have access to transaction data, are able to exploit a recent innovation in the underground. In the last few years, carding sites have been selling the city, state and ZIP code of the store from which each card was stolen in addition to the account number and expiration date, said Ron Sadowski, the director of technology solutions at RSA, the security division of EMC.

Hackers can charge a higher price for that location data because it allows criminals and counterfeiters to fool fraud-detection controls, which often flag purchases from far-flung places, Mr. Sadowski said. Investigators will try to match those ZIP codes to a list of store locations for a particular retailer.

On Wednesday, Brian Krebs, the security blogger who first reported the potential breach of Home Depot, said that there was a 99.4 percent overlap between ZIP codes listed in a collection of stolen account numbers on an Eastern European carding site, called Rescator, and Home Depot’s store locations.

Mr. Krebs said that out of 1,822 ZIP codes listed in the stolen card data on the Rescator carding site, only 10 did not correspond to a Home Depot store location.

That means the breach could affect most of the retailer’s 2,200 stores, which is about 400 more than the Target breach.

Mr. Krebs, citing bank sources, said fraudulent activity indicated that the breach on Home Depot began as early as late April. If that is confirmed, criminals would have had unfettered access to Home Depot’s payment systems for some four months. By comparison, Target’s breach was detected after three weeks.

Home Depot, based in Atlanta, has not confirmed that it was the victim of a cyberattack, only that it was investigating “unusual activity.”

Paula Drake, a spokeswoman for Home Depot, said the company’s forensics and security teams “have been working around the clock since we first became aware of a potential breach Tuesday morning.” Ms. Drake said Home Depot had engaged Symantec and FishNet Security, two cybersecurity firms, to look into a possible breach.

If a breach is confirmed, Ms. Drake reminded customers that they would not be responsible for fraudulent charges and said Home Depot would offer free identity protection services, such as free credit monitoring.

Retailers are not the only businesses being targeted by hackers. Last week, JPMorgan Chase was the victim of a sophisticated breach that security experts say has affected as many as five financial institutions. The identity of the other institutions is still unclear.

“Underground criminals are going after all manner of businesses, large and small, that they think are vulnerable,” Mr. Sadowski said. “But the good news is there is more information than ever on how criminals are trying to perpetrate these attacks.”

Read More: http://www.nytimes.com/2014/09/04/technology/path-of-stolen-credit-cards-leads-back-to-home-depot.html?_r=0

Banks and Retailers Move on the Chip for Credit Cards

Banks, Retailers Speed Up Drive to Add Chips to Credit, Debit Cards

Data Breaches Spur Effort to Boost Security; End of the Swipe?

GLEN ALLEN, Va.— Morgan Montgomery inserted a credit card into a device, pulled it out and tried to pay for her groceries. But the transaction failed because she didn’t realize the card was supposed to stay in the machine while she signed for the purchase.

“I don’t like letting go of it,” she said of the card. “I’m worried about leaving it behind.”

Ms. Montgomery, a 30-year-old business owner from Richmond, Va., was one of 10 consumers who swiped, dipped, tapped and fiddled their way through imaginary purchases earlier this month as part of research being conducted by MasterCard Inc.MA +1.98% into new credit cards that are coming to American wallets in an attempt to combat fraud.

EMV Contactless Card on Ingenico 1CT

The push for the new cards is taking on greater urgency following a number of high-profile data breaches in recent months that have exposed millions of consumers to potential fraud. Just last week, grocery chain Supervalu Inc. SVU +2.15% disclosed that it was investigating a breach that could affect shoppers at roughly 1,000 supermarkets.

Major lenders, regional banks and credit unions are rolling out the new cards, which contain a computer chip in addition to the traditional magnetic strip on the back. Merchants, too, are installing new terminals at the cash register to accept the cards.

The Supervalu incident follows a rash of other breaches, from the massive hack atTarget Corp. TGT +1.51% during last year’s holiday shopping season to smaller ones at restaurant chain P.F. Chang’s China Bistro Inc. and Goodwill Industries International Inc. thrift stores.

In all, U.S. lenders will issue more than 575 million chip credit and debit cards by the end of 2015, representing roughly half of the one billion cards now in circulation, according to an industry-group projection.

Chip cards have been used widely in Europe, Asia and Canada for years. But they have been slow to take hold in the U.S., in part because of a “chicken-and-egg” battle between the card industry and merchants. Businesses didn’t want to invest in new technology until the card companies issued the plastic to consumers, while the card companies didn’t want to give them to customers until there was a place where they could be used.

Now, the breaches are making both sides eager to roll them out. Bank of AmericaCorp. BAC +1.45% , the nation’ second-largest credit-card issuer after J.P. Morgan Chase JPM +0.80% & Co., and regional lender SunTrust Banks Inc. STI +0.94%are among the institutions now putting chips on plastic sent to new customers or existing customers whose cards are expiring.

“By the time we get to holiday shopping, there will be a good base of chip cards in the market,” said Carolyn Balfany, who is overseeing MasterCard’s transition to chip cards.

Merchants, too, are upgrading the computer terminals at the cash register to accept the new cards. Wal-Mart StoresInc. WMT +0.74% is using the technology at more than 4,600 of its nearly 5,000 stores in the U.S. and expects to have the rest upgraded by the end of the year, according to a company spokesman.

Each transaction made with a chip card has a unique code attached to it, reducing the chance that stolen card data can be used to make counterfeit plastic. Such cards likely wouldn’t have prevented the hacking at Target, but the card data would have been useless to thieves, experts say.

U.S. credit-card-fraud losses totaled roughly $18 billion last year, according to Javelin Strategy & Research, a consulting firm that is a unit of Greenwich Associates. About a third of those losses are attributed to the counterfeit cards, according to consulting firm Aite Group.

The new cards come with changes to the basic way people are accustomed to paying for purchases. Although the cards still have a magnetic strip on the back to be used at merchants that haven’t upgraded their technology, the computer chips don’t work with a swipe at the register. Instead, shoppers slide the card into the bottom of the terminal and leave it there while the purchase is processed.

“It’s going to take some patience and time with the merchants’ staff and the customers that are making the purchases,” said Mike English, executive director for product development at Heartland Payment Systems Inc. HPY +1.55% The Princeton, N.J., company, which processes transactions on behalf of merchants, is training its customers to use the new equipment.


Some of the new credit cards also may require shoppers to enter a personal identification number instead of a signature. That was one of the trickiest changes for Canadians who weren’t accustomed to having a PIN for their credit cards, said Ellen Richey, vice chairman of risk and public policy at Visa Inc. V +1.92%

“Consumers aren’t used to it, they don’t remember it and they don’t think they need it. Then all of a sudden, they are at the cash register and can’t remember their PIN,” she said.

To ease the way for U.S. consumers, the card industry will be flooding mailboxes and websites in coming months with information about how to use the new cards. Some card terminals at the cash register will prompt shoppers through the transaction process and issue a series of beeps to remind them to remove the card at the end.

MasterCard recently tested consumer reaction to the cards at focus groups in St. Louis and Towson, Md. At the focus group earlier this month, consumers were escorted into a conference room to test a number of ways to use a chip card.

Ms. Balfany and a few members of her chip-transition team watched and took notes on consumers’ reaction from the other side of a two-way mirror.

After answering questions about how they typically pay for purchases, the consumers were given a chip card and led to two terminals where they were guided through a series of imaginary purchases. A few were initially uncertain about where to insert the card or how long to leave it in the device, but sailed through the process on the second or third try. Nearly all of them liked a process in which they tapped the card on the terminal’s screen.

Said Jerry Greenway, 67 years old, from Richmond, Va.: “If it helps make the cards more secure, I’m all for it.”

Read More: http://online.wsj.com/articles/banks-retailers-speed-up-drive-to-add-chips-to-credit-debit-cards-1408377051?KEYWORDS=ROBIN+SIDEL

2 New York-area men arrested with 60 counterfeit credit cards, Westfield police say

By Dan Warner 
on August 13, 2014 at 11:33 AM

WESTFIELD – Two men were arrested this week in Westfield with dozens of counterfeit credit cards and more than 50 gift cards that they purchased as part of a scam, police say.

Felix Santos, 22, of Brooklyn, and Michael Gilbert, 22, of Dunellen, New Jersey, face charges in Westfield District Court, and at their Tuesday arraignments Judge Philip Contant held each on $500 bail.

Santos is charged with unlicensed operation of a motor vehicle, receiving stolen property of more than $250, possession of a counterfeit credit card press and attempt to commit a crime. Gilbert is charged with receiving stolen property, attempt to commit a crime and improper use of a credit card of more than $250.

Police say Gilbert was attempting to purchase $300 worth of prepaid visa cards at Rite Aid in Westfield when a manager recognized the ruse that had been plaguing other Rite Aids. The manager canceled the transaction and called police.

Officers encountered the men driving in the Big Y parking lot, the police report said. Santos was driving, but he only had a New York learner’s permit and Gilbert’s license was expired, the report said.

Santos was carrying two credit cards in his name, and police found 23 more in the vehicle, the report said. Gilbert had 10 cards on him, and 25 others bearing his name. Officers discovered they were counterfeit because they had incorrect customer service numbers on the back and the card numbers were not issued by the banks on the cards, the report said.

The report said there were 51 $25 pre-paid Visa and American Express cards in the vehicle.


Chipped Cards still need security…

Payment cards with chips aren’t perfect, so encrypt everything, experts say

Lucian Constantin PC World Aug 8, 2014 6:30

There’s a push to adopt chip-equipped payment cards in the U.S. following high-profile breaches at large retailers and restaurant chains during the past 12 months, but experts warn that switching to this payment system will not make fraud disappear.

The EMV (Europay, MasterCard and Visa) standard is widely deployed around the world, and for the past 10 years or so it has been the de facto payment card system in Europe, where it’s also known as chip-and-PIN. The cards authenticate with ATMs and payment terminals using the combination of a customer PIN and information stored securely on an integrated circuit.

In order to drive EMV adoption in the U.S., the credit card brands plan to shift liability in October 2015, after which parties that haven’t deployed the system will be held liable for fraudulent transactions.

However, the EMV specification suffers from both regulatory and security issues, some of which have already been exploited in real-world attacks, according to Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security.

During a talk on Thursday at the Black Hat security conference in Las Vegas, Anderson highlighted some of the attacks that are possible against existing EMV implementations. Banks have tried to downplay these as impractical or too complex for cybercriminals to launch, he said.

The “preplay” and “no PIN” attacks are two examples. In a “preplay,” a card inserted into a rogue payment terminal can be charged for a transaction that’s done with a fraudulent card at a terminal somewhere else in the world. In the “no PIN” attack, a criminal uses a stolen card that’s wired to a portable device with a rogue card inserted into it. That lets the attacker bypass PIN verification at POS (point-of-sale) terminals in order to authorize rogue transactions.

More recently, Anderson’s team at Cambridge discovered that many EMV-capable ATMs and payment terminals generate random numbers in a predictable manner. This allows someone with temporary access to a credit card, such as a waiter, to calculate authentication codes that then can be used for transactions in the future. Worse, a rogue or compromised POS terminal can generate authentication codes for a card inserted into it, and those codes can later be used to authorize additional rogue transactions.

Some of these attacks don’t stem from issues in the EMV standard itself, but rather from the poor implementation of it by payment terminal vendors, according to Anderson. Banks don’t have enough incentive to act, because liability for fraud shifts to the merchants if EMV is not used in a transaction and to consumers if EMV is used with the correct PIN number, he said.

That tendency to blame the card owner is based on the premise that since EMV cards—or rather their chips—cannot be cloned, if a fraudulent transaction is done with such a card and the correct PIN, the card owner has been negligent.

Whether U.S. banks will try to shift liability to consumers for PIN-authorized EMV transactions remains to be seen, as consumer protection in the U.S. is better than in Europe, Anderson said. EMV adoption in the U.S. will be an interesting experiment because some banks want to implement chip-and-PIN cards, while others favor a chip-and-signature model, Anderson said.

The EMV specification as it exists today is vastly complex, and vendors have made additions on top of it, which means that it’s easy to make mistakes when implementing it, Anderson said. Depending on how much attention you pay, you can design a secure system using EMV or an awful one, he said.

Lucas Zaichkowsky, an enterprise defense architect at AccessData whose previous jobs involved investigating credit card breaches and assessing compliance with payment card security standards, agreed with Anderson.

“People think that if we switch to EMV, these breaches will go away, but that’s not true,” said Zaichkowsky, who also held a presentation about POS system architecture and security at Black Hat. During an EMV transaction, RAM-scraping malware can steal the same data that’s on the magnetic stripe if the chip is not implemented correctly, and several banks don’t do it properly, he said.

That data can then be used to create counterfeit magnetic stripe cards to conduct fraud in most countries, even those already using EMV because most EMV readers are also configured to accept the magnetic stripe in “fallback mode.”

In addition, most EMV-enabled POS terminals support both chip cards and traditional magnetic stripe cards. When you attempt to swipe an EMV card, the payment terminal should refuse it and ask you to insert it in the smart card reader instead. That doesn’t always happen, according to Zaichkowsky.

As an example, he said that his credit card was swiped at a POS terminal in Italy because the cashier was used to U.S. cards not having chips, despite his card having one. There was no error and the transaction went through, he said.

Even if everyone in the world would switch to chip-enabled cards and traditional magnetic stripe ones would disappear, fraud would most likely shift from card-present transactions to card-not-present transactions, such as those done online or over the phone, he said.

Fraud statistics up to 2012 actually show that this has happened in Europe since the deployment of EMV, Anderson said.

With an EMV transaction, a compromised POS terminal can still get the credit card number and expiration date, Zaichkowsky said. There are many places where this is all you need to place an order, because they don’t ask for the three-digit security code or verify the billing address, he said.

This means that cybercriminals will continue to have an incentive to compromise POS terminals, even with widespread EMV deployment.

The sophisticated EMV attacks that Anderson and his team at Cambridge identified aren’t widely used yet, partly because criminals have easier ways to abuse EMV cards today. That’s because they’re currently designed to also work with ATMs and payment terminals in countries where the system is not deployed, such as the U.S. Information captured from the magnetic stripe of a chip-equipped card can be used to create a counterfeit copy that doesn’t have a chip. That cloned card cannot be used in Europe but works in the U.S., where the chip isn’t needed anyway.

The fewer places in the world where cybercriminals can use such cards, the harder it will be for them to steal money from them. That might lead criminals to start using EMV attacks like those described by Anderson.

One technology that has a much better chance of preventing attackers from stealing card data is point to point encryption from the card reader to the payment processor, according to Zaichkowsky.

Security experts have recommended point to point, or end to end, encryption for card-present payments for years. Adoption has been slow because it requires replacing card readers and PIN pads with new ones that support the technology, a significant investment that most merchants were not prepared to make.

However, now that many of them will have to change their terminals anyway in order to support EMV, it would be better if they also took the opportunity to choose terminals that encrypt the card data at the reader, Zaichkowsky said.

Credit and Payment Security: a cycle of good news and bad news

It was good news. In July 2013, federal prosecutors in the United States brought indictments against members of a sophisticated Russian syndicate. The gang members were charged with stealing and selling more than 160 million credit card numbers from JCPenney, 7-Eleven, JetBlue, Heartland Payment Systems, Carrefour (in France), and one of the world’s largest credit and debit processing companies. The thefts could be tracked back to 2005, according to The New York Times, and had resulted in hundreds of millions of dollars in losses. Unfortunately, th e indictments were not effective and the same group is suspected of participating in the security breaches of Target, Michaels, and Neiman Marcus companies just a few months later.

Adopting the Europay, MasterCard, and Visa Standard

The continued and very public success of hackers and the ever-increasing cost of fraud losses, fraud management, and fraud-related expenses spurred the United States credit payment industry to change the way it does business. After decades of resisting the Europay, MasterCard, and Visa (EMV™) standard for credit payments, which is generally believed to be more secure than our current payment system, the industry is adopting it. It’s an action many believe is long overdue. According to a BusinessWire.com article in August 2013, it stated The Nilson Report, a leading payment industry newsletter, provided an overview of card fraud around the world:

“The U.S. accounted for 47.3% of global card fraud losses but generated only 23.5% of total volume… The absence of EMV cards and terminals in the U.S. also contributes to fraud losses. The U.S. is the only region where counterfeit fraud continues to grow consistently… EMV adoption would not only help U.S. issuers but also issuers in other parts of the world that must continue to put mag-stripes on their cards to accommodate point-of-sale terminals in the U.S…”

The good news is change in finally on its way. The bad news is it may take longer than expected. Some estimates project the majority of U.S. merchants will be EMV compliant by 2016, but many analysts believe that goal will be reached closer to 2018.

What is EMV?

EMV was developed in the 1990s after a study commissioned by the European Council for Payment Systems, and conducted by Europay International, determined the most effective way to reduce credit card fraud was to eliminate magnetic stripes (mag-stripes) and embed chips in credit and debit cards. In a Capgemini document, published early 2014, it stated:

“…Magnetic stripe cards, which store sensitive customer data unencrypted on the rear magnetic stripe, have been found to be vulnerable to various frauds such as skimming and counterfeiting. Chip-based EMV cards store customer data on a chip in encrypted format and are less vulnerable to fraud. This led to increased EMV adoption in several regions across the world.”

In the United Kingdom, the introduction of EMV cards is credited with helping reduce fraud significantly. Counterfeit card fraud fell by 75 percent after peaking in 2008, and fraud losses have fallen by 75 percent since 2004.

Eighty countries around the world already have implemented or currently are implementing EMV technology. For instance, about 95 percent of card readers in Europe; 79 percent in Canada, Latin America, and the Caribbean; 77 percent in Africa and the Middle East; and 51 percent in the Asia Pacific region are EMV compliant. In fact, if you’ve traveled overseas recently, you may have encountered the EMV standard. It’s a source of frustration for American travelers who find their mag-stripe credit cards won’t work in train station kiosks and are not accepted by some retailers.

Ironically, even criminals prefer the EMV standard. The going rate on the black market for an American credit card number is $10. A European card number, on the other hand, will fetch about $50. According to The Washington Post, there are two reasons for this. First, American card numbers are easier to get. Second, when used in the United States, European cards are no more secure than mag-stripe cards because American retailers do not adhere to the EMV standard. Couple this with the fact European banks are slow to process transactions on weekends and criminals can enjoy a spending spree.

An Evolving Industry

The good news is EMV should make card payments in the United States more secure. The bad news is payment systems are not static. As the popularity of mobile devices has grown so has the popularity of mobile banking and commerce. Some consumers already have embraced mobile applications that allow them to use smart phones or tablets to pay for goods and services.

The growth of mobile payments is expected to accelerate and change the way business is done around the world. Gartner, the world’s leading information technology research and advisory company, estimates global mobile transaction volume will grow by 35 percent on average from 2012 to 2017. The company’s forecast suggests the mobile payments market will comprise 450 million users and will be worth more than $720 billion – a number that was reduced during 2013 because of lower-than-expected growth in North America and Africa – before the end of the decade.

Protect Yourself Against Fraud

Of course, a new payment system means new hardware and security solutions. Mobile payment security will depend on application configurations as well as security measures taken by smart phone and tablet users. If you use or plan to use your mobile device for banking or commerce, make sure you take basic safety precautions:

• Protect your mobile devices using complex passwords

• Download an app for finding a lost device and/or disabling it

• Only download apps from trustworthy sources

• Check app reviews and ratings before downloading them

• Only bank or shop over secure Internet connections (not public Internet connections)

• Make sure the web address begins with https (indicating you have a secure connection) before sending data

The good news is American consumers will have lots of choices when they want to make purchases. The bad news is it can be challenging to stay abreast of new technology and the security measures it requires.

Posted on July 16, 2014  shelburnenews.com



What Do Our Clients Think?

Money shows up the next day.
High ticket transactions are run with no issues or holding of funds.
If an issue arises, it is handled quickly- excellent customer service.
The money we saved, pays for our delivery truck.

Alan R.Nevada

Credit Card Processing Companies | Merchant Credit Card Processing | Non Profit Credit Card Processing | Credit Cards For Travel | Credit Card Equipment | Next Day Funding