The State of EMV Smartcards in the U.S.?

EMV smartcards are the card standard in Europe, many countries in Asia and, most recently, Canada. U.S. issuers have been reluctant to adopt the technology. But now, the prospect of widespread adoption of smart cards in the U.S. is finally gaining some traction, indicating a desire to offer the greater security of smart cards and to align the country with the rest of the world. Most recently, MasterCard Worldwide unveiled its EMV roadmap, five months after Visa, Inc. announced its guidelines and deadlines. A handful of U.S. issuers are piloting EMV chip cards, albeit to a very select group of customers. Large retailers, most notably Wal-Mart, which pushed for EMV conversion two years ago, are supporting the effort.

Since many view the growing fraud dangers as the weakest link in the U.S. payments chain, the impetus to move EMV along could only grow stronger.

But many questions remain.
• Are the compliance dates from the major networks realistic?

• MasterCard’s plan explicitly states that the party–the issuer or merchant–offering the least secure method would be held liable for a fraudulent transaction. A liability shift by Visa and MasterCard has worked elsewhere in the world. Will it work in the U.S.?

• Will there be any interchange rate relief? Will the Fed consider the cost in its bi-annual review of Durbin pricing for debit cards?

• Large merchants may be behind the conversion, but will smaller merchants follow? Can the smaller merchants afford the technology upgrade?

• Are there other technology enhancements (like NFC) that, if included, might strengthen EMV’s value to merchants, issuers and consumers?

• Will the move to the EMV standard at the POS speed up or slow down the adoption of mobile payments?

• How will the EMV standard impact the growth of prepaid?

Stay tuned on this one…


VeriFone Perspectives on EMV in the U.S.

MasterCard’s announced roadmap for EMV adoption in the U.S., with Visa’s similar initiative last August, signals that the U.S. is embarked inevitably on a path to embrace the global standard for authenticating credit and debit card transactions and further reduce the potential for fraud.

VeriFone welcomes these clear directives from the two leading card brands. VeriFone’s expertise in implementing EMV compliant payment systems around the world provides assurance to U.S. merchants, processors and acquirers that a speedy and successful migration is possible.

With the coming shift in liability for fraud costs, and in light of growing evidence that card fraud is increasingly migrating to non-EMV countries, VeriFone encourages earliest adoption of this critical payment technology to assist in building a complete defense against criminal elements.

EMV’s authentication technology ensures stronger security of the payment system and better protection of consumer data. Both MasterCard and Visa are encouraging adoption by offering economic incentives that effectively lower the overall costs of PCI compliance.

VeriFone endorses adoption of the most secure option – EMV Chip & PIN – so that merchants, acquirers and processors place themselves at the most advantageous position in the liability hierarchy articulated by MasterCard, and therefore achieve maximum protection.

As MasterCard points out, when used with EMV payment acceptance devices, EMV cards can be instantly authenticated through a process called dynamic authentication and “when used with a PIN (Personal Identification Number), the chip verifies that the consumer is indeed holding his or her own device.” The Merchant Advisory Group (MAG), a cross-industry association of large merchants involved in the payments industry, has also endorsed Chip & PIN for U.S. electronic payments.

A recent Federal Reserve article “Retail Payments Risk Forum Working Paper” pointed out that “Transactions conducted with EMV chip-embedded cards that use PIN verification are more secure than transactions conducted using magnetic stripe technology.”

The Federal Reserve paper also asserts that markets that have migrated or are in the process of migrating to EMV chip-and-PIN have seen a significant decrease in fraud, while “overall fraud levels in the United States are trending upward.”

To date, VeriFone has shipped millions of EMV payment acceptance devices globally and provides a comprehensive portfolio of services and software to implement EMV. VeriFone supports these important initiatives and our experience delivering EMV solutions internationally ensures a smooth path to adoption in advance of upcoming deadlines.


PC viruses are mostly your fault, Microsoft says

 

If your PC is riddled with infections, they probably came in through files you installed yourself.

If your computer is infected, it’s probably because of something you did, according to a Microsoft study released this week.

In its semi-annual Security Intelligence Report, the software giant found that the largest group of malware attacks on its Windows operating systems — 44.8% — occurred because of some kind of action taken by the computer’s operator. It may have been as simple as clicking a link or downloading an infected file, but a human was the culprit.

But let’s not be too hard on ourselves — we were most likely duped into doing it. According to Microsoft’s report, one of malicious software’s primary entry mechanisms is through phishing schemes.

Phishing schemes come in many forms. Often they are spam e-mails sent to thousands and sometimes millions of recipients, typically with the intention of getting the user to click on and open an infected file. They can be very rudimentary or incredibly sophisticated, depending on the skill of the attacker.

They’re also hard to escape: Most of the e-mail messages sent over the Internet are unwanted, Microsoft said. It can also be difficult to discern phishing scams from wanted e-mails. Overall, 47.8% of phishing attacks sent in the first half of this year posed as legitimate e-mails from social networks like Facebook, according to the report. Banks and other financial institutions were also popular camouflage for bait e-mails.


When malware, or malicious code, is installed as a result of a clicked-on link or downloaded file, it can give hackers any number of capabilities, including complete control of an infected computer. If a computer infected with malware is connected to a network, attackers can often access other connected systems and servers.

Since humans are behind such a large chunk of computer infections, Microsoft suggested that security professionals rethink the way they approach security.

“IT professionals are accustomed to thinking about the technical aspects of security; however, as this report has shown, the human element has become just as important for attackers as the technical element, if not more so,” the report’s authors wrote.

“By implementing effective technical safeguards, programs, and processes designed to defend against social engineering, you can help your users avoid being taken advantage of by attackers,” they continued.

How they hack you

Of course, the technical side of security remains important. Microsoft reported that 43.2% of PC attacks were automatically installed by taking advantage of Microsoft Windows’ AutoRun function in the XP and Vista versions of the operating system, which automatically executes certain files and programs. As a result, Microsoft in February released an update to make the AutoRun feature more secure. Windows 7 already had the more secure AutoRun feature set up as its default option.

About 6% of attacks on Windows PCs were attributed to other kinds of exploits — malicious codes that attempt to take advantage of known vulnerabilities in applications or operating systems.

Exploits of Oracle’s Java software, which runs rich applications on the Web, were responsible for between 33% and 50% of all exploits during each of the past four quarters, Microsoft said. Nearly all document exploits this year targeted Adobe Acrobat and Reader.

Despite alarm bells and widespread coverage in the media, only about 0.1% of successful attacks were from so-called “zero-day” exploits. Zero-day exploits are attacks on a newly discovered security problem in an application or software, which the vendor had not had time to patch before the attack.

Those attacks, while extremely rare, capture a lot of attention because they’re theoretically impossible to defend against, leaving consumers and security professionals at the mercy of attackers.

Though zero-day exploits “continue to capture the imagination,” Microsoft found that those fears are mostly misplaced. The vast majority of zero-day vulnerabilities are immediately patched once discovered and are never exploited.

Newer protections baked into the Windows operating system can also help mitigate attacks.

The newer the version of Windows you have, the less likely it is to get infected. About 1% of computers running Windows XP were found to have infections, according to Microsoft. That dropped off to roughly 0.5% with the latest Windows Vista software and just 0.15% of machines running the latest Windows 7 version.

 


Phone-as-Wallet Trend

“We definitely hope one day you can walk out of the house with your phone in your hand — and nothing else,” said Marc Freed-Finnegan, the company’s product manager for Google Wallet. It aims to digitize everything in your pockets in coming years by collapsing all that paper, plastic and metal into one device: the smartphone.

The idea of using the mobile phone as a credit card, driver’s license, transit pass, digital coupon collector, house key, hotel key, corporate ID and more probably sounds pretty sci-fi-futurey. But it’s almost practical when you consider the history of the smartphone.

Since the Apple iPhone debuted in 2007 (it’s considered by most tech analysts to be the first true smartphone, running apps and functioning as a pocket computer), technologists have been cramming ever more functionality into these Swiss Army Knife-like gadgets.

Our phones have replaced many other once-common tools, from GPS devices (remember those?) to handheld gaming consoles, point-and-shoot cameras, calendars, notebooks, newspapers and portable music players.

Now they’re conquering new territory, most notably the wallet.

From there, who knows? Analysts expect phones to get so smart that they could delay your alarm clock if an airline delays your morning flight. Apple’s new “humble personal assistant,” named Siri, is a step in that direction. And technologists are working on phone prototypes that could be built into clothing, could project their screens on your skin or, in the way-off future, would have flexible and stretchable screens.

“Mobile phones are definitely becoming a center of all of our lives, I think,” Freed-Finnegan said. “When you’re carrying around this small computer, you can do all kinds of things with it.”

The phone-as-wallet trend started in South Korea and Japan about five years ago, and it’s been talked about in the U.S. for some time. But it only became a reality September 19, when the Google Wallet app went public for Nexus S smartphones on Sprint’s network. That’s a relatively small subset of people (Google wouldn’t say how many), but the company says it’s just an early implementation of what’s to come.

Here’s how it works at checkout:

Instead of pulling out a credit card to pay for your purchase, you get out your phone. Then you tap it on an NFC reader (these are becoming more common in stores and are usually labeled “PayPass” along with a little radio-wave icon) to log the payment. You have to enter a PIN for security.

Google Wallet currently works only with Citi MasterCard. Google also has a prepaid card of its own that you can load up with money from a bank or credit card account.

Some reviewers say the service is clunky.

“Other forms of payment are easier and quicker,” said Jeff Blyskal, a senior editor at Consumer Reports, who tested Google Wallet in San Francisco.

“I don’t think the Google wallet or any of these digital wallets are going to replace your leather wallet,” he said. “I just don’t think it will happen.”

The phone-wallet technology is promising and probably will be a significant part of the mobile future, but it has to get easier to use, said Will Stofega, director of mobile device technology and trends at IDC, an analyst firm.

“I think the phone as wallet is a good place to start, and one of the things that has to happen is it has to be easy … and it has to be accepted all over,” he said.

Google says Google Wallet will continue to develop. The company hopes that, at some point, this smartphone app will carry loyalty cards and digital coupons so someone could just tap their phone and, all at once, also get discounts from a grocery store loyalty program or spend a Groupon deal they had in the queue.

In the longer term, the company and others hope to jam the rest of the contents of your pockets — identification cards, transit passes, keys and the like — into your phone, too. The details are far from worked out, but a phone with an NFC chip could be used to unlock doors and to identify a person. (Here’s one reason Google Wallet isn’t all that popular yet; only a handful of smartphones in the U.S. have such a chip in them, including the Google Nexus S and two BlackBerry models, which don’t work with Google Wallet.)

For a hotel key, a clerk could transfer a key permission to the guest’s phone upon check-in. Then the phone would communicate with a door lock in the same way it would with a cashier: by passing identifying information back and forth and unlocking the door.

Lots of hardware and industry standards might need to be changed to make something like that happen. And there will probably be security issues as well.

Even more complicated would be the phone-based drivers’ license, since state governments would need to approve that. Google said there would obviously also have to be some form of authentication technology employed so the digital license couldn’t be faked. That’s a long way out, Freed-Finnegan said.

But the company thinks the digital wallet is a smart place to begin.

“We’re really just getting started,” he said.

 


Mobile payments

Services from Google, Square and Intuit are already simplifying consumer credit. But it’s the long-term changes that will redefine how merchants, banks and consumers interact.
This is the second in a series of articles leading up to the Fortune Brainstorm Tech conference, which will be held from July 19-21 in Aspen, Colorado. Fortune Brainstorm Tech will round up many of the best and brightest thinkers in technology. Our coverage in this series will examine the progress of companies that presented last year and give an idea of what to expect this year.

FORTUNE — As companies like Google (GOOG), Square, Intuit (INTU) and, reportedly, Apple (AAPL) place their bets on some form of mobile payments, the technology’s long-term potential becomes clear. What’s harder to envision is exactly how this nascent industry will evolve.
Each company’s service manages to transform mobile devices into a credit-transaction device, although their approaches vary. Google Wallet lets Android smartphones make payments simply by swiping or tapping them in front of compatible readers. Meanwhile, Square and Intuit’s GoPayment services rely on credit-card readers that plug into audio jacks. Square in particular is thriving: Jack Dorsey’s two-and-a-half-year-old startup made headlines again this week when it raised $100 million at a $1 billion valuation.
At this point, it’s easier to glean the broader, more immediate benefits of such services. With Square and GoPayment, any merchant can handle digital payments without having to shell out hundreds of dollars for a traditional credit card transaction machine. And services like Google Wallet may mean you never have to carry around plastic again. Beyond that, however, there are longer-term possibilities for mobile payments that are especially tantalizing:
1.) Real-time feedback.
It can take up to two weeks for merchants to receive feedback as to how well a plain-old paper coupon performed with customers. With Near Field Communications (NFC), feedback from smartphones could be instantaneous, richer and more detailed. Lars Skari, who heads Infosys’ banking and capital markets group, said merchants and marketers can parse through available data on coupon purchases hour-by-hour, examining overall coupon adoption rates over time. That information would allow them to adjust coupon discounts on the fly.
2.) Tapping the GPS
Assuming consumers can opt in and tweak privacy settings to their hearts’ desire, the smartphone’s GPS could add a new level of location-sensitive features.
Earlier this year, Stephanie Tilenius, Google’s VP of Commerce, suggested that NFC could make everyday life easier: If you find some jeans in a Gap (GAP) store but they’re out of your size, a scan of your smartphone can make sure a pair will be sent to you.
Skari offers a more detailed example. When a shopper walks into the supermarket, his smartphone could receive a customized shopping list based on his shopping history there. As he walks down an aisle looking for say, frozen pizza, he’ll receive coupons for them. Other supermarkets could try to entice him through their doors by modifying their coupons and offering deeper discounts. If users plug in their social accounts, they get even more information, such as what their friends recently purchased or which brands they recommend.
3.) An easier banking experience
Services like Google Wallet likely won’t upend the business models of commercial banks, but could alter the way customers interact with them.
Already, Google Wallet promises to make plastic obsolete. Skari suggests the next logical step would be for such services to handle billing payments as well, acting as an intermediary between banks and customers and providing a simple, clean user interface that lets them interact seamlessly.
Sound far fetched? Maybe, but given that these companies all excel in providing painless user experiences, it’s a possibility. “Companies like your Google, Mint, Square and others are coming from more of a true retail environment,” says Skari. “They’re starting to make inroads into that very important customer segment” of consumers under 30.
Square COO Keith Rabois supports that assertion — at least with regard to his company — claiming that the startup has a 95% chance of one day becoming more valuable than eBay’s (EBAY) PayPal and a 50% chance of becoming more culturally relevant.
“We are not limited to just e-commerce,” he said. “We enable real world payments, which is a much bigger market and is more valuable.”


All aboard the processing train

Most consumers never think about the complex world of payment processing when they swipe bankcards at the POS. As long as transactions are approved, that’s good enough for them. Most merchants are probably the same way. They don’t want to be bothered with all that jazz about network routing and clearing functions; they just want to see that money end up in their bank accounts.

A seven stage journey

The typical electronic transaction undergoes seven stages from the time a payment is initiated at the POS to the time the merchant’s account gets credited for the purchase. The seven stages are: authorization, merchant balancing, capture, clearing, interchange, settlement and merchant payment/automated clearing house (ACH).

To understand the process, it is helpful to picture a transaction as a train traveling over various sets of tracks. In fact, you will often hear how a credit card transaction goes over the Visa Inc., MasterCard Worldwide, Discover Financial Services or American Express Co. “rails,” alluding to that old-fashioned, proprietary transportation network known as the railroad.

1. Authorization

When a payment card is swiped or otherwise presented at the POS, the terminal or e-commerce website collects cardholder data, such as the cardholder’s name, card number, card brand and transaction type (a PIN or signature debit transaction, for example). When the train leaves the POS station, it is carrying that little packet of cardholder information.

The train travels down “rails” to a processor (which is often the acquirer) that reads that packet and reroutes the train down another set of tracks to the corresponding card brand. In the case of MasterCard and Visa, the card brand then forwards the train by yet another set of tracks to the bank that issued the card. (Discover and AmEx have typically issued their own cards.)

At the issuer, the contents of that packet are analyzed to verify the legitimacy of the transaction – that the cardholder name matches up with, for example, the PIN entered at the POS, that the card has not been reported lost or stolen, and that the cardholder’s account has a sufficient balance to cover the cost of the transaction.

Once that information is confirmed, the issuer routes that train now carrying that transaction’s authorization code back through the card brand, which returns that virtual locomotive back to the processor, which reroutes it back to the merchant’s POS system, where the sale is finalized.

However, if back at the card issuer that packet contains information that doesn’t jibe (for instance, the cardholder name and PIN do not match, or the account balance is insufficient to cover the transaction), then a denial message is sent and the transaction is declined at the POS.

Whether the transaction is approved or declined, it is here that the processor stores the transaction. Transactions are stored just in case a consumer disputes a charge, for example, in which case the chargeback process ensues.

That first authorization step comprises the “front-end” of processing. The function is performed in real time, which may last from a sub-second up to approximately five seconds, depending on the complexity of the transaction.

The remaining six steps make up what is commonly termed “back-end processing.”

2. Merchant balancing

Merchant balancing is defined as the process of reconciling transactions, usually at the end of a 24-hour business cycle, by closing out a batch of transactions at a terminal and sending them off in encrypted format to the processor for back-end processing.

3. Capture

Capture means converting authorization codes into billable transaction records within a batch for the subsequent clearing and settlement of the transactions.

4. Clearing

Clearing involves the processor performing risk management procedures on the transactions to flag potentially illegitimate ones, then submitting the “good” transactions via the respective card brands’ rails for interchange processing.

5. Interchange

This is where the card brands break up the transaction amounts into percentages (based on numerous rate categories for card types and other factors) to be routed to the appropriate card issuers, acquirers, processors, ISOs and merchants. This is also the stage where card brands sort transactions by bank identification number (BIN) and route the transactions to the appropriate issuers for posting to cardholders’ accounts.

6. Settlement

At this stage, the process of transferring funds for sales and credits between processors and issuers is accomplished.

7. Merchant payment/ACH

In this final step, processors make deposits into merchants’ accounts to reimburse merchants for sales completed way back in stage one. The deposits typically include the total amount of sales less the amount of credits/returns and the discount rate (interchange plus processing and other fees).

In some cases a merchant may use one provider for front-end processing and another for the back-end function.

The combined front-end and back-end processing of any payment is referred to as the payment’s “life cycle.”

Tracking payment types

The preceding explication of the payment process only scratches the surface of its complexity. However, it may come as a surprise that the five basic payment types – credit, debit and prepaid cards, as well as checks and ACH processing – do not add greatly to that complexity.

Credit and debit cards are usually processed over separate rails, but are very similar in how they are actually processed, according to Steve Mathison, a Vice President in Product Management at the industry’s largest acquirer, First Data Corp.

“From a pure transaction processing and switching capability perspective, there’s not a lot of difference,” he said. “What happens on the Visa/MasterCard or the bank side, the biggest difference is, well, the bank giving the consumer a loan or are they drawing those funds directly out of a bank account.”

Prepaid cards are processed basically the same way as credit and debit cards, but with a twist. “What’s different is on the issuer’s side – how they hold those funds,” Mathison said.

“[Prepaid] is not a loan, and it’s not withdrawing from a DDA [demand deposit account] – ‘I’ve actually collected and I’m holding a liability that I owe to the consumer that the consumer redeems from time to time by going to a merchant.’ So the style of how the issuer handles it is the biggest difference,” he added.

Checks are processed similarly to the above card payments, Mathison added. After the data on the check (magnetic ink character recognition line information, the signature, etc.) is captured via a check reader at the POS, it becomes “just another electronic transaction,” he said. The processor recognizes the transaction is a check and then usually routes it over the ACH network, Mathison noted.

The ACH, which began in the 1960s as a way for banks to facilitate recurring consumer credit payments (such as payroll and retirement benefits) and recurring consumer debits (payments of insurance premiums and utility bills, for example), has been expanded to include person-to-person money transfers and decoupled debit payments.

The main difference between a credit/debit/prepaid card payment and one that travels over the ACH is where the transactions are routed.

While a credit transaction would be routed through a card brand, an ACH payment is funneled through the U.S. Federal Reserve banking system, where money is transferred directly from one bank account to another, according to Mathison. Person-to-person payment via PayPal Inc. accounts is one example.

Function junction

Among the top electronic funds transfer (EFT) networks over which debit cards run are First Data’s Star Network, Discover’s Pulse, Visa’s Interlink, the NYCE Payments Network LLC and MasterCard’s Maestro.

Among the top acquirer/processors that connect to those networks are First Data, Chase Paymentech Solutions LLC, Elavon Inc., Fifth Third Processing Solutions, Global Payments Inc. and Heartland Payment Systems Inc.

At processing’s front end, the connection between the POS device, or online gateway, and the processor must be seamless. Greg Chapman, Chairman of gateway provider PaySentinel LLC, said that connection is like a “light socket plugged into a wall. The switch goes off and on.”

To send transactions to the processor, data must be configured according to certain specifications. 1stTransaction Corp.’s TransactionX is POS software that runs on Microsoft Corp.’s Windows operating system for PCs. Rich O’Brien, founder and Chief Executive Officer at 1stTransaction, said each processor wants the card data formatted differently.

“The idea of taking data…and moving it into a format that’s applicable to each of the different platforms, it takes a little bit of work to make sure everything works,” he said. “And it has to be certified because it has to be repeatable.”

For example, processors require transactions coming from restaurants to have different information from transactions coming from gas stations, O’Brien said; a transaction from a restaurant needs a separate data field for tips while a transaction from a gas station requires a field for the type of gasoline pumped.

Another example would be an airline ticket. Mathison said the front-end authorization of an airline ticket may include the card number, expiration date and limited track data; but, in the settlement phase, flight and ticket numbers are included in the data.

A switch in time

A core function at the processor level is analyzing the transactions received from POS devices for such things as transaction type and card brand and then routing them to the appropriate entities. The combination of hardware and software that analyzes that information and routes it over the right network is called the “switch.”

David Bergert, Technology and Development Director at Dallas-based payment system manufacturer On-Line Strategies Inc., said a switch is either a “full tower computer or a highly available set of servers with specialized software optimized for online transaction processing.”

Once a switch receives a transaction arranged in a certain processor’s “message format,” the switch’s logic engine analyzes the different data fields in order to route it. “A lot of the switching algorithms are based on BIN-based routing,” Bergert said. “They look at the first one to six digits of the card to determine what the card type is. If it’s ‘5’ it goes to MasterCard; if it’s ‘4’ it goes to Visa; if it’s ‘6011’ it goes to Discover; if it’s ‘37’ it goes to AmEx.”

Like the processors, the card brands also have individual specifications for how they want card data formatted, Bergert added. So the switch does what is called “message translation” and sends along a “new” message to the card brands, he said.

Many factors play into how fast a transaction moves through a switch, including computer processing power and the physical age of the hardware, Bergert noted. But he also pointed to a transaction’s “external duration” as also affecting processing speed.

For example, it may take a shorter or longer time for a transaction to get through the authorization stage, depending on how much fraud control the issuing bank applies to a transaction. It might take longer if the bank performs velocity controls (the frequency of transactions within a given time period that involves a particular card or a particular cardholder’s name, for example) on a transaction to determine if it is valid.

“A lot of it depends on the amount of logic that the issuing bank determines it needs to do on each transaction that comes through,” Bergert said.
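The two mechanisms described above, BIN-based routing at the switch and velocity controls at the issuer, shown together as an added Python example (not code from the article or from any processor). The prefix table holds only the four prefixes quoted above and is searched longest-prefix-first, which generalizes to full BIN tables; the 3-in-60-seconds threshold, the HMAC key, the masking format and all function names are assumptions, and the card numbers are publicly documented test numbers.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import Optional

# Prefixes quoted in the article; a production switch loads a full BIN table.
ROUTES = {"4": "Visa", "5": "MasterCard", "6011": "Discover", "37": "AmEx"}
MAX_PREFIX = 6  # "the first one to six digits of the card"


def route(pan: str) -> Optional[str]:
    """Return the network for a card number, matching the longest prefix first."""
    digits = pan.replace(" ", "")
    if not digits.isdigit():
        raise ValueError("card number must contain digits only")
    for length in range(MAX_PREFIX, 0, -1):
        network = ROUTES.get(digits[:length])
        if network:
            return network
    return None  # no rail for this prefix


def mask(pan: str) -> str:
    """First six and last four digits only, so logs never hold a full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_key(pan: str, key: bytes) -> str:
    """Keyed hash used as the velocity-table index instead of the raw number."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class VelocityCheck:
    """Sliding-window count of authorization attempts per card."""

    def __init__(self, max_txns: int, window_seconds: int):
        self.max_txns = max_txns
        self.window = window_seconds
        self._attempts = defaultdict(deque)

    def allow(self, key: str, ts: float) -> bool:
        attempts = self._attempts[key]
        # Drop attempts that have aged out of the window.
        while attempts and ts - attempts[0] >= self.window:
            attempts.popleft()
        # Declined attempts are counted too, so repeated retries stay blocked.
        attempts.append(ts)
        return len(attempts) <= self.max_txns


def process(txns, velocity: VelocityCheck, key: bytes):
    """Route each (pan, timestamp) pair and apply the velocity control."""
    results = []
    for pan, ts in txns:
        network = route(pan)
        if network is None:
            verdict = "reject: no route"
        elif velocity.allow(card_key(pan, key), ts):
            verdict = "forward"
        else:
            verdict = "decline: velocity"
        results.append((mask(pan), network, verdict))
    return results


# Constructed sample traffic: (test card number, seconds since start).
SAMPLE = [
    ("4111111111111111", 0),
    ("4111111111111111", 5),
    ("4111111111111111", 9),
    ("4111111111111111", 12),   # fourth attempt inside 60 s
    ("6011111111111117", 13),
    ("9000000000000000", 14),   # prefix not in the table
    ("4111111111111111", 80),   # earlier attempts have aged out
]

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: a real key comes from an HSM or KMS
    for row in process(SAMPLE, VelocityCheck(3, 60), demo_key):
        print(row)
```
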

Another factor is the size of the data packet itself. On-Line Strategies builds special switches to facilitate pharmaceutical payments.

Bergert said because such payments involve adjudication, the process for determining which purchases at mixed-use retailers are covered by health insurance plans, the card data includes insurance information, which makes the size of the “message” a hundred times larger than the size of an average 200 byte-size transaction.

Processing of such transactions can take up to five seconds, where a standard financial transaction takes a millisecond, he added.

Payment pros, like merchants and consumers, are guilty of taking for granted the payment infrastructure that allows modern commerce to occur.

It may be enough to know that the system works. But when you take the time to investigate how, you gain a deeper appreciation for the ingenuity that went into its construction. We have come a long way, indeed, when we think a transaction is slow if it takes all of five seconds to complete.


Twenty One Credit Card Fraud Prevention Tips:

1. Keep an eye on your credit card every time you use it, and make sure you get it back as quickly as possible. Try not to let your credit card out of your sight whenever possible.

2. Be very careful to whom you give your credit card. Don’t give out your account number over the phone unless you initiate the call and you know the company is reputable. Never give your credit card info out when you receive a phone call. (For example, if you’re told there has been a ‘computer problem’ and the caller needs you to verify information.) Legitimate companies don’t call you to ask for a credit card number over the phone.

3. Never respond to emails that request you provide your credit card info via email — and don’t ever respond to emails that ask you to go to a website to verify personal (and credit card) information. These are called ‘phishing’ scams.

4. Never provide your credit card information on a website that is not a secure site.

5. Sign your credit cards as soon as you receive them.

6. Shred all credit card applications you receive…

7. Don’t write your PIN number on your credit card — or have it anywhere near your credit card (in the event that your wallet gets stolen).

8. Never leave your credit cards or receipts lying around.

9. Shield your credit card number so that others around you can’t copy it or capture it on a cell phone or other camera.

10. Keep a list in a secure place with all of your account numbers and expiration dates, as well as the phone number and address of each bank that has issued you a credit card. Keep this list updated each time you get a new credit card.

11. Only carry around credit cards that you absolutely need. Don’t carry around extra credit cards that you rarely use.

12. Open credit card bills promptly and make sure there are no bogus charges. Treat your credit card bill like your checking account — reconcile it monthly. Save your receipts so you can compare them with your monthly bills.

13. If you find any charges that you don’t have a receipt for — or that you don’t recognize — report these charges promptly (and in writing) to the credit card issuer.

14. Always void and destroy incorrect receipts.

15. Shred anything with your credit card number written on it.

16. Never sign a blank credit card receipt. Carefully draw a line through blank portions of the receipt where additional charges could be fraudulently added.

17. Carbon paper is rarely used these days, but if there is a carbon that is used in a credit card transaction, destroy it immediately.

18. Never write your credit card account number in a public place (such as on a postcard or so that it shows through the envelope payment window).

19. Ideally, it’s a good idea to carry your credit cards separately from your wallet — perhaps in a zippered compartment or a small pouch.

20. Never lend a credit card to anyone else.

21. If you move, notify your credit card issuers in advance of your change of address.

If you suspect credit card fraud:

If your credit cards are lost or stolen, contact the issuer(s) immediately.

Most credit card companies have toll-free numbers and 24-hour service to deal with these emergencies — they are eager to avoid credit card fraud.

According to US law, once you have reported the loss or theft of your credit card, you have no more responsibility for unauthorized charges. Further, your maximum liability under federal US law is $50 per credit card — and many credit card issuers will even waive that fee for good customers. 

If you follow all these tips, it will go a long way in protecting you from credit card fraud.

Secrets of a former credit card thief

We’ve all heard the standard tips about preventing identity theft and credit card fraud. But what would a real identity thief tell you if he had the chance? Dan DeFelippi, who was convicted of credit card fraud and ID theft in 2004, says simply this: You can’t be too careful.

DeFelippi, 29, mostly made fake credit cards with real credit card information he bought online. “I would make fake IDs to go with them, and then I’d buy laptops or other expensive items in the store and sell them on eBay,” he says. DeFelippi was also involved in several other kinds of scams, including phishing schemes that exploited AOL and PayPal customers. Committing credit card fraud is still “ridiculously easy to do,” he says. “Anyone with a computer and $100 could start making money tomorrow.”

After his conviction, DeFelippi faced eight years in prison, but under a plea deal he agreed to community service and to pay back more than $200,000 in restitution. He also worked for the U.S. Secret Service, helping to infiltrate the online underground and training agents in the latest fraud techniques. His help led to the arrests of five to 15 people over two years. Today, he’s a Web developer at a graphic design company in Rochester, N.Y. He agreed to take an hour with CreditCards.com to share his story and his top tips on how to protect yourself.

CreditCards.com: How did you get started?
Dan DeFilippi:
When I was in middle school and high school, I was into what I would call innocent hacking. I wasn’t trying to be malicious or make money. I was just interested to see what I could do. In college, I started selling fake IDs to make a little extra money. I was pretty active in online chat rooms where people would talk about this stuff, and I began to realize there was a whole world of credit card fraud where I could make a lot of money with very little effort. From there, it was just a huge downward spiral.

CreditCards.com: You said you bought credit card data online. Tell me about that.
DeFilippi:
Every credit card has a magnetic stripe on the back with data on it. There are people out there who hack into computers where that data is being stored. There are also people like waitresses and waiters with handheld skimmers who steal the data that way. Then they sell the data online. I’d pay $10 to $50 for the information from one card. Then I’d use an encoder to put that data on a fake card, go into a store and purchase stuff.

CreditCards.com: Do identity thieves like some credit cards better than others?
DeFilippi:
Well, a lot of American Express cards have no set limit, so you’d be able to buy a lot more. However, the downside is that a lot of merchants require more security for American Express than for other cards. They may ask you to enter the four-digit code on the front of the card or your ZIP code. That information usually isn’t in the magnetic stripe information. So if a card is skimmed, if someone has its magnetic stripe information, they would still need the number on the front or your ZIP code to commit fraud.

CreditCards.com: What about debit cards?
DeFilippi:
I always recommend against them. With debit cards, it’s your real money in your bank account you’re playing with. So if someone gets your debit card information and uses it, your cash is gone until you fill out a lot of paperwork and persuade the bank to give it back to you. Credit cards are much better at protecting you against fraud. And if you’re worried about debt, you can always pay them off every month.

CreditCards.com: What’s your No. 1 tip on how consumers can protect themselves?
DeFilippi:
You’ve probably heard this before, but the most important thing really is to watch your accounts. And I don’t mean just checking your statement once a month. If you’re only checking your statement once a month, someone can start using your card at the beginning of the billing cycle, and they can do a lot of damage before you catch it. You’re talking thousands of dollars, and it will be a lot harder to catch them and dispute it. I use Mint.com, which is a free aggregation service that allows you to put all your accounts on there and monitor everything at once. I check that every day. It’s also a good idea to check your credit report at least twice a year to make sure no one has stolen your identity.

CreditCards.com: Is online shopping safe?
DeFilippi:
You’ve got to be careful. It is really easy to create a fake online store or to create a store that sells stuff, but its real purpose is to collect credit card information. I’d try to stick to reputable sites or at least to sites that have reviews. A lot of times they’ll create these stores that sell things that are widely searched for at prices that are incredibly low. If a deal is way too good to be true, it’s probably a scam and they just want your information. The more information a website asks for, the more you need to be certain that this is information they really need and it’s a legitimate site. Also, don’t buy anything from somebody e-mailing you, no matter how good the offer sounds. If a company is sending you an ad through e-mail and you’ve never heard of the company, don’t buy anything from them.

CreditCards.com: How did your phishing scams work?
DeFilippi:
People are much savvier now. Back when I started, it wasn’t that common. I was getting thousands and thousands of responses from single mailings. The first one I did, I targeted AOL users, because I thought they would be less computer literate and more likely to fall for my scams. We said, “Your credit card information has expired. Come to this site and update your information or your account will be closed.” I did something similar with PayPal. I sent an e-mail that said, “Someone has accessed your account. We’ve locked your account. Please click here to access your account.” We’d link them to a fake website and they’d give us their PayPal log-in information. Then we’d say, “For security purposes we’ve removed your account information. Please re-enter it.”

CreditCards.com: Where did you get the e-mail addresses for your phishing schemes?
DeFilippi:
There’s software that allows you to harvest them from anyone who has posted their e-mail addresses online, so don’t ever put your e-mail address on a website. If I was targeting a specific group, I’d try to find e-mails for that group. For the PayPal scam, I was trying to find people around my age or younger, so I targeted colleges and universities. I looked for ones in Massachusetts because I could make fake IDs from Massachusetts. As part of the scam, I’d get their date of birth, address, Social Security number and driver’s license number. Then I could make a fake ID that had all accurate information on it. The only thing that wouldn’t be real would be my picture. It’s kind of scary how much information I could get.

CreditCards.com: What other mistakes do consumers make on the Web?
DeFilippi:
When you’re using your computer online, it’s sending data back and forth between your computer and website. If someone gains access to that connection — it’s called sniffing — they can capture the data between you and the website you’re communicating with. That’s the reason it’s so important to access secure websites if you’re putting in any sensitive data, so look for “https” in the Web address. A more recent issue is the free wireless offered all over the place. If you’re using an open Wi-Fi connection, you should pretty much have the expectation that there is no security.

CreditCards.com: What steps do you take to protect your own data online?
DeFilippi:
All financial services companies have two-factor authentication. So you typically have to put in a password plus something else. A lot of banks use questions, but that can actually give you a false sense of security because you can find out a lot of information about people online. So maybe this is extreme, but for those questions, I make up stuff. I don’t put in my real information. For example, a common question is: “What city were you married in?” Well, I’m not married, but I’ll answer that question so there’s no way anyone could possibly know the answer. I try to make sure at least one of the questions has a made-up answer.

CreditCards.com: What’s your advice on using ATMs?
DeFilippi:
ATM skimming is the big thing right now because it’s cash, and cash is king. Basically, that’s where someone puts a card reader on the ATM machine, captures your PIN, then goes and drains your bank account. The skimmer device goes over the card slot, and it’s designed to look like part of the ATM. Some of the equipment now is very good and it’s hard to tell the difference between that and a real machine. So what you need to do is try to use the same ATM every time, and watch out for anything on the machine that looks out of the ordinary, especially something stuck on the front where you put your card in. Generally, I like to use ATM machines at banks rather than convenience stores or a bar or club. There have been incidents where thieves installed their own ATM machines in places with skimmers inside them. That’s much less likely to happen at a bank.

CreditCards.com: Is there more the banking industry could do to protect us?
DeFilippi:
The biggest thing they could do is get away from using magnetic stripes. They aren’t that secure and anyone can get a magnetic stripe reader (a skimmer) for $5 to $10. The smart chips that are widely used in Europe and internationally are much more secure and harder to hack. They offer near 100 percent protection against fraud, at least from a skimming point of view, and they also require a PIN. But the credit card companies have done the math. They think people will use their credit cards less often if they had to put in a PIN. It might eliminate a lot of the fraud, but there would be less card use and they would end up losing money. So they’re actually doing just the opposite, moving to a system where you can just have your credit card in your pocket — you don’t even have to swipe it to use it. The problem is, that’s very unsecure. Anyone with equipment can sit out in their car and pick that up.

CreditCards.com: How did you end up getting caught?
DeFilippi:
I went to Best Buy with a guy I was working with locally to buy a laptop, and the manager there was pretty well trained. When he swiped the card, he asked for my friend’s ID. Most stores don’t ask for ID. My friend gave him his fake driver’s license, but then when the manager swiped the credit card, it came up “Call for authorization.” A call for authorization, if you’re trying to commit credit card fraud, is really bad; it means the credit card company has seen suspicious activity. The manager said he needed to go to the front desk to finish processing the order. As soon as he left, we walked as quickly as possible to the exit and left the store. The problem was, my friend had given the manager his fake ID with his picture. They ran it on the news and caught him. He told them the whole story, so they ended up catching me, too. I really was better off getting caught when I did. I was lucky I didn’t go to prison. Under the guidelines now, I’d probably have to serve at least two years. So anything I can do to help people now, to help compensate for what I’ve done, I’m trying to do.
