
Credit Cards breaking terminals.

Status
Not open for further replies.

DTSMAN

Technical User
Mar 24, 2003
1,310
US
This came down the pipe from Radiant, but they are not the only ones being affected. There was a larger article on this, but this is the gist of it.


"This hardware announcement covers important information regarding a new marketing and security technology introduced into credit and debit cards. This new technology incorporates a metallic coating security hologram over the magnetic stripe on the back of credit and debit cards.
It is causing Electro Static Discharge (ESD) on some MSR credit card readers. The resulting ESD can disable the MSR and require a reboot of the Point-of-Sale (POS) terminal."


Bo

Kentucky phone support-
"Mash the Kentrol key and hit scape."
 
Thanks a lot for passing that along, Bo. I'll keep my eye out.
 
Yeah, most common culprit is the new AMEX cards w/ holograms. They are killing MSRs left and right.
 
Found this article online about this that gives more info.

Visa Warns Issuers On 'Holomag'
SAN FRANCISCO (03/16/06) -- Visa USA is recommending its members immediately stop issuing cards with the holographic magnetic stripe image due to problems when the card is swiped at the point of sale. The card can create a static discharge that causes a payment terminal to reboot. The static problem has been reported in areas of low humidity, such as the Southwest, Iowa and Minnesota. Visa began promoting the holographic mag-stripe in January as part of its redesign of its logo. A dove image appears as a hologram across the mag-stripe on the back of the card. As many as 20 million of Visa's 500 million cards in the U.S. could be impacted. Visa is considering compensating issuers that reissue the cards with the holographic mag-stripe. Visa began hearing of the problem several months ago in Europe.


These people implemented all these new rules for us POS providers to follow but didn't bother following any of the encryption rules themselves and they got hacked and lost a ton of personal information. How did I find out? I woke up yesterday 750 dollars over-drawn.







Bo

Kentucky phone support-
"Mash the Kentrol key and hit scape."
 
Bo, could you please give a link to this story, or tell me where you found it?
I couldn't find it.
Thanks
 
Bo, I'm a little confused by your statement: "...These people implemented all these new rules for us POS providers to follow but didn't bother following any of the encryption rules themselves and they got hacked and lost a ton of personal information. How did I find out? I woke up yesterday 750 dollars over-drawn."

Encryption has nothing to do with the hologram problem and "these people" (I'm assuming you mean the card associations) were not the cause of the breach you referenced -- a third party processor was and third party processors don't make the rules; they only abide by them or ignore them depending on the ethics of the processor.

Steve Sommers
Shift4 Corporation --
Creators of $$$ ON THE NET(tm) payment processing services
 
But the breach referenced was a third party processor, not Visa or MasterCard. Visa was "working" with the processor to determine the extent of the breach -- as well as the fine to be levied.

Steve Sommers
Shift4 Corporation --
Creators of $$$ ON THE NET(tm) payment processing services
 
end user - person with the card who pays fees and interest
merchant - person allowed to accept cards for a fee plus a percentage of their sales
third party contractor - someone who processes the credit cards for them for a fee. Kind of like when your general contractor subs out the plumbing on a job. You hold the general contractor responsible not the plumber, because the plumber performs his services on behalf of the general contractor.
When BJs wholesale screwed up they were all over them. When the restaurant chain Cameron Mitchell screwed up they pointed the finger again and called for change. They are not pointing the finger in this case because it will come back on them. I know you're a bit defensive, because your company sells and develops credit card processing software. The rules these guys have to follow are changing drastically every year. I am willing to make a guess that 20yrs from now, the credit card industry will not resemble the credit card industry of today. Either, they are going to control the global economy, or stiffer regulations will continue to be implemented to control.
I used to not pay much attention to this side of the industry, until on two different occasions I had to sit down with customers that asked for my help in comparing their CC invoices to their POS batches and trying to find where the differences are coming from. That is when I learned about BS fees, and those end users that think they get free paper for their printers aren't; it is disguised as a fee.
I am done ranting, and done posting on this topic, (at least for a while [bigsmile]). I'm sure I could be wrong but it is just my opinion and position, and hopefully others who read this thread may not concur but read it and be enlightened on things they might not be aware.
With your credit card software, do you get a monthly kickback? Just curious.


Peace Out [peace]

Bo

Kentucky phone support-
"Mash the Kentrol key and hit scape."
 
I wouldn't take it personally Steve, especially if you're not associated with VISA directly. But the general consensus among those of us out in the field is that they are making this up as they go along, and even they aren't sure what's going on--in the meantime, scaring the hell out of everyone and threatening everybody with fines. We even had a consultant (whose job it was to explain and CISP/PCI compliance) come to our annual reseller meeting, and even they seemed unsure about what the rules meant, and their implementation and impact.

Though I understand some of the responsibility should fall on the merchants and POS companies--and that the government is partially behind this---it does feel like VISA is in the process of making it anybody's fault but their own, trying to recoup their losses.

Mark my words, this will be fought out in court. Eventually, they'll try to fine somebody who has questionable liability in a breach (according to their shady guidelines) and enough money to challenge them. I think that's when the rules will take a more formal and official shape.

 
Akamai, I fully agree, the card associations are making it up as they go and there is A LOT of confusion in the industry. Last September, we held a security summit and had representatives from VISA, MasterCard, AMEX all together in an open forum session and many of the topics that our merchants were bringing up had no answers -- they didn't have a clue on how their own rules affected merchants or if fines would be assessed under various situations.

We do quite a bit of hotel processing business with adv. deposits, check-in's and check-out's, etc. A big topic that could not be answered was travel agents. They work on behalf of the hotel (technically) but if a breach happens within one of the 20,000 or so travel agents (which is very likely), who is liable and who will get any assessed fines? (Even though in many cases, the hotel never sees the credit card info nor do they have any idea how secure or insecure these agents are).

Basically, my point is yes, they are making it up as they go. In their defense, much of the entire security industry could be classified as "making it up as they go" -- as the hackers change tactics, so must the defenses. Where I believe they are failing is that one hand is trying to be the security experts and cops of the industry while the other hand does not want to put real teeth in their rules for fear of alienating merchants and losing business. Fines are a good example. VISA several times clarified at our summit that VISA does not fine merchants, VISA fines member banks -- and that's as far as they went. But what this means is that each member bank can interpret the rules and define their own rules and enforcement policy. Net result: Confusion, confusion, confusion.

Back to Bo, I'm not taking it personally. My only issue is the thought that the card associations and third party processors are one and the same. In reality, VISA in particular, didn't even recognize the existence of third party processors. As far as they were concerned, there were member banks (the "in" crowd) and everyone else (or in their case, no one else). The card associations define rules that everyone in the mix, including third party processors, must abide by, but they are different organizations. Your argument is incorrect, they are pointing the finger at the third party processor in this case and they have demanded fines and called for changes. I previously quoted "working" in my previous posting. By "working", they were determining the exact failures and figuring out 1) if all the current rules were followed, 2) if new rules needed implemented (in this case, I don't believe so, the issue was a failure to follow the existing rules), 3) the real size and extent of the breach and 4) the fine and the probation period (I believe twenty years, quarterly scans and yearly onsite security audits, possibly more).

The idea that "they are not following their own rules" is incorrect -- the card associations are doing everything they can to make sure "they" are following the rules.


Steve Sommers
Shift4 Corporation --
Creators of $$$ ON THE NET(tm) payment processing services
 
Bo, sorry I missed your last question: With your credit card software, do you get a monthly kickback?

No, we get paid transaction fees directly by the merchant -- we work for the merchant, not the card associations. These fees cover 24x7x365 real-person support, 24 months of data storage for chargeback defense in addition to our gateway feature set.

Our fees are strictly transaction based on a sliding scale (cheaper with volume), not percentage of the ticket and we do not get a kick-back from any of the card associations, merchant banks or ISO's (independent sales organizations that act as a bank -- but they are not).
 