A Surreal Peek Into The Payment Data Underworld

If you’re in the mood for a truly surreal peek into the stolen payment card data market, check out this profile of a data-seller called Joker’s Stash, over at KrebsOnSecurity. This vendor’s employees, solely selling illegal stolen data mind you, “set themselves apart by focusing on loyalty programs, frequent-buyer discounts, money-back guarantees and just plain old good customer service.” Heck, it’s hard enough to get legitimate retailers to do that.

Indeed, the Bitcoin-accepting company markets itself as proudly only selling data that its own people stole, as opposed to selling what any lowlife on the street steals. And it offers limited guarantees: “All sales are final, although some batches of stolen cards for sale at Joker’s Stash come with a replacement policy — a short window of time from minutes to a few hours, generally — in which buyers can request replacement cards for any that come back as declined during that replacement timeframe.” Even their loyalty program is better than that offered by some large retailers.


Class Action Merchant EMV Lawsuit Could Make The EMV Transition A Lot Messier

EMV has always delivered more than its fair share of headaches and surprises—and this week even has the MasterCard CEO doing some EMV griping of his own—but a class action lawsuit filed last week is raising yet another troubling EMV question. Is the liability shift appropriate if merchants have done everything in their power to embrace EMV? If backlogs from the card brands are why a merchant doesn’t have an EMV greenlight, is it fair to punish them with the liability shift?

Like every payments issue, there are details to be dealt with. Did the merchant submit all paperwork in a reasonable timeframe? One can’t file 10 minutes before the deadline and then blame the backlog for a lack of approval.
Still, it’s an interesting question. And the lawsuit from B&R Supermarkets and Grove Liquors goes further than saying that the backlog was unexpected or larger than expected. The filing accuses the card brands—and other payments players—of deliberately being slow, in an attempt to push off liability costs on as many merchants as possible, regardless of their EMV efforts.


Venmo/PayPal Go Overboard On Compliance

If you’re trying to use Venmo to pay someone for sitting your Persian cat or for buying a used Persian rug, don’t actually use the word “Persian” or be prepared to wait longer. And you can thank a compliance program that is perhaps going a few steps too far.

Although opting—understandably—to be vague on specifics, the PayPal-owned Venmo responded to media reports that it has coded its systems to be on the lookout for certain words, including Persian.
“There has been recent discussion around specific keywords associated with payments within Venmo that have caused us to pause the transaction and review. We understand the frustration this may cause,” Venmo said on its blog.


FTC Launches PCI Probe. Ruh-Roh

On Monday (March 7), the U.S. Federal Trade Commission (FTC) launched a government investigation of PCI, zeroing in on potentially excessive charges, inconsistency in enforcement and rampant conflicts of interest. As famed QSA Scooby Doo would have said, “Ruh-roh.”

None of this is news to the FTC and it’s part of the reason for the investigation, which FTC is officially calling a study. “We have heard these issues,” said David Lincicum, an FTC attorney in the division of privacy and identity protection, who is the lead attorney on the study and is also managing the study. “We go into this looking to get information, to get some details about what the interactions look like.”


ExxonMobil Now Accepts ApplePay, But Rejects NFC. Bad Move

Wanting to avoid having to purchase and install NFC-friendly card readers at its stations, ExxonMobil has opted to use ApplePay but only as an in-app method, from within the petro company’s own app. Although it might make short-term economic sense from ExxonMobil’s perspective, it may be a big hit over the long term and it could damage some consumer perceptions of NFC payment convenience.

ApplePay has several solid user-experience advantages and cashiers at retailers that accept a lot of ApplePay transactions (think Whole Foods, TraderJoe’s or McDonald’s) typically find it the fastest payment experience. The service will be offered initially at 6,000 Exxon and Mobil gas stations in 46 states, with an additional 2,000 stores slated to join by this summer.


Dwolla’s $100K CFPB Security Fine Wasn’t For What It Did As Much As What It Said

Dwolla got slapped down hard on Wednesday (March 2) by the Consumer Financial Protection Bureau for a series of security violations. But due to a dearth of meaningful federal security laws, CFPB’s $100K fine of Dwolla had to follow in the footsteps of fellow federal regulator Federal Trade Commission. They can’t punish a company for what it did nearly as easily as they can punish it for not doing what it says.

That said, once Dwolla opened the door to federal investigators by boasting about its security on its Web site, every security violation discovered was fair game. Takeaway: In the same way that marketers of publicly-held companies were beaten down by senior staffers from investor relations to never say anything publicly without IR’s blessing, payment facilitators today must rein in anything involving security that even smells a little of hype. See? Our mothers were right. Boasting can deliver real problems. Once those doors were opened, according to a federal consent order published on Wednesday, security violations aplenty were found.


The Balance Move By Square Cash Could Push Square To Full Financial Services Status

When P2P app Square Cash announced a move to support cash balances a few days ago, it seemed a minor enough new capability. But as is true for so many things about Square, the fear is not what payment facilitator extraordinaire Square is today, but what Square will morph into tomorrow.

“There’s not a major impact over the short term, but a very significant potential impact over the long term,” said Rick Oglesby, senior analyst for Double Diamond Group. First, let’s briefly look at what Square Cash added.


Patent Wrap: MasterCard’s Plan To Turn An ATM Into A POS

In this week’s look at interesting payments patents issued and/or applied for, PayPal and MasterCard inventors are our payments patent people with a trio of invention applications all filed on Feb. 18. MasterCard’s filing envisions using all of those strategically placed ATMs for a lot more than cash-dispensing. This makes even more sense given that cash-dispensing will become increasingly unnecessary as in-person purchases go digital.

Meanwhile, PayPal wants to aggregate purchases from multiple merchants in one quasi-session. And MasterCard also has an idea for a way to use payment data to identify physically-proximate consumers with similar buying patterns.


PF Flint Mobile Shuts Down, Turns Business Over To Stripe

Payment facilitator Flint Mobile’s payments business was effectively shuttered on Monday (Feb. 15), seemingly a victim of a payments player coming into an already-developed market too late and with insufficiently deep pockets. The beginning of the end happened on Feb. 5, when “Flint abruptly suspended all new signups and closed all card processing for current accounts. Users who tried to process cards were met with a message saying, ‘You have exceeded your processing limits.’”

A visit to the site late on Wednesday (Feb. 17) by PaymentFacilitator.com found a seemingly active homepage, but clicking on the Sign Up Now button delivered the note “New signups suspended. We are currently transitioning to a new platform. We appreciate your patience.” Alas, it seems that patience will serve no purpose. Although it appeared that company executives, between Feb. 5 and Feb. 17, were indeed trying to find a way to keep the business going, it didn’t work out.


PCI Council’s New EMV Payment Token Rules Are Worth Reading Closely

The PCI Council in late December rolled out its security rules for token service providers for EMV payment tokens, which overwhelmingly deal with mobile transactions. Today, the card brands handle the vast majority of tokens issued, but the council expects that to sharply change now that EMVCo has released the specification. Given the importance of tokens to payment facilitators, it’s worth a read.

One of the fun things that this document does, in pure PCI Council fashion, is deliver more acronyms. Yes, these are brand acronyms. (No, no need to thank them.) One is TDE, for Token Data Environment. An important term—not an acronym yet, sadly—is Payment Token Data, which has a very specific definition: “Covers a number of discrete data elements, including the Payment Token and related data as defined in the EMV Payment Tokenisation Specification Technical Framework, which include the Payment Token Expiry Date, Payment Token Requestor ID, Payment Token Assurance Level and Payment Token Assurance Data.”
