Page 1: Transaction Trends September 2010

The Official Publication of the Electronic Transactions Association | September 2010

ALSO INSIDE: Level 4 Compliance Best Practices

Pace Slows for Startups

COVERT OPS

FS-ISAC President and CEO William B. Nelson reveals how this quiet organization strives to keep merchants safe

2010 Strategic Leadership Forum Preview »

Page 2: Transaction Trends September 2010

Focus. Stability. Trust. In turbulent times… experience becomes infinitely more important.

©2008 Elavon, Inc. All Rights Reserved.

www.elavon.com

Selecting the right payments processor has always been important. In today’s economy it is absolutely critical. Choose Elavon – a partner who is focused solely on the payments business. You can rely on Elavon to continue making the investments necessary to successfully navigate the changing payments landscape.

One World. One Source for Payment Processing...Worldwide.


Page 3: Transaction Trends September 2010


Page 4: Transaction Trends September 2010
Page 5: Transaction Trends September 2010

Transaction Trends | September 2010 | 3

The Official Publication of the Electronic Transactions Association Vol. 15 | No. 9

Transaction Trends

Cover Story

10 Covert Ops, By Julie Ritzer Ross
Every day, the Financial Services Information Sharing and Analysis Center works behind the scenes to protect the U.S. financial infrastructure. President and CEO William B. Nelson explains how.

14 The Education of Level 4, By Richard H. Gamble
The July 1 deadline has passed, but getting small merchants compliant remains tough. Experts share tips for getting them on the bandwagon.

18 Special Series: Startup Stories: Slow, But Steady, Wins the Race, By Julie Ritzer Ross
Progress cools off for our three new ISOs.

Features

20 Preview: 2010 Strategic Leadership Forum
Get an insider’s look at the high-impact, high-level discussions planned for ETA’s Strategic Leadership Forum.

Departments

5 President’s Message
Insights from ETA’s elected leader

6 Industry News
Trends, strategies, and news in the payments business

8 ISO Corner
Streamlining operations during tough times

22 Data Security
Fundamental tips for keeping merchants secure

26 Ad Index

28 Industry Insider
Ardent Giving Solutions helps nonprofits raise much-needed money

Page 6: Transaction Trends September 2010

Call today to discuss a growth plan and to schedule a visit to our corporate headquarters. Call Jim Fink @ 1.800.Cardswipe (1.800.227.3794) ext. 7800, and reference code ad3010a.

Gain More Freedom and Control

Strategic Advantages: Growth Capital; BIN Relationships; Ownership/Portability Rights; Multiple Front Ends Including Our Proprietary Front-End Platform

Competitive Advantages: OnBoard—The Ultimate Boarding and Tracking System; E-Statements—Online Merchant Statements; EVO Charge—Specialized Computer POS Software; Merchant Funding—Merchant Advance Program; Exceptional Pricing Direct

Visit us online at www.goevo.com

Account Management — View profiles down to the individual level: merchant, sales rep, and ISO office. You can view batches, transaction and settlement information from multiple front ends, and receive daily chargeback updates. Plus, full roll-up and drill-down commission performance reporting at all organization levels.

Boarding System — Single point of entry workflow management tool (front-ends/back-end/Amex/Discover). You have the power to control the workflow process.

E-Statement Access — EVO’s electronic monthly merchant statements, including statement history, are available to you through OnBoard. Our newest proprietary product!

Your Corporate Identity — Personalize OnBoard with your own graphics through a customized URL and branded OnBoard portal.

OnBoard API — Real-time programming interface to board and manage accounts. Leverage our infrastructure to automate your processes.

OnBoard is EVO’s proprietary boarding and information management system. We built an advanced infrastructure including a suite of proprietary products and services based on the needs of our partners. Our goal is to provide you with the foundation that you need to build your business. Take a closer look at OnBoard…

Give Your Business the Freedom to Grow. Partner with EVO and the ultimate boarding and data management tool built for your success.

Page 7: Transaction Trends September 2010


Electronic Transactions Association
1101 16th Street NW, Suite 402
Washington, DC 20036
202/828-2635
www.electran.org

ETA Chief Executive Officer: Carla Balakgie

ETA Director, Communications & PR: Thomas Goldsmith

Transaction Trends Publishing Office: Stratton Publishing & Marketing Inc.
5285 Shawnee Road, Suite 510
Alexandria, VA 22312
703/914-9200

Publisher: Debra Stratton

Features Editor: Angela Hickman Brady

Managing Editor: Josephine Rossi

Art Director: Janelle Welch

Contributing Writers: Brad Caldwell, Richard H. Gamble, Bryan Ochalla, Julie Ritzer Ross

Advertising Sales: Steve Schwanz or Fox Associates (800/440-0232; [email protected])

Fox Associates Offices: Chicago 312/644.3888; New York 212/725.2106; Atlanta 800/699.5475; Detroit 248/626.0511; Los Angeles 213/228.1250; Phoenix 480/538.5021

Ad Production/Billing: Carrie Wood

Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information.

The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought.

Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above.

Copyright © 2010 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.

President’s Message

Forum Focus: Idea Exchange

Our business is changing at a dizzying pace. There is much uncertainty out there: What will the broader economic outlook mean for us? How will ground-breaking payments law affect the business? How can companies not only cope, but also take advantage of opportunities and succeed? To find out, you might go to the trouble of rounding up, in one place, industry leaders and prognosticators. You might organize panels full of the best talent to discuss critical issues. You might call hundreds of people to join you, so that they could talk to you and one another to share information.

You might. But you won’t. And you need not. Because the ETA will do that for you.

We have it all worked out. We have thought about what you need to know. We have called upon those who can impart that information to you. We have encouraged thought leaders and peers to attend. And they will all be at the 2010 Strategic Leadership Forum at The Breakers in Palm Beach, Florida, October 26-28. The Forum is the only industry event that focuses participants on the strategies they’ll need to grow their companies. That makes the program unique and draws the sharpest, most successful executives there.

The meeting is where critical strategic questions are raised. The more intimate setting ensures that nothing is handed down from the stage—it’s all put on the table for discussion. Opinions are freely given. Assumptions and ideas are measured against the collective knowledge and experience of more than 300 veterans of the business.

The event brings together today’s and tomorrow’s industry leaders. They share a commitment to their businesses and our industry. They also know that to make good on those commitments, they need an informed vision that looks beyond the next quarterly report.

The topics for discussion this year are industry dynamics, technology, and critical business issues. For each topic area, Forum planners have assembled an impressive collection of speakers. Don’t miss the Forum preview in this issue of Transaction Trends. It’s worth your time to take a look at that article and get registered.

The past two years have been characterized as a turning point in the history of the payments business. Business models are changing, the underlying economics are shifting, and the road ahead is anything but clear. If you’re a regular Forum attendee, be sure to join us in October. The 2010 event promises to be one of ETA’s best. If you’ve never attended a Forum, it’s time to step up and be a part of the future of our industry. Either way, I look forward to seeing and exchanging ideas with you in Palm Beach.

Warm regards,
Holli Targan

Holli Targan is president of ETA and a partner at Jaffe, Raitt, Heuer & Weiss, P.C.

Page 8: Transaction Trends September 2010

Industry News

Restaurant and Retailer Card Sale Declines Moderate

“Main Street” brick-and-mortar retailers and restaurants experienced the 11th consecutive quarter of year-over-year credit and signature debit card sales declines, continuing a trend that began for restaurants in Q3 2008 and for retailers in Q2 2007, according to the most recent Small Business Credit Sales (SBCS) Report by Capital Access Network Inc. (CAN). Same-store card sales for Q2 2010 also dropped about 6 percent from their Q2 2009 levels, the lowest year-over-year declines since Q4 2008.

“The data indicate that businesses that have been operating for 10 to 15 years experienced less year-over-year card sales decline in the second quarter than newer businesses this quarter,” says Glenn Goldman, CAN’s president and CEO. “A bright spot also appeared in the restaurant sector. Higher-end restaurants experienced year-over-year card sales growth for the first time in seven quarters. Overall, while card sales are still declining, the trends are moderating, and if they continue, we may see card spend growth across all sectors and markets some time in 2011.”

Other highlights from the report:

• Year-over-year credit sales declines seem to be moderating. The Q2 2010 figures are consistent with the Federal Reserve’s Statistical Release, which reported consumer credit is down at an annual rate of more than 4 percent.

• For seven quarters, all size cities have experienced declining year-over-year same-store credit sales. Larger cities (populations of 1 million or more) have been hardest hit since Q4 2008.

Visa Launches MicroSD-Based Contactless System in Turkey

Customers of Turkish retail bank Akbank will soon be able to use a microSD-based mobile payments system, according to a press release from Visa Europe. The company has partnered with the bank and technology provider DeviceFidelity to bring contactless payments to Turkey and plans for further expansion.

Given that a relatively low number of mobile devices have integrated near field communications (NFC) technologies, the solution allows smartphone owners to use mobile payments features via DeviceFidelity’s In2Pay microSD card slot and Visa’s contactless technology.

The project will begin with a number of Blackberry handsets popular with Akbank’s customers and will expand to include devices from manufacturers including HTC, Samsung, LG, Nokia, and Motorola. The microSD card can be used for digital data storage as well.

Youth Cards Present Marketing Opportunity

Prepaid cards that carry network brands are gaining in popularity, but primarily as gift cards, according to Cardbeat, a research report published by Auriemma Consulting Group.

Of the 528 cardholders who participated in the Cardbeat survey, 42 percent of respondents have claimed they have received an open-loop gift card in 2010 compared with 26 percent in 2005. In particular, youth-oriented, general-purpose reloadable cards were shown as an area of potential growth for the prepaid sector; about one third of parents surveyed were receptive to the product.

“Prospect parents liked the idea of their child having a card to use in an emergency (64 percent) and felt the card offered greater security for their child than carrying cash (59 percent),” says Nancy Stahl, editor of the report. “Issuers should emphasize the security benefits and position the product as a prepaid debit card, which many consumers perceive as safer than a credit card.”

Infograph: Payment type mix: Dollar volume (Visa and MasterCard Q1 2010). Two bars, Credit vs. Debit: 45.1% / 54.9% and 54.3% / 45.7%. Source: ETA/Strawhecker Group’s U.S. Economic Indicators Q2 2010 Report.

Page 9: Transaction Trends September 2010
Page 10: Transaction Trends September 2010

ISO Corner

Recession’s Silver Lining
Rocky economy offers opportunities to introduce automation and sharpen business strategy

By Richard H. Gamble

When the recession began to take hold, many ISOs and acquirers began streamlining operations to cope. For some, however, the changes revealed new revenue opportunities and imparted lessons that will carry into future business planning.

Seizing opportunities in a weak economy, Total Merchant Services of Basalt, Colorado, expedited several projects, according to Scott Mabry, chief operations officer.

First, the company consolidated two call center work groups into one and cross-trained all call center staff to respond to any type of inquiry. This provides for “better staff utilization and reduced wait time for merchants,” says Mabry.

TMS also re-engineered its application processing work, using Lean Six Sigma methods, and now a group of four people manages the process, rather than one person processing each application. Mabry says the change cut costs by 25 percent and reduced processing time from one to three days down to as little as 30 minutes.

The company also continues to use “intelligent automation” to guide service representatives through common tasks, such as terminal swaps and account cancellations. “Now, we can process these requests in a more automated and accurate manner,” says Mabry. “What used to involve two or three people and hours, if not days, can be done in seconds, in real-time, during a phone request.

“All of the things we’ve accomplished are permanent improvements, not Band-Aids to get through lean economic times,” Mabry notes. “These are all smart initiatives that we intended to do at some point. Now we have the time and resources to get them done.”

Sharper Focus

Streamlining in a down economy for ACCELERATED Payment Technologies (APT), in Pleasant Grove, Utah, meant divesting itself of the POS software line of business to focus exclusively on being a high-tech ISO, explains CEO Roy Banks. “In a challenging economy like this one, you don’t want to be distracted with multiple lines of complementary businesses. You want to focus on what you do best and where your growth prospects are brightest and do it even better,” he says.

Because APT is now selling tools to leverage technology and reduce the traditional operating expenses incurred by relying heavily on people and paper, he figures that he’s streamlining the business to sell streamlining services to his clients. “Companies, including us, need to find new, more efficient ways to operate our businesses while we drive revenue growth,” he points out. “We’re investing heavily in technology that replaces operations procedures that don’t bring efficiencies.”

Unlike many other ISOs, APT is not burdened by a need to borrow money to fund its investments in technology or its acquisitions of other ISOs. It was bought by a private equity investor in 2008 and taken private. Among its efficiency-enhancing technology investments are a new payment gateway processing platform, customer relationship management system, and a new IP-based phone system, Banks reports.

Time to Build

If streamlining means economizing, Joyce Cook is not interested. The CEO of International Cybertrans, an ISO based in Nashville, sees the current economy as a golden opportunity to spend more money and expand the business. That’s largely due to the availability of good people at reasonable prices.

“We’re increasing our sales force. We’ve been able to hire good regional managers and support them in building sales in their territories,” she explains. “We’re interviewing and hiring aggressively and spending down cash reserves to do it,” reports Cook, the sole owner of the ISO. “Whatever we do is self-funded. Basically, I’m investing in myself. We’re not cutting back at all, and we never had to. We see the cutbacks that our competitors are making as an opportunity for us.”

In the current economy, there are better opportunities to hire managers than to hire salespeople, Cook reports. “At the manager level, there are people who want the jobs at reasonable compensation. They are willing to take less up front in order to advance a solid career with a stable company. It’s still a challenge to find competent, motivated sales reps.”

Rather than entering new markets, International Cybertrans is focused on increasing penetration in markets it has traditionally served, Cook adds. Along with expanding staff, the ISO has brought products and services it previously had outsourced in-house.

Similarly, electronic payments consultant Paul Martaus is skeptical of streamlining. “You don’t wake up in a recession and discover a need to be efficient. If you are a good business leader, you built an efficient organization and the people and processes are all justified. A lot of streamlining is gaining short-term profitability by sacrificing long-term viability,” insists the president of Martaus & Associates in Mountain Home, Arkansas.

Lay people off and double up on duties and you increase productivity on paper, but you have to worry about what isn’t being done and what damage that could cause over time, Martaus insists. “Cutting corners can be a fatal mistake.” Of course, continuing to spend money you don’t have can also be fatal, he concedes. TT

“Companies need to find new, more efficient ways to operate our businesses while we drive revenue growth.”
—Roy Banks, ACCELERATED Payment Technologies

Richard H. Gamble is a contributing writer to Transaction Trends. Reach him at [email protected].

Page 11: Transaction Trends September 2010

Comprehensive Card Based Solutions.

www.ftpsllc.com | 513.534.5160

For over forty years, Fifth Third Processing Solutions has been a premier source of payment acceptance services for leading businesses nationwide. Partnering with over 180,000 locations worldwide, no one is better suited to help with your payment processing needs.

FIFTH THIRD DIRECT(SM) | PROPRIETARY/PRIVATE LABEL PROGRAMS | GIFT CARD AND LOYALTY PROGRAMS | AGENT BANK PROGRAM | CREDIT, DEBIT AND ELECTRONIC BENEFITS TRANSFER (EBT) ACCEPTANCE

Page 12: Transaction Trends September 2010


Page 13: Transaction Trends September 2010

[ COVER STORY ]

Up Close: Covert Ops

William B. Nelson talks about the FS-ISAC, a collaborative effort of financial services companies and federal agencies to minimize data security threats

By Julie Ritzer Ross

Photo by James Kegley

Information sharing is essential to protecting the infrastructure of the financial services sector and minimizing the effects of cyber and physical attacks on and threats to financial data, according to Dulles, Virginia-based Financial Services Information Sharing and Analysis Center (FS-ISAC).

FS-ISAC was launched in 1999 by the financial services sector in response to a Presidential Directive that mandated the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the country’s critical infrastructure. The group’s mission, in collaboration with the U.S. Department of Treasury and the Financial Services Sector Coordinating Council (FSSCC), is to “enhance the ability of the financial services sector to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents, and to serve as the primary communications channel for the sector,” explains William B. Nelson, FS-ISAC president and CEO.

FS-ISAC is the designated operational arm of the FSSCC, a group of more than 30 private-sector firms and financial trade associations that works to help reinforce the financial services sector’s resilience against terrorist attacks and other threats to the nation’s financial infrastructure. The FS-ISAC assists both FSSCC and the Department of Treasury in identifying, prioritizing, and coordinating the protection of critical financial services, infrastructure services, and key resources, as well as by facilitating the sharing of information.

Transaction Trends recently talked with Nelson to learn more about the organization’s work and priorities.

Transaction Trends: How is FS-ISAC progressing against its objectives? What are some examples of recent achievements?

Nelson: While we have much work to do, we have come very far in the past few years in fulfilling both pieces of our mission. At our inception, member-to-member information-sharing was the exception rather than the rule, with many players operating under the assumption that talking about these issues would give something away to the competition. However, this is no longer the case; more and more “sources” are approaching us with information about threats or incidents within their organizations. The more diverse the sources from which we draw information, the more effective our members can be in preparing for and responding to all cyber and physical threats.

Page 14: Transaction Trends September 2010

While member education has helped to foster anonymous information-sharing, other initiatives introduced have pushed the envelope. For example, we now provide an anonymous information-sharing capability across the entire financial services industry. Upon receiving a submission, industry experts verify and analyze the threat and identify any recommended solutions before alerting members.

Just as our support of anonymous information-sharing allows us to meet our goal of serving as a sector communications hub for timely, accurate cyber and physical threat information, so, too, does our Critical Infrastructure Notification System (CINS). CINS lets us speed security alerts to multiple recipients near-simultaneously, while providing for user authentication and delivery confirmation. Moreover, it ensures that member firms are clued in on the latest tried-and-true procedures and best practices for guarding against known and emerging security threats.

Consistent with our objective to provide an effective forum for information-sharing within the financial services sector, other critical infrastructure/key resource organizations, and the U.S. government, we are engaged in a four-member pilot with the Department of Defense. The pilot is aimed at creating an information-sharing framework around the massive amount of threat signatures seen at the federal level.

As far as the push to identify and implement new services that add value to the membership, FS-ISAC recently formed an Account Takeover Task Force. The task force has three working groups that have been charged with developing and recommending tools to stop those attempting account takeovers from succeeding with their plans.

More About FS-ISACThe organization’s strategic objectives—derived from founder and federal

agency feedback—include:

■ providing an effective forum for information-sharing within the financial ser-

vices sector, with other critical infrastructure/key resource (CI/KR) organizations,

and the U.S. government;

■ offering, through subject matter expert analysis, feedback to the FSSCC and the

Financial and Banking Information Infrastructure Committee (FBIIC ) on relevant

threats, vulnerabilities, and incidents;

■ identifying critical financial services sector operational support issues and

requirements, and articulating them to the Department of Treasury and Depart-

ment of Homeland Security;

■ and serving as the sector communications hub by conveying timely and

accurate cyber and physical threat information and vulnerability/incident alerts

to its membership.

The organization also serves as the sector communications hub during emergen-

ter, and health care, were issued. Informa-tion on processes for requesting assistance, such as loans for hurricane victims, was disseminated to our constituency. We also issued special reports about economic and other impacts brought upon by the storm.

In another instance, an e-mail scam was perpetrated on retail financial services customers. Keystroke monitoring software was secretly installed on company comput-ers to capture customers’ account infor-mation. A total of 16,000 “keystroke logs” containing customer information were found on an online “dumpsite” and provid-ed to us. We provided a list of compromised accounts to member institutions. These ac-counts were legitimate and were locked by the bank to protect against fraud, and ac-count owners were notified. Involvement with FS-ISAC saved the financial institution from monetary loss. We also cooperated with the Department of Homeland Secu-rity, the U.S. Secret Service, and the FBI on the post-incident investigation.

Transaction Trends: Between Feb-ruary 9 and 11 this year, FS-ISAC conducted the Cyber Attack Against Payment Proces-

Toward the same end, we last year formed the Payments Processing Infor-mation Sharing Council (PPISC), an infor-mation-sharing forum geared specifically toward the payments processing commu-nity and its special needs. PPISC opens lines of communication and collaboration among processors, with the intention that the greater the openness and the higher degree of collaboration, the stronger the barrier against the specific threats to these industry players and the organizations they serve.

Transaction Trends: Can you share a few case studies to illustrate the role FS-ISAC has played in cyber and physical inci-dents that threatened data security?

Nelson: Hurricane Katrina, in August of 2005, represents a good example. As news of the storm’s approach became wide-spread and mandatory evacuation orders were issued, we raised the alert level for the financial services sector. In the aftermath, daily updates on the impact to the financial services community, as well as real-time in-formation on such critical infrastructures as transportation, telecommunications, wa-

Page 15: Transaction Trends September 2010

TransacTion trends | September 2010 13

sors (CAPP) Exercise. What was this exer-cise, and what spurred it?

Nelson: The impetus for CAPP was a need to achieve six strategic objectives, which, if unattained, would foster contin-ued data vulnerabilities and exposure to risk. Our first goal was to test the ability of financial institutions, card processors, business/government users, and retailers to respond to major cyber attacks against payment processes of all types. We also wanted, through an analysis of data from surveys completed by participants at the end of the exercise, to raise financial firms’ awareness of cyber threats to their enterprises, processors, and customers; recommend improvements to cyber in-cident response procedures; evaluate and develop appropriate risk mitigation recommendations in response to cyber attacks against payment processes used in the exercise; engage participants go-ing forward on the need to share threat, vulnerability, and incident information; and develop an “after-action” report to be used for workshops, webinars, and ongoing educational sessions regarding lessons learned from this endeavor.

The exercise, which was voluntary with no charge to participants, consisted of four separate components involving four separate sectors: processors, retailers, busi-ness/government users, and financial insti-tutions. Participants included processors, retailers, business/government users, and organizations from the financial sector.

We subjected each processor to a spear phishing attack directed at one of its ex-ecutives, as well as to a Distributed Denial of Service (DDoS) attack. The successful infections resulted in malware that spread through processors’ internal networks, quickly locking out enough internal and customer accounts to swamp the help desk. The networks became so ineffective that many employees attempted to work at home using their laptops, but because the laptops were infected, the problems con-tinued to spread faster than it was possible to clean up machines. On the second day, numerous “card-not-present” charges were found to be fraudulent, and it became evi-dent that an organized crime ring had sto-len enough data to manufacture working debit cards for 100 percent of the custom-ers in the processor database.

The retail attack scenario featured two independent attacks, with the first be-ginning when law enforcement issued a notification about a wave of fraudulent gift card returns. Criminal activity in this area can be difficult to detect. Point-of-sale (POS) systems were found to be compromised at the time of the fraudulent transactions.

A second attack started when accounts payable operations fell victim to a targeted spear phishing attack. Clicking a link in an e-mail made to appear as if it had been sent to a manager by a family member resulted in the loading of malicious software. The attackers subsequently gained full access to the companies’ electronic online bank-ing systems.

Transaction Trends: Based on that exercise, what should ISOs and processors—as well as their merchant customers—do to improve enterprise security and decrease operational risk?

Nelson: Both ISOs and merchants must educate their employees and customers about specific and general risks to data security, taking into account social engineering and imparting a list of computer security best practices. Building internal relationships and, in turn, engaging in cross-department event/incident sharing, is critical, as is installing dedicated, non-networked computers for accessing online banking and initiating payments.

Assessing existing information security technologies and practices and all software and hardware systems in place also ranks high on the list, along with implementing fraud detection and predictive analysis solutions. Long-term infrastructure solutions, not short-term fixes, need to be developed. Merchants must actively and consistently monitor card reversal transactions in order to truly detect fraudulent activity; instituting procedures for handling these transactions is paramount. Finally, all sectors must partner with law enforcement agencies to decrease exposure to risk and share even the smallest bits of information about possible problems. Remember that above all, knowledge is power. TT
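Nelson’s advice to monitor card reversal transactions, and the wave of fraudulent gift card returns in the retail scenario, come down to the same detection problem: returns and reversals that do not line up with earlier sales. The Python below is an added example written for this article, not part of the interview or any FS-ISAC material. The transaction fields, terminal names and thresholds are assumptions, and the log entries are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Txn:
    """One card transaction as a terminal might log it (constructed format, an assumption)."""
    ts: datetime
    terminal: str
    card_last4: str
    kind: str        # "SALE", "REVERSAL" or "RETURN"
    amount: float
    ref: str = ""    # a SALE's own reference; for REVERSAL/RETURN, the sale being undone


def analyze_reversals(txns, max_ratio=0.25, min_events=6):
    """
    Flag terminals whose reversal/return activity looks abnormal.

    Two rules, both evaluated per terminal in time order:
      * an "orphan" return or reversal references no earlier SALE seen at
        that terminal (the shape of a fraudulent gift card return);
      * the share of reversals/returns among all events exceeds max_ratio,
        once at least min_events events have been seen.

    Returns {terminal: {"sales", "reversals", "orphan_returns", "ratio"}}
    for flagged terminals only.
    """
    by_terminal = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        by_terminal[t.terminal].append(t)

    flagged = {}
    for terminal, events in by_terminal.items():
        seen_sales = set()
        sales = reversals = orphans = 0
        for t in events:
            if t.kind == "SALE":
                sales += 1
                seen_sales.add(t.ref)
            elif t.kind in ("REVERSAL", "RETURN"):
                reversals += 1
                if not t.ref or t.ref not in seen_sales:
                    orphans += 1
        total = sales + reversals
        ratio = reversals / total if total else 0.0
        if orphans or (total >= min_events and ratio > max_ratio):
            flagged[terminal] = {
                "sales": sales,
                "reversals": reversals,
                "orphan_returns": orphans,
                "ratio": round(ratio, 3),
            }
    return flagged


# Constructed sample log: one ordinary terminal (T-100) with a single
# legitimate reversal, and one terminal (T-200) issuing returns that match
# no sale it ever made.
SAMPLE_TXNS = [
    Txn(datetime(2010, 9, 1, 9, i * 5), "T-100", "1234", "SALE", 20.0 + i, f"S{i}")
    for i in range(8)
] + [
    Txn(datetime(2010, 9, 1, 15, 30), "T-100", "1234", "REVERSAL", 23.0, "S3"),
    Txn(datetime(2010, 9, 1, 10, 0), "T-200", "9012", "SALE", 15.0, "S9"),
    Txn(datetime(2010, 9, 1, 10, 5), "T-200", "4444", "RETURN", 200.0, "X1"),
    Txn(datetime(2010, 9, 1, 10, 9), "T-200", "4444", "RETURN", 200.0, "X2"),
    Txn(datetime(2010, 9, 1, 10, 14), "T-200", "4445", "RETURN", 200.0, ""),
]

if __name__ == "__main__":
    for terminal, stats in analyze_reversals(SAMPLE_TXNS).items():
        print(terminal, stats)
```

The orphan rule fires on a single event, because a return with no matching sale is suspicious on its own; the ratio rule waits for a minimum volume so that a quiet terminal with one reversal is not flagged. In practice the thresholds would be tuned per merchant category.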

Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at [email protected].

cies by delivering rapid notifications and communications to and among the FS-ISAC and FSSCC members; identifies and implements new services that add value to the membership and support the mission of the FS-ISAC; and collaborates with the Department of Treasury and the FSSCC to foster awareness of the benefits of information-sharing within the sector, among additional CI/KR organizations, and with the government. FS-ISAC also educates the financial services sector on key infrastructure protection issues, vulnerabilities, threats, risk management, and compliance issues; and coordinates with other public and private sector CI/KR organizations to ensure sector awareness and emergency preparedness.

The nonprofit organization currently has 4,200 members, including financial service firm provider organizations (among them processors and ISOs); banking firms and credit unions; securities firms; insurance, credit card, and mortgage banking companies; financial services sector utilities; and “appropriate” financial industry associations. Five membership levels are priced at $850 to $49,550 per year. Member benefits, which are based on the tier of service selected, include early notification of security threats and attacks, anonymous information-sharing across the financial services industry, regularly scheduled member meetings, biweekly conference calls, webinars, and more. Members can access threat information and news pertaining to their particular area of operation via a password-protected, customizable Web portal.


[ FEATURE]

The Education of Level 4

With a curriculum of constant communication and several high-tech tools, growing numbers of small merchants make the grade

By Richard H. Gamble

KEY NOTES

■ Now that the compliance deadline has passed, the card schemes will be less lenient, says one expert. “That was the date when excuses ran out.”

■ If software vendors will only sell and distribute compliant applications, then the merchants who use those products will not be storing card data and will be “de facto compliant,” but many legacy systems are still in use.

■ Communications supporting compliance must be multi-faceted and multi-media—using mailings, e-mail, text messages, and phone calls.

■ Too often, PCI compliance is viewed as a technology challenge when many Level 4 merchants don’t use much technology at all. It’s not their terminals or software applications that need to be fixed; it’s the way they handle cards and card numbers.

The July 1 deadline for all small (Level 4) merchants to be using PCI compliant software or be fully PCI compliant was a milestone, but not the finish line.

The deadline’s approach prompted acquirers to step up education efforts, employ creative marketing techniques, and generally encourage or mandate that their merchants comply, says Doug Klotnia, executive vice president for product and strategic sales at Chicago-based Trustwave, an information security and compliance solutions firm. “Programs that had been optional are now mandated, with fees that are automatically charged to uncooperative merchants. We’ve seen a real change in the past 18 months. The mandates now have teeth.”

Now that the deadline has passed, “the card schemes will be less lenient,” predicts Kurt Schaeffer, senior vice president of operations at Global Payments in Atlanta. “That was the date when excuses ran out.”

But a “mandate” with a firm deadline can be less definitive than it seems. “The card schemes can declare mandates and set deadlines, but if the acquirers don’t enforce them, not much happens,” Klotnia points out.

And the problem is the sheer mass of the Level 4 universe, the lack of technological sophistication among these small merchants, and the questionable economics of converting every last one of them. When you get down to really small merchants, universal PCI compliance may be cost-prohibitive, notes Donna Embry, senior vice president for strategic product development at Payment Alliance International in Louisville, Kentucky. “Go to an art fair or flea market and watch the way vendors there write down credit card numbers by hand or use a knuckle-buster to imprint the full number on a paper slip they carry around,” she suggests. “Are you really going to convert those merchants to PCI compliance?”

And how badly do you need to? Security breaches at Level 4 merchants usually occur because a person steals a card number, not because a hacker breaks into stored data, Embry explains. “It’s mostly perpetrated by employees who handle cards physically, and PCI compliance won’t stop that. You can mandate compliant software, but a lot of the compromises don’t involve software. The hackers go after the gateways and networks where there are lots of numbers.” That is where PCI compliance efforts have been properly focused, she says.

Built-In Compliance

Instead of pursuing individual mom-and-pop merchants, acquirers have found a more efficient way to attack the problem: They go after software vendors, a much smaller, more sophisticated, and more cooperative group. “If you can get the vendors to only sell and distribute compliant applications, then the merchants who use those products will not be storing card data and will be de facto compliant,” Schaeffer says.

The challenge is one of marrying Level 4 merchants with compliant software applications, which is more manageable than getting them to build a secure IT infrastructure. “Most Level 4 merchants are mom-and-pop businesses. They’re responsible for their data security, but they don’t employ software network engineers and they can’t tell you very much about the software they’re using.”

It’s relatively easy to enforce a mandate when merchants are boarded, when they change processors, or when they install new equipment provided by the acquirer, processor, or ISO, Embry says. But merchants that simply drift along within the status quo are very difficult to detect unless something goes wrong like a breach. “I’m not seeing any systematic review of all old accounts to determine compliance,” she says. “The numbers are just too great.” But when it comes to boarding new merchants, “underwriting will turn them down if they’re not using the right version of the right software.”

Even with a software focus, huge numbers of legacy applications are in use. Each vendor has multiple model numbers and multiple release numbers. “It’s an unbelievably complex task to identify them all and see whether they pass the PADSS (Payment Application Data Security Standard) test,” says electronic payments consultant Paul Martaus, president of Martaus & Associates in Mountain Home, Arkansas.

However, not every small merchant has to be converted, Schaeffer points out. “The vast majority of these merchants don’t use third-party applications. We already know what they’re using, because we provided the applications and know them to be compliant. These merchants are not a concern. The group that is a concern is a minority subset of a whole merchant portfolio.”

Communicating Compliance

Getting small merchants to meet PCI compliance standards has been going on long enough that best practices have been developed and are paying off for people like John Bartholomew, vice president of sales at SecurityMetrics, a PCI compliance and data security firm based in Orem, Utah. The first step is to get senior management buy-in at the ISO or acquirer level, he says. “The marching orders have to be clear as to which groups of merchants are to be targeted and what incentives will be used.”

Then it’s all about communication, says Bartholomew, who undertakes some of that communication on behalf of SecurityMetrics clients. “You can’t overestimate the importance of communication. It needs to be multi-faceted and multi-media.” A standard mailing or message on statements will get a low response, he says. “You have to repeat and repeat and repeat, using mailings, e-mail, text messages, and phone calls.”

But with the right messages from the ISO or acquirer and enough repetition, it can work impressively, Bartholomew says. He’s worked with one acquirer that has 3,700 merchants and 99 percent of them are enrolled in PCI compliant programs. Another acquirer has reached 96 percent. A larger one with 20,000 merchants has reached 80 percent compliance. Generally, the larger the acquirer or ISO, the more merchants will be compliant but a lower percentage of the total, he notes.

While hitting 90-some percent is exceptional, Schaeffer insists that Global’s Level 4 merchants that are not using PCI-compliant applications are now “anomalies. Nobody can be perfect, and a compliant merchant today could buy a noncompliant application tomorrow and we wouldn’t know,” he says, “but we don’t have many that are not compliant.”

The acquirers and ISOs that get above 80 percent compliance generally run at least three communication campaigns, each with multiple messages. “You run a campaign. Then you reload and run another one. Then you do it again. That’s how you get the small merchants engaged,” Bartholomew says.

In its communication campaigns, SecurityMetrics always uses the brand that merchants recognize as their card processing connection, be it an ISO, processor, gateway, or bank, Bartholomew reports, and all the messaging is determined by and comes from the ISO or acquirer.

Incentivizing Compliance

Besides repetitive communication, incentives can help to convert small merchants to PCI compliance, Bartholomew says. Generally, the incentive is notice that a fee will be charged if the merchant has not complied by a deadline.

But fees really are a minor part of the effort to achieve compliance, says consultant Cliff Gray, an associate of the Strawhecker Group. They come in several flavors and are often called non-compliance fees, but many acquirers use them not so much to compel compliance as to build a slush fund to cover expenses when a breach occurs, he explains. But “there’s no evidence that fees drive compliance,” Gray says. “Merchants whine but pay them as a cost of business. At best, they have a small impact on compliance.”

Global uses a “generic PCI fee” that most of its merchants pay, Schaeffer says, but they don’t call it a penalty fee. Global relies on persuasion, “educating them that there are serious repercussions, financial and reputational, to a breach, and that it is in their best interest to support safety and security.”

A personal interview is another tactic. In other words, sit down with the merchant to determine just what card-handling practices they’re using and what steps they need to take to comply, Bartholomew suggests. “A lot of small merchants won’t have much technical expertise. A preliminary interview allows us to classify the merchant in the right category. It isn’t always obvious to the merchant which bucket they belong in. If they pick the wrong one, they’ll go through a lot of frustration and encounter a lot of technical questions they can’t handle and don’t really need to,” he says. “It can be a hard enough process when you start with the right bucket. They often need guidance, and giving them guidance and removing roadblocks will do a lot to encourage them to comply,” he explains.

Too often, PCI compliance is viewed as a technology challenge when, in fact, many Level 4 merchants don’t use much technology at all, Bartholomew says. It’s not their terminals or software applications that need to be fixed; it’s the way they handle cards and card numbers. In this low-technology Level 4 universe, 70 percent of merchants don’t use the Internet at all for transaction processing, he points out.

Innovating Compliance

Various high-tech tools are also vying to be part of the solution. Trustwave’s TrustKeeper Agent works automatically and reports daily to the merchant and the acquirer on the status of any point-of-sale applications the merchant may have running and whether they are PCI DSS-compliant, Klotnia explains. “It will show what is not compliant and how much risk it poses,” he explains. If track data is stored anywhere on the merchant’s system, this software will reveal it. “It’s a powerful tool, much better than simply relying on self-assessment questionnaires,” says Klotnia, who adds that about 80,000 copies of the software have been installed.
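The check Klotnia describes, finding track data stored anywhere on a merchant system, is worth seeing in code because it shows why an automated scan beats a questionnaire: the merchant rarely knows a debug log or batch file is holding magnetic-stripe data. The Python below is an added example written for this article, not Trustwave’s TrustKeeper code. It looks for the Track 1 and Track 2 formats and for bare Luhn-valid 13-19 digit runs, and reports only masked card numbers. The file names and contents are constructed for the example, using well-known test card numbers.

```python
import re

# Track 1: "%B", the PAN, "^", cardholder name, "^", expiry (YYMM) and more, ending in "?".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2: ";", the PAN, "=", expiry (YYMM) and more, ending in "?".
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# A bare run of 13-19 digits not embedded in a longer digit run.
BARE_PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test; cuts false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits, the usual truncation for reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(name, text):
    """Return findings for one file's content: track data first, then bare PANs."""
    findings = []
    covered = []   # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append({"file": name, "kind": kind,
                             "pan": mask(m.group(1)), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in BARE_PAN_RE.finditer(text):
        inside_track = any(s <= m.start() < e for s, e in covered)
        if not inside_track and luhn_ok(m.group(1)):
            findings.append({"file": name, "kind": "pan",
                             "pan": mask(m.group(1)), "offset": m.start()})
    return findings


def scan_files(files):
    """files: {path: text}. Returns the combined list of findings."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


# Constructed sample file contents (paths and data are made up; the card
# numbers are published test numbers, not real accounts).
SAMPLE_FILES = {
    "pos/debug.log": (
        "2010-09-01 10:02:11 swipe ok track2=;4111111111111111=15121010000000000000?\n"
        "2010-09-01 10:02:11 order 1234567890123456 approved\n"   # fails Luhn: not reported
    ),
    "pos/batch.dat": "%B5555555555554444^DOE/JANE^1512101000000000000000?\n",
    "pos/export.csv": "INV-77,4111111111111111,19.99\n",           # bare PAN, Luhn-valid
    "pos/settings.ini": "merchant_id=000123456789\n",              # 12 digits: too short
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['offset']} {f['kind']} {f['pan']}")
```

A real agent would walk the filesystem and also inspect process memory and swap, but the three classifications here (Track 1, Track 2, bare PAN) are the ones that turn a self-assessment answer of “we store nothing” into evidence either way.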

What will really solve the PCI compliance challenge? The coming of tokenization and end-to-end encryption, insists Gray. When they are properly implemented, merchants will never see a card number. “They will be near-compliant right out the door. All they would have to do is fill out a questionnaire and they’re done.”
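To make concrete what Gray means by the merchant never seeing a card number, here is an added Python sketch of tokenization; it is not code from any vendor named in the article. The vault, the token format and the role check are assumptions, and in this simplified model the call into the vault stands in for the encrypted leg from terminal to processor. The point it demonstrates is that everything the merchant keeps (order id, token, last four digits) is useless to a thief without the vault.

```python
import secrets
from dataclasses import dataclass


@dataclass
class MerchantRecord:
    """What the merchant stores: enough for a receipt and a later refund, no PAN."""
    order_id: str
    token: str
    last4: str
    amount: float


class TokenVault:
    """
    Hypothetical processor-side service that holds the only copy of each PAN.
    Tokens are random, so they carry no information about the card number
    and the same card tokenized twice yields two unrelated tokens.
    """

    def __init__(self):
        self._pans = {}        # token -> PAN (the sensitive store)
        self.access_log = []   # (role, token, allowed) for every detokenize attempt

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token, role):
        # Only the processor role may recover a PAN; every attempt is logged.
        allowed = role == "processor" and token in self._pans
        self.access_log.append((role, token, allowed))
        if not allowed:
            raise PermissionError("detokenization refused")
        return self._pans[token]


def merchant_checkout(vault, order_id, pan, amount):
    """The swipe-to-storage path: the PAN goes to the vault, the merchant keeps a token."""
    token = vault.tokenize(pan)
    return MerchantRecord(order_id=order_id, token=token, last4=pan[-4:], amount=amount)


def record_contains_pan(record, pan):
    """True if the full card number appears anywhere in the merchant's stored record."""
    stored = "|".join([record.order_id, record.token, record.last4, str(record.amount)])
    return pan in stored


def merchant_can_detokenize(vault, token):
    """Shows the control from the merchant's side: the vault refuses the merchant role."""
    try:
        vault.detokenize(token, "merchant")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_checkout(vault, "ORD-1", "4111111111111111", 19.99)   # test card number
    print(rec)
    print("merchant can recover PAN:", merchant_can_detokenize(vault, rec.token))
```

Because the token is random rather than derived from the PAN, a breach of the merchant’s database yields nothing that can be charged elsewhere; the PCI scope collapses to the vault and the encrypted channel into it, which is the “near-compliant right out the door” effect Gray describes.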

Heartland Payment Systems of Princeton, New Jersey, which has invested heavily in end-to-end encryption and has recently rolled out its core product, is betting that encryption will be the answer to PCI compliance. “We’re seeing pretty quick uptake by merchants of all categories, including Level 4,” reports Steve Elefant, chief information officer.

Everything helps, but education seems to be helping most of all. “Merchants are getting smarter about PCI and liability,” says Gray. “Most of them want to be compliant for the right reasons, to be safe and keep the system safe.” TT

Richard H. Gamble is a contributing writer to Transaction Trends. Reach him at [email protected].


Startup Stories: A special series following three newly launched ISOs (11th installment)»

Slow, but steady, progress is the watchword for Transaction Trends’ three ISO startups. Some new initiatives are beginning to bear fruit, but at a less rapid clip than had originally been anticipated or with unforeseen complications. Yet at the same time, other efforts undertaken to bolster the bottom line and beat the competition are earning the stamp of success.

“Stops and starts are something to be expected,” says Steven Feldshuh, vice president, business development at Paymint Associates. “Any new ISO that doesn’t recognize that, and work around it, is very short-sighted.”

Earlier this year, Paymint Associates signed an agreement with UP Solution, a Hackensack, New Jersey-based hardware, software, and payment processing services provider. The agreement calls for Paymint Associates to initially market the vendor’s POS system in tandem with a value-added reseller (VAR), and to subsequently become an UP Solution VAR under the umbrella of the latter’s reseller program.

While Feldshuh believes the transition will eventually happen, the ISO is no longer in as much of a hurry to make a transition to full-fledged UP Solution VAR. “We are starting out very slowly not because of anything on (the vendor’s) end, but simply because the full process of getting merchants up-and-running on the POS system takes longer than we had thought,” Feldshuh explains. He considers merchants’ time frame for this process “drastically optimistic,” noting that proceeding through all of the necessary steps—from configuration, to establishing the proper connections, to staff training—is a far more complex endeavor than simply installing credit card terminals. Each step, he adds, further extends the time frame.

ISOs We’re Following:

» ACCELERATED Payment Technologies, Pleasant Grove, UT
» Leap Payments, Agoura Hills, CA
» Paymint Associates, Brooklyn, NY

Slow, But Steady, Wins the Race

Entrepreneurs grapple with unforeseen delays in their progress

By Julie Ritzer Ross

Qualifying new business owners for POS system financing has also proven to be difficult, unless the prospect in question has excellent credit. “So we are tiptoeing into this arena,” Feldshuh says.

Paymint Associates has also been slower to break out of the high-risk merchant processing gate—again as a result of the longer-than-expected time frame (three to five weeks) for boarding merchants. Underwriting requires “so many additional documents beyond the typical application, imprinted check, and proof of business,” Feldshuh says. Plus, several merchants whose applications the ISO has submitted to processors lack current financial statements or have filed for extensions on their corporate tax returns. Others merely receive spreadsheets, rather than the requisite processing statements, from their existing processors.

“Getting high-risk merchants up-and-running requires a lot more energy from our staff,” Feldshuh says. “Hopefully, the greater profit margins from this venture” will render it worthwhile.

Meanwhile, Paymint Associates is reaping the benefits of a new alliance with Payment Alliance International (PAI) of Louisville, Kentucky. The ISO previously maintained a direct relationship with Global Payments, but made the switch based on its need for a complete support system that would enable management to focus on developing products and leads as well as becoming a reseller of POS systems. “Our goal is to remain a marketing/sales organization and be responsible for our own agent support,” Feldshuh says. “Moving under the PAI umbrella has eliminated concern about maintaining merchant support, and when we are overloaded, we can even have their infrastructure handle programming of terminals.”

LET US PROFILE YOUR COMPANY! If you launched a new ISO in the last 12 months and would like to be considered for the second Startup Stories series, contact [email protected].


Picking Up Speed

Meanwhile, Pleasant Grove, Utah-based ACCELERATED Payment Technologies has been experiencing some delay-related challenges of its own as it continues to “settle in” to its new integrated operating model. ACCELERATED was formed this past spring when CAM Commerce sold its point-of-sale software division to Robertson Piper Software Group (RPSG), enabling its integrated payments division to transition into an ISO/payment processing organization. In the integrated model, ACCELERATED’s proprietary payment technology interfaces with other software used by merchant clients.

“Refocusing a firm as comprehensively as we have is never going to be clear sailing,” says Richard Davis, director of business development. Collaborating with software resellers with which ACCELERATED’s payment processing solution is integrated has entailed a larger time investment than initially anticipated because of the need to assist reseller partners in “shouldering some of the burden of ‘putting right’ current software that hasn’t been updated or maintained as well as” the ISO would have liked, Davis explains.

To speed up the process, ACCELERATED is assuming as much of this burden as its reseller partners, despite the fact that its own software doesn’t require tweaking to allow for flawless integration and utilization by merchant clients. “From the very beginning, our CEO, Roy Banks, made it clear to everyone that establishing deep relationships with our partners was the key to success and that it was everybody’s responsibility to ensure” all critical steps would be taken to attain that goal, Davis says.

Integration snafus have not deterred the ISO from introducing new programs. In mid-July, ACCELERATED was on the cusp of launching a new PCI compliance assistance program designed to effectively lead merchants through the steps needed to adhere to PCI mandates.

Out-Running Fraudsters

For Leap Payments Inc., an initiative to garner more exposure via the Internet has had positive effects—as well as an unanticipated adverse side effect. While the ISO’s enhanced online visibility via a more detailed Web site has brought a flurry of inquiries from prospective clients, it’s also made Leap Payments a target for criminal activities. “Criminals have set up new businesses with stolen identities, and are trying to establish merchant accounts so they can run transactions on stolen credit cards,” says Will Detterman, CEO.

Several such “fraudsters” contact Leap Payments each week, and while Detterman and his team can generally recognize their true intentions, staying one step ahead of them is a challenge. “It’s not a new game these criminals are playing; it’s just unfortunate to see that the frequency is increasing and their sophistication, meaning we need to be vigilant,” Detterman says. “They obviously put a lot of time and effort into making everything appear legitimate, and it’s sad. If they put as much energy into a legal business venture, I think they’d be much better off in the long run.”

Over the past few months, the ISO has boarded several large merchants. “We’ve always thought of ourselves as the company to which merchants ‘graduate’ once they have been through the school of hard knocks with our competitors, but more prospects report that they are simply fed up with constant rate changes and statements that they can’t understand,” Detterman says.

The ISO now follows several practices intended to prove its integrity to potential and existing clients of all sizes. Among those practices is analyzing merchants’ monthly statements to ensure they’re receiving the best “deal” possible, and emphasizing to prospects that the “wholesale rates” promoted by some of Leap Payments’ competitors don’t save them any money.

“The general concept of cutting out the middleman sounds good, but for financial services it simply doesn’t translate, as merchants are buying a service, not a product, and there aren’t multiple hands through which the service passes before it reaches merchants,” Detterman says. “Going direct to a processor for Visa/MasterCard defines the workings of most credit card processing organizations—so almost all rates are ‘wholesale’ rates. This is no great deal merchants are getting.”

The ISO also eschews the practice of charging merchants monthly “PCI non-compliance” or data security fees, regardless of whether or not they have certified that their businesses are compliant.

Leap Payments works with its merchants to complete the PCI certification process, ensuring that they aren’t at risk for data breaches and avoiding the assessment of “junk” fees. “We believe that once merchants have completed the PCI certification process, they should not be charged a monthly fee for it,” Detterman says. “ISOs need to make money—but new programs, not sneaking fees onto statements, is the way to go.” TT

Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at [email protected].


As fall settles around most of the country, leading electronic payments professionals will descend on The Breakers resort in Palm Beach, Florida, for three days of high-impact, high-level discussions on the future of the industry. ETA’s Strategic Leadership Forum (SLF) has become the most important high-level networking event for many of the industry’s leaders.

Attendees will get a sharper view of what’s ahead and insights into how they can refine their strategic vision to outperform competitors when economic conditions improve. The 2010 Forum will tackle three main topics: Electronic Payment Dynamics, Technologies and Products, and Critical Business Issues. Each will be the theme for multiple sessions, organized to help you make the connections and put all the pieces together.

One important highlight will be a keynote address from Mort Kondracke, executive director and columnist for Roll Call, the nonpartisan Capitol Hill newspaper. A veteran journalist and political commentator, Kondracke will bring his unique perspective to bear on the electronic payments business environment.

THE FUTURE OF PAYMENTS, TODAY
OCTOBER 26-28, 2010, PALM BEACH, FLORIDA

[ FEATURE]

2010 Preview: ETA Strategic Leadership Forum

Here’s a closer look at the sessions planned for the 2010 SLF.

■ Alternative Payments: Opening Up New Merchants or Competing for Your Income? The 2010 marketing launch of Square and the 10th anniversary of PayPal serve as interesting bookends to the alternative payments sector. What is the future of this dynamic and exciting space, and what are important trends that will determine the outcomes? What role does merchant aggregation play, and what determines when it is friend or foe? The rules have ostensibly been set for some time, but how do they affect alternative payment methods? How do different payment methods conform to the rules, or how will the rules conform to them? This session will explore all these areas, and more.

■ Economic Indicators & Trends: The changing economy has become an important variable that must be considered when doing business in the payments industry. This presentation will focus on macroeconomic data, explain what it potentially means for your company, and demonstrate how you can best prepare for the impacts of the underlying economic conditions. This “outsiders’” look at the payments industry will also show how the industry performed through the recession and why the payments industry is attractive to outside investors.

■ Industry CEO Roundtable—Sail On to Better Waters: This invigorating exchange of information, ideas, and insights will feature an unparalleled collection of industry veterans who have successfully navigated their companies through the recent economic storms and are now positioning their organizations for the waters ahead.

■ E2EE and Tokenization: All Encryption Is Not Created Equal—A Review of Encryption and Tokenization for Payment Card Data: Recently, we’ve all seen much discussion and many opinions regarding the strength of encryption and the value of tokenization related to protection of payment card data and PCI compliance. In the midst of a constant stream of press releases announcing data breaches and a persistently changing regulatory environment, how can acquirers, ISOs, technology providers, and merchants filter through the noise and make sense of what the market has to offer?

■ Mobile Technology Solutions—Is 2011 Finally the Year? Year after year, we continue to hear, “The time has come for mobile!” But the future requires—and merchants are asking for—mobility for a variety of reasons involving emerging technology, data security, and recent marketplace developments. These environmental changes include new PCI requirements, chip-and-pin expansion, new vertical markets, the emergence of smartphone apps, pay-at-the-table, line busting with scanning, and so many more that seemingly emerge every day. Solutions have come from all corners of the globe, leveraging competing technologies such as terminals vs. smartphones, direct connectivity vs. gateways, and integrated vs. standalone. Now more than ever, mobile technologies have a place across the globe.

■ Interchange: Interchange is no longer a secret. (Was it ever?) This session will review the current status on various state legislative actions, federal legislation, and what the merchant community is saying about interchange. Information about the results from other countries’ efforts to manage interchange will be covered. While interchange has been part of the landscape for many decades, we will hear about what’s driving the discussion now and how it will impact your business and the business of your customers.

■ Industry Economics—Alive and Well: Industry experts will discuss the impact of trends related to the positive shift from paper/cash to electronic payments, trends with same-store sales, and the development of new emerging market sectors and mobile payments. This session will also address interchange as part of the industry’s economic equation, as well as the privatization of previously publicly held companies or recapitalization of major industry participants using third-party debt, and recent actions of major industry bank-owned acquirers and sponsors to recapitalize and partner with other industry participants.

Of course, it wouldn’t be an ETA event without activities that are fun and that provide opportunities to rub elbows with your peers. Consider taking advantage of the Breakers’ fine offerings with these ETA-planned activities:

■ Wine and Cheese Tasting—$90 per person (limit of 30 people): Experience this one-of-a-kind opportunity for both wine aficionados and novices alike that will combine wine appreciation, education, and the finer points of tasting wine.

■ Catamaran Cruise—$90 per person (limit of 35 people): The cruise includes beverages (beer, water, and soda), snacks, snorkeling gear, and music. Enjoy a guided three-hour cruise and see some of Palm Beach’s historical landmarks.

■ 9 Holes of Golf—$90 per person (limit of 40 people): With fairways that weave between sandy hazards, the Breakers’ Ocean Course rewards wit over power. (Sponsored by SecurityMetrics) TT

REGISTER TODAY: Visit www.electran.org/SLF10

Schedule At-a-Glance

DAY                    TIME              DESCRIPTION
Tuesday, October 26    5:30-7:30pm       Opening Reception
Wednesday, October 27  7:30-8:30am       Networking Breakfast
                       8:00-11:15am      Electronic Payment Dynamics
                       11:15am-1:15pm    Technologies and Products
                       2:00-6:00pm       Networking Activities
                       10:00pm-Midnight  Afterglow Party
Thursday, October 28   9:00am-12:30pm    Critical Business Issues


Early deadline is October 1.


ISO CORNER: DATA SECURITY

Merchant Vulnerabilities Exposed
Seven common pitfalls every ISO should know—and every merchant must avoid
By Brad Caldwell

In all of the publicity over stolen credit card data, one issue that is frequently overlooked is the fact that many breaches are caused by the same handful of vulnerabilities. Despite continuous preaching by the security industry, smaller merchants in particular fail to follow even the most basic rules to hacker-proof their systems, leaving an open invitation to criminals.

Consider the case of a two-site luxury resort that had 150,000 cards stolen, leading to $80,000 in PCI Data Security Standard (DSS) fines from card brands and $440,000 in customer reimbursements required by card issuers. An analysis by SecurityMetrics’ forensics team determined that the hacker entered through a poorly protected remote access program and then took advantage of inadequate data segmentation to install malware that was able to access the resort’s entire network. Both are common techniques seen repeatedly in compromise incidents.

In another case, a mom-and-pop restaurant was forced to close after having 1,200 cards stolen and being hit with $10,000 in PCI DSS fines plus $110,000 in customer reimbursements. Here again, the hacker wormed his way in through an insecure remote access program and discovered a system without the segmentation that would have blocked him from accessing the restaurant’s payment application.

In this case, however, the hacker harvested data in a different way—using a keylogger instead of a memory dumper. In addition, he found a remnant file from the POS vendor containing the IP addresses of 27 other small restaurants using the same system configuration and the same default password for remote access. With one successful breach, that attacker was able to reach 28 different data repositories.

Although data thieves are continually inventing new ways to penetrate networks, breaches with known methodologies are largely preventable by following a few simple guidelines. ISOs can help their merchants keep customer cardholder data under lock and key by helping them avoid these common pitfalls:

1. Improperly configured firewalls. In many cases, this is all it takes for a hacker to enter your merchant’s system. Nearly 50 percent of all Level 4 merchants investigated by SecurityMetrics’ forensics team lack a properly configured firewall.

Firewall security problems can be dramatically reduced by following procedures such as doing a full system sweep before firewall installation to detect any viruses or malicious activity, deciding which programs will be allowed to access the Internet, and so on. Merchants should consult their computer technician and/or the PCI DSS for assistance.

2. Weak authentication for remote access. Too often, weak or default passwords make it easy to bypass merchants’ remote access systems. That was one of the problems that tripped up the luxury resort mentioned earlier. Users had common passwords such as “abc123” or “iloveyou.”

The solution is to require a strong password—one that combines upper- and lower-case letters, numbers, and special characters—or to create two separate steps to authenticate the user. This “two-factor authentication” typically requires something the user knows plus something the user has. One example is requiring the system to recognize a special computer access software “key” (what the user has) and a passphrase (what the user knows) before permitting the user to log in. This forces an attacker to have the user’s key before he or she can guess the passphrase, making it much harder to access the merchant’s system.

3. Payment data stored with other traffic. Another common security mistake made by merchants is failure to segregate day-to-day business and Internet traffic from the payment application. Without that segmentation, a hacker who does manage to get in the door has unrestricted access to everything on the network, including payment data. Separating the payment application forces an attacker to jump an additional hurdle before reaching the proverbial pot of gold.

The best strategy is to operate separate servers—one for routine business and one for the payment application—and to segment them from each other by a firewall. This second firewall acts as an extra barrier that a hacker may not be able to penetrate, reducing the risk of data theft.

4. Poorly protected wireless transactions. The rising use of wireless payment applications has created another avenue for hackers to attack. This was the Achilles’ heel of T.J.Maxx, which is reported to have lost 45.7 million credit cards to hackers.

If a merchant must process credit cards in a wireless environment, ensure that the wireless network is protected by strong encryption. PCI DSS mandates the use of strong encryption and explicitly bans outdated wireless standards such as WEP (requirement 4.1.1).

5. Unencrypted payment applications. Payment data stored in clear-text format is easy pickings for a hacker. In one forensics case handled by SecurityMetrics, an attacker discovered unencrypted transaction logs dating back to 2004. In one fell swoop, that hacker was able to steal data from 64,000 cards without waiting weeks or months for malware to collect the information. The merchant was not even aware that the payment application was storing the logs.

This problem can be solved by ensuring that the merchant’s payment application is compliant with current Payment Application Data Security Standards (PA-DSS) that prohibit storage of unencrypted credit card data. In addition, the application must be configured properly. If it is set to store transaction or error logs, those logs may contain unencrypted credit card data, which defeats the purpose of deploying a PA-DSS compliant payment system.

6. Outdated anti-virus software. Sometimes merchants are meticulous about maintaining anti-virus/anti-spyware software on their servers but fail to realize that it also is imperative to protect individual POS terminals. This oversight enables hackers to install malware on merchants’ terminals and steal credit card data as each card is processed. Updated anti-virus software installed at the POS terminal will often detect and prevent this type of attack.

7. Failure to thwart data export. The final security layer that many merchants miss involves stopping successful hackers from exporting the data they have reached. They typically accomplish this by using the File Transfer Protocol (FTP) to copy the data out of the system, or by using a covert SMTP server to automatically e-mail the captured data to themselves at frequent intervals.

To limit the damage that can be done at this point, the merchant’s firewall should be configured so that data leaving the payment application can be sent only to the payment processor or other trusted sources. All other IP addresses should be blacklisted. In addition, since processors no longer require an FTP option, FTP traffic for the payment application should be disallowed.
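The egress policy described here, as an added example (not the article's or any vendor's code): a default-deny evaluator for outbound flows from the segmented payment network that passes only the processor's address range on one port, refuses FTP outright and refuses SMTP, run over constructed connection attempts that mirror the two export paths named above. The payment segment 10.20.0.0/24, the processor range 203.0.113.0/24 and the sample flows are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example (not a real deployment): the payment
# segment sits behind its own firewall, and the only legitimate outbound
# destination is the processor's range (a TEST-NET block stands in for it).
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
TRUSTED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {443}                       # TLS to the processor only
BLOCKED_SERVICES = {21: "FTP", 25: "SMTP"}  # the two export paths the article names


@dataclass
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


def evaluate(flow):
    """Return (verdict, reason) for one outbound flow.

    Default-deny for the payment segment: FTP and SMTP are refused regardless
    of destination, anything not bound for the processor is refused, and only
    the allowed port passes even to the processor.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in PAYMENT_SEGMENT:
        return "ignore", "source is outside the payment segment"
    if flow.dport in BLOCKED_SERVICES:
        return "deny", f"{BLOCKED_SERVICES[flow.dport]} is not permitted from the payment segment"
    if not any(dst in net for net in TRUSTED_DESTINATIONS):
        return "deny", "destination is not a trusted processor address"
    if flow.dport not in ALLOWED_PORTS:
        return "deny", f"port {flow.dport} is not allowed even to the processor"
    return "allow", "trusted processor over an allowed port"


# Constructed outbound attempts: legitimate traffic, the FTP copy-out and covert
# SMTP patterns the article describes, and one flow from another segment.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "203.0.113.10", 443),  # POS -> processor, legitimate
    Flow("10.20.0.15", "198.51.100.7", 21),   # FTP copy-out to an unknown host
    Flow("10.20.0.15", "198.51.100.7", 25),   # covert SMTP to an outside mailbox
    Flow("10.20.0.15", "203.0.113.10", 21),   # FTP even to the processor
    Flow("10.20.0.15", "198.51.100.9", 443),  # HTTPS to an untrusted host
    Flow("10.30.0.5", "198.51.100.7", 25),    # office segment, not covered by this policy
]


def audit(flows):
    """Evaluate every flow and return (src, dst, dport, verdict, reason) tuples."""
    return [(f.src, f.dst, f.dport, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, dport, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {src} -> {dst}:{dport}  ({reason})")
```

Any "deny" row is also the event worth logging and alerting on, since a payment host trying to reach an unknown address is exactly the export attempt this layer exists to catch.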

While there is no silver bullet that will keep hackers at bay, avoiding these Seven Deadly Security Sins will go a long way toward protecting merchants from credit card theft. ISOs and acquirers can help by educating their merchant portfolio in the basic rules of data security. TT

Brad Caldwell is CEO of SecurityMetrics, a provider of PCI DSS security solutions. Reach him at [email protected].


Are You on the List? Sign up for a listing in the Transaction Trends’ 2010-2011 Products and Services Directory— THE resource to the electronic transaction industry— and receive a FREE listing in the new online ETA Payments Marketplace.

Plus, this year’s Directory (a special supplement to the December issue) enjoys bonus distribution at the 2011 ETA Annual Meeting & Expo, ensuring maximum exposure for your company.

Don’t miss this opportunity. Contact [email protected] for more information. Deadline for entries is October 4.


Meet the mastermind of prepaid processing: Brent

Of course, Brent’s not the exception. Every member of the Visa® team is backed by our powerful, reliable global payments network and a proven issuer processing system. Which, in this case, helps Brent be much more than a Regional Sales Manager. He’s a diagnostic ace who can determine the right processing solution for every client, every time. Find out what Brent and his team can do for you at visadps.com.

Transaction Processing | Risk Mitigation | Business Analytics

© 2010 Visa



ETA 2009-2010 BOARD OF DIRECTORS

OFFICERS
PRESIDENT: Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss, P.C.
PRESIDENT-ELECT: Rick Pylant, President & Chairman, COCARD Marketing Group, LLC
TREASURER: Eddie Myers, President & COO, Payment Processing, Inc.
SECRETARY: Roy Banks, CEO, ACCELERATED Payment Technologies™
IMMEDIATE PAST PRESIDENT: Nick Baxter, Senior Vice President, First National Bank of Omaha

DIRECTORS
Todd Ablowitz, President, Double Diamond Group
Greg Cohen, President, Moneris Solutions
Kim Fitzsimmons, Senior Vice President–First Data Services, First Data Corporation
Heidi Goff, President & Managing Director, The Americas, Hypercom, Inc.
Robert McCullen, CEO, Trustwave
Jeff Rosenblatt, President, EVO Merchant Services
Debra Rossi, Executive Vice President, Merchant Payment Solutions, Wells Fargo Bank
Dave Siembieda, President & CEO, CrossCheck, Inc.
Tom Wimsett, President & CEO, National Processing Company

ADVISORY COUNCIL
Robert Baldwin, President & CFO, Heartland Payment Systems, Inc.
Joe Cohane, CEO, Veracity Payment Solutions
Dean Leavitt, Chairman & CEO, Unicorn Partners, LLC
Ed Myers, U.S. President, Global Payments, Inc.
Deana Rich, President, Rich Consulting
Kurt Strawhecker, Executive Partner, The Strawhecker Group
Buzz Stryker, President & CEO, POS Portal, Inc.

EX-OFFICIO
Carla Balakgie, CEO, Electronic Transactions Association
Jan Estep, President & CEO, NACHA
Sameer Govil, Head of Acceptance Solutions, Global Acceptance, Visa
Matt Johanson, Vice President, Acquirer Relations, Discover Network
Steve Carnevale, Senior Vice President/Group Head Commerce Development, MasterCard Worldwide
Bryan O’Malley, Vice President, American Express

LEGAL COUNSEL
Dave Goch, Attorney at Law, Webster, Chamberlain & Bean

ADVERTISERS INDEX

Company                           Page  Phone                  Web
Apriva                            17    480-421-1200           www.apriva.com
Authorize.Net                     C2    866-437-0491           www.authorize.net
Cynergy Data                      2     800-933-0064 x5147     www.cynergydata.net
Elavon                            1     678-731-5000           www.elavon.com
EVO Merchant Services             4     800-227-3794           www.goevo.com
Fifth Third Processing Solutions  9     513-534-7678           www.ftpsllc.com
First American Payment Systems    16    866-GO4-FAPS           www.go4faps.com
Hypercom Corporation              7     480-642-5000           [email protected]
Security Metrics                  23    801-724-9600           www.securitymetrics.com
Total Merchant Services, Inc      C4    888-84-TOTAL x9727     www.totalmerchantservices.com
TransFirst                        C3    214-453-7711           www.transfirst.com
Trustwave                         27    312-873-7291           [email protected]
USA ePay                          19    866-872-3729           www.usaepay.com
Visa                              25                           www.visadps.com


INTRODUCING TRUSTKEEPER® 3.0

Now you can achieve the highest adoption and compliance rates in the industry. Featuring our very own PCI Wizard, this groundbreaking technology guides merchants through the process, customizing certification every step of the way. Finally, a cure for the common Level 4 compliance problem. Download your free white paper today at www.trustwave.com/Level4PCI

www.trustwave.com | 888-878-7817 | [email protected]


INDUSTRY INSIDER

A Gift for Giving
Ardent Giving Solutions finds success by specializing in the often-ignored markets of churches and nonprofits
By Bryan Ochalla

“How many people in the payment processing industry think, when they drive by a church, There’s an opportunity for me?” asks Bryce Collman, founder of Ardent Giving Solutions.

Few, if any, he says, which is why he opened the company in late 2009. His goal for the Dallas/Fort Worth-based company (and also a First American Payment Systems ISO) is to give churches, schools, and nonprofits tools to increase their donation income while decreasing their expenses.

The first part of that goal is especially important since all of the market segments served by Ardent survive on giving and, “as you might imagine, they’re all struggling in this down economy,” says Collman.

The Ardent team helps churches, schools, and nonprofits facilitate donations and decrease spending by providing them with basic payment processing products and services—such as credit card, debit card, and ACH processing, as well as remote deposit capture—that were developed to meet their unique needs. Such basics are necessary because most of these organizations are just starting to dip their toes in the waters of electronic giving and “are not aware of all the tools that are available to them,” Collman says. “So we bring them to their doorstep.”

Almost all of the organizations Ardent works with have some sort of annual offsite fundraiser, such as a golf tournament. “You wouldn’t believe how common it is for these organizations to manually imprint the credit cards for that offsite function, which usually includes a silent auction,” Collman adds. “Then they spend the next two days calling in for authorizations. That not only increases their expenses significantly, but it also eats up their valuable time.”

The Proper Products
Ardent Giving Solutions’ suite of products helps alleviate manpower and expense issues as well as other problems commonly experienced by churches, schools, and nonprofits.

For example, Ardent’s Web-based donor-management program includes a recurring payment component, which is very important to churches whose donation collections “usually tank in the summer,” Collman says. “If they can interest their members in recurring giving, they’ll not just level-off but grow their overall level of giving.”

Similarly, many churches do not accept credit card donations from parishioners. As a result, Ardent recently added a debit-only giving solution to its product mix. The function uses the company’s established systems to block credit card transactions from being processed and prompt members to resubmit their pledge using a debit card.

“It has been a need [for these organizations] for a long time, but it was believed it couldn’t be done,” Collman says. “That just goes to show how much the payment processing industry has ignored this market segment over the years.”

Vertical Attention
When asked how Ardent Giving Solutions differentiates itself from competitors in the payment processing space, Collman answers: “We don’t take a one-size-fits-all or a one-solution-fits-all approach. We take the time to learn about each client’s specific goals and needs. We try to figure out where they are, what challenges they face, and where they see themselves going, and then we provide them with solutions that will fit those needs.

“We specialize in these verticals,” he adds. “And that specialization carries with it experience and knowledge and an understanding of our customer and prospect base—none of which someone who just stumbles across churches or schools or nonprofits would have.”

If you want to earn the trust—and the business—of these often-overlooked organizations, “you have to ask the right questions, and you can’t do that if you don’t have a deep understanding of their industries.”

That’s not to suggest Collman and his crew are without challenges. Their biggest challenge at the moment involves finding motivated agents who are “geographically where we need them,” Collman says.

“Our slogan is ‘Our passion. Your mission,’” he adds. “So it’s important that our agents share our passion for these organizations and what they’re trying to accomplish.” TT

Bryan Ochalla is a contributing writer for Transaction Trends. Reach him at [email protected].


From Zero To TransFirst®

Do you have a need for speed?

Trust. Innovation. Collaboration. – TransFirst.

With 15 years of experience in secure transaction processing technologies and services, TransFirst® is now transforming the ISO/ISA arena. We’re more than a processor, we’re a valuable business partner, blending uncommon support to help streamline the merchant boarding process, as well as proprietary cutting-edge products. Whether it’s working capital, commission enhancements, or residual advance programs, TransFirst is here to keep your business on the fast track.

• Proprietary leading-edge tools: TransLead, which delivers pre-qualified leads, and TransGuard®, alerting agents when their merchants might be at risk of leaving
• Available investment capital
• Aggressive revenue share program
• Timely and accurate monthly residuals
• 96%+ merchant application approval rate
• State-of-the-art training

Take TransFirst® for a test drive today! Contact us at 866.969.3350, [email protected], or visit www.TransFirstSales.com.


Giving it to you straight. Real reps. Real success.

Total Merchant Services (TMS) is a Member Service Provider for: HSBC Bank USA, National Association, Buffalo, NY.

See the difference for yourself. Join the team with a proven track record.

Check out Total Merchant Services program details at www.upfrontandresiduals.com or call us toll-free at 1-888-84-TOTAL ext. 9411

I first joined Total Merchant Services because I felt like I could believe them. I stayed because they keep their promises – my overall monthly and residual revenues keep increasing, month after month.

The underwriters are superb. I always feel like my customers are safe. I feel like I have total control over my portfolio. Even in uncertain times, I feel secure because I am with a good, ethical company.

Without a doubt, aMplify is the pulse of my business. The amount and quality of the information available via the Account Management Portal has made me efficient, effective, and most importantly, profitable.

I always know with certainty what is going on with my clients. I can depend on daily emails to notify me of any updates and changes. This lets me focus on growing my business because I know my merchants are safe, secure and satisfied.

I’m helping my clients, making great money, and having fun in the process.

Jeff Schafer