Posted on May 2nd, 2009 by David Navetta  InfoSecCompliance.com

The last two plaintiff-banks still breathing after 1st Circuit Appeal

Little know (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.

However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter “Issuing Banks” or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S Court of Appeals for the First Circuit (the “Appellate Court”). The 1st Circuit’s opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX’s inadequate security amounted to an unfair business practices under Massachusetts’s unfair and deceptive business practices law.

The main issue on appeal was the ruling on a motion to dismiss by the U.S District Court for the District of Massachusetts (the “District Court”). TJX and Fifth Third Bank (TJX’s merchant bank; collectively referred to as “defendants”) had asked the District Court to dismiss all of the counts alleged in the Issuing Bank’s complaint, including: (1) negligence; (2) breach of contract; (3) negligent misrepresentation; and (4) unfair or deceptive business practices under chapter 93A (Massachusetts’s consumer fraud statute). The District Court dismissed the negligence and breach of contract claim, but allowed the negligent misrepresentation claim and the 93A claim (which was based on negligent misrepresentation) to proceed.

Negligent Misrepresentation

The Appellate Court ultimately refused to dismiss the plaintiff’s negligent misrepresentation claim. However, the Court took a different path than the District Court. First, the court noted that the plaintiffs were not alleging any actual misrepresentation, but rather the plaintiff’s “negligent misrepresentation” was based purely on the defendants’ conduct in performing credit card transactions (in fact, the Appellate Court also referenced the defendants’ conduct in the form of entering contracts requiring certain credit card security measures). While conduct can be part of a misrepresentation, the link between the conduct and the implication must be “tight.” This link may be established by a combination of words and conduct concerning the alleged misrepresentation.


Continue Reading at InfoSecCompliance.com

Momentum Payment Systems Adds Way Systems' Mobile Transaction Terminal to Merchant Solutions Package

Download this press release as an Adobe PDF document.

Momentum Payment Systems recently announced a new strategic partnership with Way Systems Inc. and will now offer Way Systems' Mobile Transaction Terminal and Printer.

Houston, Texas (PRWEB) April 30, 2009-- Houston, TX based Momentum Payment Systems, www.MomentumPayments.com, a full service electronic payment processing provider, recently announced a new strategic partnership with Way Systems Inc. and will now offer Way Systems' Mobile Transaction Terminal and Printer.

The Mobile Transaction Terminal makes it possible to accept payments any time and anywhere by combining low-cost mobile phone technologies with the capabilities of a point-of-sale terminal. The terminal can process credit, pin-based debit and smart cards and can be paired with the mobile printer through its infrared wireless connection in order to print receipts quickly and easily. Unlike many other wireless units currently on the market they are easily portable. The printer and the terminal are small and lightweight, weighing only 5 and 8.8 ounces respectively.

"We believe that Way Systems' products will offer us another cost-effective and technologically-advanced wireless solution that we can offer our merchants in order to fit their payment processing needs," said Mark Harrelson, Chief Sales Officer.

About Momentum Payment Systems
Momentum Payment Systems, LLC is a fast growing merchant acquirer that specializes in providing small and medium-sized businesses throughout the United States with comprehensive electronic transaction processing solutions. Momentum offers traditional credit card, debit card, ATM card, gift card, prepaid card, EBT and check processing services. Momentum also proudly offers 24 hour customer service and technical support.

For further information, visit Momentum Payment Systems online at www.MomentumPayments.com

###


See the original story at:

http://www.prweb.com/releases/2009/05/prweb2378324.htm

Heartland Payment Systems Returns to Visa's List of PCI DSS Validated Service Providers

PRINCETON, N.J., May 01, 2009 (BUSINESS WIRE) -- Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. As such, Heartland is returning to Visa's List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list - which can be found at www.visa.com/cisp -- on Monday, May 4.

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide. Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit www.HeartlandPaymentSystems.com and www.MerchantBillOfRights.com.

SOURCE: Heartland Payment Systems
Picture Compliments of the PIN Payments Blog, Clockwork Orange and Milk

Heartland Payment Systems Jason Maloni, 202-973-1335  jason.maloni@e-hps.com

Mastercard Incorporated (NYSE: MA) reports Q1 EPS of $2.80, 19 cents better than the analyst estimate of $2.61. Revenue for the quarter was $1.2 billion, versus the consensus of $1.21 billion. Shares have dipped over 7% in Friday's trading session.

Highlights From MA's Q1 Conference Call:

• (CEO) While our net revenues for the quarter declined 2.2% on an as reported basis, net revenue grew 1.8% on a constant currency basis.
• We have taken considerable cost reduction actions to deliver a strong operating margin of 48.6%, an improvement of 5 percentage points over Q1 of 2008 and the highest quarterly margin to-date that we recorded as a public company.
• (CFO) Q1 net revenues of 1.2 billion declined 2.2% over the comparable period last year. This decline was primarily driven by the unfavorable impact of foreign exchange and higher rebates and incentives partially offset by pricing, increased process transactions and increases of other payment related services.
• Worldwide debit GDV grew 10.7% for the quarter. This compares to about 17.8% growth in worldwide debit in the first quarter of last year, but is more inline with the growth on a sequential basis.
• The decline in gas prices on a year-over-year basis accounted for approximately 40% of the decline in U.S. purchase volumes. Gross dollar volumes were down 0.7% on a local currency basis or approximately 14% on a U.S. dollar converted basis.
• Looking now to process transactions, they increased 5.8% compared with the year ago quarter to 5.1 billion in the first quarter.
• The number of MasterCard's branded cards worldwide grew 4% to 967 million in the quarter and excluding the U.S., the rest of the world card issuance grew 12.1%.
• Cross-border volume fees decreased by11.3% versus Q1 '08. While cross-border volumes were essentially flat on a local currency basis, they declined by 14% on a U.S. dollar basis which impacted this revenue line.
• We generated $416 million in cash from operations and ended the quarter with cash and cash equivalents and current investments of 2.3 billion.
  

MasterCard Incorporated, together with its subsidiaries, provides transaction processing and related services to customers principally in support of their credit, deposit access, electronic cash and automated teller machine payment card programs, and travelers cheque programs.

USPS Probes Security Breach - CBS News

Data Companies Issue New Warnings About Breach That Could Lead To Potential Compromise Of Credit Cards

(CBS) CBS News has learned of another data breach potentially compromising the personal information of thousands of people. Companies Lexis Nexis and Investigative Professionals have notified up to 40,000 people whose “sensitive and personally identifiable” information may have been viewed by individuals who should not have had access.

The United States Postal Inspection Service is investigating a data breach at both companies that resulted in sensitive information being used in a crime. Those individuals have been notified.

Sources tell CBS News that the data breach is linked to a Nigerian Scam artist who used the information to incur fraudulent charges on victims’ credit cards.

Peter Rendina, a spokesman for the Postal Inspectors Service said that of the 40,000 individuals whose information was accessed, up to 300 were compromised and used to obtain fraudulent credit cards.

Continue Reading at CBS

The total dollar volume of purchases made with Visa debit cards at the end of 2008 was larger than the amount spent on credit card purchases -- the first time debit purchases surpassed credit. Visa's 2008 fourth-quarter debit card transactions made up more than 50 percent of Visa's volume.

"The reality is that the vast majority of consumers want to pay as they go," said Stacey Pinkerd in a press release. Pinkerd oversees Visa's debit-card business.

Visa's growth in its debit card segment far exceeded analyst's predictions. (Editor's Note:  Not the analyst I know.  See Debit is King, Replaces Cash on Throne  So that I'm on the record for future developments when they occur:

• PIN Debit will increase it's margin on signature debit,
• eCommerce will "eventually" overtake Brick and Mortar
• Hackers will continue to outsmart and their attacks will continue to breach software applications, until we finally realize that:
  
• Hardware is the only tried and true method to conduct secure online transactions, (and a 2FA 3DES E2EE PCI 2.0 PED that encrypts Track 2 data and utilizes DUKPT does it best).
  
• Analysts will realize and start writing that Software PIN Debit is not really True PIN Debit especially when:
  
• Online Merchants Start Demanding Card Present and TRUE PIN Debit Interchange Rates which they cannot derive from a software based POS solution.
  
• True PIN Debit will become ubiquitous on the web by 2014.

FIS Reports Strong Earnings Growth | PIN Payments News Blog

Adjusted EPS of $0.31, up 19.2%/Adjusted EBITDA margin of 22.7%, up 100 basis points

Free cash flow increases to $119 million

JACKSONVILLE, Fla., May 1st, 2009 PIN Payments News Blog -- Fidelity National Information Services, Inc. (NYSE: FIS), a leading global provider of technology services to financial institutions, today reported financial results for the quarter ended March 31, 2009.

Consolidated revenue of $797.8 million declined 3.9% in U.S. dollars and increased 0.3% in constant currency compared to $830.3 million in the first quarter of 2008. Non-GAAP adjusted net earnings increased 19.2% to $0.31 per share in U.S. dollars, compared to $0.26 in the prior year, and increased 23.1% in constant currency. The increase is attributable to improved operating performance, lower interest expense and a lower share count, partially offset by a slightly higher tax rate. GAAP net earnings from continuing operations attributable to common stockholders totaled $34.3 million, or $0.18 per share compared to $0.06 per share in the prior period. Free cash flow (cash from operations less capital expenditures) was $119.2 million compared with $4.9 million in the prior year quarter.

"FIS's strong first quarter performance in the midst of ongoing economic uncertainty reflects the continued solid execution of our business plan and the strength of our operating model," stated William P. Foley, II, executive chairman of FIS.

"We are very pleased with the strong growth in earnings, profit margins and free cash flow," stated Lee A. Kennedy, president and chief executive officer. "Despite very difficult market conditions, our disciplined focus on improving efficiency and managing costs drove a 100 basis point improvement in our EBITDA margin, and contributed to the 19.2% increase in earnings per share. Although we expect challenging market conditions to persist throughout 2009, we remain confident in our ability to achieve solid earnings growth and strong free cash flow."

Supplemental Information

Consolidated revenue in the first quarter of 2009 was $797.8 million, compared with $830.3 in the prior year quarter, a decrease of 3.9% in U.S. dollars. Excluding a $34.9 million unfavorable impact of foreign currency resulting from a strengthening of the U.S. dollar, consolidated revenue increased 0.3% driven by strong growth in International.

• Financial Solutions revenue declined 3.2% to $271.3 million compared to $280.4 million in the prior period, as increased demand for risk management and commercial outsourcing services was offset by lower software license and professional services revenue;
• Payment Solutions revenue declined 2.3% to $364.7 million compared to $373.3 million in the 2008 quarter, due primarily to a $9.7 million decline in the company's retail check guarantee business. Excluding Check Services' revenue from both periods, Payment Solutions revenue increased 0.4%;
• International revenue declined 8.3% to $162.3 million in U.S. dollars, compared to $176.9 million in the prior year quarter.
• International revenue increased 11.5% in constant currency, driven by 16.3% growth in payments and 4.5% growth in financial solutions.
• Adjusted EBITDA increased 0.7% to $181.2 million in the first quarter of 2009 compared to $180.0 million in the 2008 quarter. The adjusted EBITDA margin improved 100 basis points to 22.7% compared to 21.7% in the prior-year quarter, driven by increased operating leverage and ongoing expense management.
• Financial Solutions EBITDA declined 2.9% to $102.0 million, due primarily to a decline in high margin software sales. The 37.6% margin was comparable to the prior period;
• Payment Solutions EBITDA increased 11.5% to $95.2 million, and the margin increased 320 basis points to 26.1%. The improvement is attributable to increased operating efficiency;
• International EBITDA decreased 8.6% to $23.4 million due to a $5.2 million unfavorable currency impact. The International margin of 14.4% was comparable to prior year.

The effective tax rate in the first quarter of 2009 was 34.5% compared to 33.1% in the first quarter of 2008.

Balance Sheet

FIS had $272.0 million in cash and cash equivalents at March 31, 2009. The company repaid $54.0 million of debt during the first quarter, reducing total debt outstanding to $2.46 billion, of which $2.1 billion has been swapped to fixed interest rates. The effective interest rate was 5.2% as of March 31, 2009.

Continuing an intensive focus on capital spending, capital expenditures totaled $45.3 million in the quarter, which is a 42% reduction from the $78.3 million spent in the prior year.

Acquisition Update

On April 1, 2009, FIS announced plans to acquire Metavante Technologies, Inc. (NYSE: MV). The transaction is subject to approval by FIS and Metavante shareholders, receipt of regulatory approvals and the satisfaction of customary closing conditions. Subject to receiving the required approvals, FIS expects to complete the transaction in the third quarter of 2009.

2009 Outlook

FIS reaffirmed its full year outlook for adjusted net earnings of $1.60 to $1.66 per share. This guidance does not reflect the proposed acquisition of Metavante. FIS will update its fiscal 2009 guidance to include Metavante's results following the completion of the transaction.

Use of Non-GAAP Financial Information

Generally Accepted Accounting Principles (GAAP) is the term used to refer to the standard framework of guidelines for financial accounting. GAAP includes the standards, conventions, and rules accountants follow in recording and summarizing transactions, and in the preparation of financial statements. In addition to reporting financial results in accordance with GAAP, the company has provided non-GAAP financial measures which it believes are useful to help investors better understand its financial performance, competitive position and prospects for the future. These non-GAAP measures include earnings before interest, taxes and amortization (EBITDA), adjusted net earnings, and free cash flow. Adjusted EBITDA excludes the impact of merger and acquisition and integration expenses, LPS spin-off related costs, certain stock compensation charges and certain other costs. Adjusted net earnings exclude the after-tax impact of merger and acquisition and integration expenses, LPS spin-off related costs, certain stock compensation charges, acquisition related amortization and certain other costs. Any non-GAAP measures should be considered in context with the GAAP financial presentation and should not be considered in isolation or as a substitute for GAAP net earnings. Further, FIS's non-GAAP measures may be calculated differently from similarly-titled measures of other companies. A reconciliation of these non-GAAP measures to related GAAP measures is included in the press release attachments.

Conference Call and Webcast

FIS will host a call with investors and analysts to discuss first quarter 2009 results on Wednesday, April 29, 2009, beginning at 8:30 a.m. Eastern daylight time. To register for the live event and to access a supplemental slide presentation, go to the Investor Relations section at www.fidelityinfoservices.com and click on "Events and Multimedia." A webcast replay will be available on FIS' Investor Relations website, and a telephone replay will be available through May 13, 2009, by dialing 800-475-6701 (USA) or 320-365-3844 (International). The access code will be 996633. To access a PDF version of this release and accompanying financial tables, go to http://www.investor.fidelityinfoservices.com.

About Fidelity National Information Services, Inc.

Fidelity National Information Services, Inc. (NYSE: FIS), a member of the S&P 500 Index, is a leading provider of core processing for financial institutions; card issuer and transaction processing services; and outsourcing services to financial institutions and retailers. FIS has processing and technology relationships with 40 of the top 50 global banks, including nine of the top 10 and was ranked the number one banking technology provider in the world by American Banker and the research firm Financial Insights in the 2008 FinTech 100 rankings. Headquartered in Jacksonville, Fla., FIS maintains a strong global presence, serving more than 14,000 financial institutions in more than 90 countries worldwide. For more information on Fidelity National Information Services, please visit www.fidelityinfoservices.com.

• enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
• each transaction will have a distinct key from all other transactions, except by coincidence,
• if a present key is compromised, past and future keys (and thus the transactional data encrypted under them) remain uncompromised,
• each device generates a different key sequence,
• originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.

By Steve Evans - CBR security

Twitter, the phenomenally popular micro-blogging site, faces more question about its security procedures after a French hacker claimed he accessed the account of a Twitter employee with administrative rights.

The hacker claimed that this enabled him to access Twitter accounts belonging to US president Barack Obama and singers Britney Spears and Lily Allen. He posted screenshots taken during the break-in on a hacker forum.

The screenshots appeared to show email addresses, mobile phone numbers and information about other Twitter accounts that had been blocked by the user.

This is the latest security setback for Twitter, which has seen huge growth during 2009. Over the Easter weekend the site was hit by a malware attack that resulted in Twitter identifying and deleting almost 10,000 tweets that could have continued to spread the worm.

Graham Cluley, senior technology consultant at security firm Sophos, said: “This is just the latest in a string of security issues at Twitter in recent months, and the website is surely in danger of losing the confidence of its users who will be rattled by yet another breach.

“Just like with the recent Twitter worm outbreaks, this is not so much a case of Twitter raising awareness amongst its many users about sensible online security, but learning a few lessons itself. Careless security by the micro-blogging site could potentially put millions of Twitter users at risk.”

Recent research from Sophos revealed that two thirds of businesses think social networking is a security risk, as IT admins believe that employees share too much personal information via their social networking profiles.

Facebook beefs up security with MarkMonitor - Security : News   By Steve Evans

Social networking site hit by another phishing attack

Facebook has expanded its use of MarkMonitor’s AntiFraud Solutions to cover malware attacks, after it was revealed on Wednesday that users of the social networking site were the victims of another phishing scam.

Facebook’s users were sent an email claiming to be from the site, but redirected users to FBaction.net where they were asked to enter their username and password. Their details were then stolen by the fake website.

Facebook was already using MarkMonitor’s technology to protect users from potential phishing attacks but has now extended that to cover malware as well.

Facebook has often found itself the target of malware attacks due to its strong brand name and number of users. The impact of malware on a user’s PC can range from deleting important files to capturing personal information such as usernames, passwords and other login information that can be used for identity theft.

Continue Reading at CBR

Security firm Sophos said its latest research into social networking found that 63% of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure – and the sensitive data stored on it – at risk

The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

With social networking now part of many computer users' daily routine – from finding out what friends are up to, to viewing photos or simply updating their online status – Sophos experts note that unprecedented amounts of information is updated every minute.

Frequent use of social networking sites makes them a prime target for cybercriminals intent on stealing identities, spreading malware or bombarding users with spam, Sophos said.

So I guess what they are also saying is that applications such as TwitPay need to be enhanced.  I think we can help Amazon with that. 

Keep in mind, just because Sophos is warning about the security risks of social networking sites doesn't mean they are going to be targeted by Hackers or utilized for phishing attacks. 

Does it?  We'll see.  Stay tuned.  I've got some insider information that both incidents will be covered by the PIN Payments Blog within the next hour and a half!  Click the "Follow Me on Twitter" graphic above right to stay up to date.

Until then, you may read the above article in it's entirety here

Data breach CEOs should face jail: survey - Security : News

A new survey of security executives has revealed that they believe CEOs and board members should face imprisonment for exposing consumers’ confidential data.

The survey, carried out on behalf of Websense at this year’s e-Crime Congress, found that 30% of the 104 respondents believe jail time is a suitable punishment for security breaches that result in the loss of confidential data.

Negligent security procedures should also result in a fine for the guilty company, 62% of respondents believed.

Compensation for consumers whose data had been compromised was favoured by 68% of respondents.

The tables are turning.  If security executives feel that strongly about the crime, then it's time for CEO's to start seriously looking at protecting cardholder data. 

Here's my "hard cell" ... CEO's now have a choice! 

1 PCI 2.0 Approved PED with 3DES End to End Encryption with DUKPT (pronounced DUCK PUT) key management or...
2.  Get PUT away and throw away the key?  (no key management)

I do know that 10 out of 10 people surveyed would rather have HomeATM Monitoring than go to Jail.

Read the Entire Article

'Phantom' withdrawal case concludes in U.K. court

A Halifax bank defends chip-and-PIN, while the plaintiff argues his cash card could have been cloned
By Jeremy Kirk , IDG News Service , 04/30/2009

A one-day trial that raises questions about the security of cash cards used in the U.K. and Europe concluded Thursday, with a decision expected in about a month.

Alain Job sued U.K. bank Halifax in March 2007 over eight withdrawals made from his account in February 2006. Job maintains he did not withdraw a cumulative £2,100 ($3,100). He also maintains he did not authorize anyone else to withdraw the money.

Job decided to sue after the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers, sided with Halifax.

Job is the first person to sue a U.K. bank over a phantom withdrawal and believes one possibility is that his card was cloned. Halifax maintains that it was his exact card that was used to perform the withdrawals and that either Jobs is knowingly trying to defraud the banks or was grossly negligent in handling his card and PIN (personal identification number).

Job admitted at one point during testimony to putting his cash card in his garden outside one night for some inexplicable reason, according to Alistair Kelman, an attorney who watched the proceedings in Nottingham County Court.

Stephen Mason, an attorney who specializes in the collection of digital evidence and has written about case law involving disputed cash-machine transactions is representing Job is "pro bono" i.e. "he's doing Job for Free"

Continue Reading at NetworkWorld

AmEx, Visa Gift Card Claims Construction Upheld