Saw this in Cardline: “European banks could stop accepting magnetic stripe credit and debit cards once European financial companies complete the switchover to the chip-based cards as expected by 2011, says European Payments Council chairman Gerard Hartsink. European banks’ agreement to implement such a prohibition could be detrimental to U.S. cardholders who travel to Europe.” Gee really? You think?

Further from Cardline: “Hartsink says the council may make a decision to strictly use chip cards in 2011, or even as early as 2010. Consultant Dave Birch notes that others besides Hartsink are suggesting a ban on magnetic stripe cards. In a recent blog post he referred to comments from a Singaporean financial regulator calling for a “concerted, global effort to phase out magnetic stripe technology entirely.””

Strong words and a big deal (as in Carl Sagan like big deal—millions and millions of…DOLLARS). The investment necessary on both the issuing and merchant sides of the equation has proven to be the logjam that payment networks and other interested parties (government, etc.) haven’t been able to bust in the US. The mag stripe infrastructure is just too embedded.

If this comes to pass in the next year, I envision a period of hybrid “if you’re traveling to Europe we’ll issue you a special chip card” programs among US issuers, or maybe EMV prepaid cards for those issuers who don’t want the hassle of the extended ad hoc credit issuance. Either way, it will still be a hassle, and could prove to be the catalyst that drives chip issuance in the US.

We shall see…

Apple
The iPhone retains its status as the most popular mobile device, watching adoption steadily rise due to the new 3GS and $99 3G. Growth could jump pending another 4G model release (with significant improvements) but we’ll wait and see come June 2010. Unwilling to ignore its more than 80 million US subscribers, the iPhone joins the Verizon network in 2010 or early 2011 and begins to close in on Blackberry in becoming the market leader.

Blackberry
Blackberry must push for stronger development of their app store and duplicate iPhone-like functionality and simplicity in their product line or risk quickly losing their place as the dominant smartphone manufacturer. Mobile payment capabilities could help give Blackberry a strong leg up in this battle if it can get ahead (and stay ahead) of Apple in this space.

AT&T
Unable to maintain its ironclad grip on the iPhone, AT&T sees subscriber growth flatten and decrease as disillusioned customers move to the Verizon network – no longer “tethered” to the network by their iPhone. AT&T’s promises of a faster and improved network may have come too late.

Verizon
A virtual winner in all aspects, Verizon stands to benefit most from the smartphone war. Subscriber growth will rise as both existing and new iPhone customers switch from AT&T in the hopes of improved coverage areas and faster data access. Revenue will increase as existing subscribers buy iPhones (or other new smartphones such as the Palm Pre) and add the required data plans (and two-year commitments).

Other
Other handset manufacturers such as Palm, Motorola, or Nokia could become significant players in this space with a groundbreaking product but none have posed a threat as of yet. Even the Palm Pre’s release was quickly overtaken by the iPhone “storm”. Mobile payments players also lie in the weeds, waiting for their opportunity to help one of these players stay one move ahead.

Yes this is the largest pilot ever, and yes it bodes well for infrastructure development on the merchant and telco sides of things for the Indian market, but I’ve been hearing about and reading about pilots for going on 6 years now…

This, in combination with the stickers and skins solutions we’ve been seeing latesly (actually, the idea goes all the way back to Orlando and Dallas pilots in 2003), leave us decidedly in limbo with NFC initiatives.

Yes, there is progress, and yes these pilots DO matter, but the key aspects of true NFC and mobile payments realization are still not adequately addressed:
•A strong enough business case for merchants to invest in POS terminals
•A strong enough case for NFC capable handsets to become the norm (investment on the part of handset manufacturers and wireless carriers)

Until each of the above things happens, we’re looking at a niche play. Getting beyond the niche requires non payment value for carriers – stickiness, ARPU, other – and IMMEDIATE payment value for merchants.

A bit of a chicken and egg situation still, and the pilots are chipping away at that stone, but I guess I’m just impatient…

John Ulzheimer, president of consumer education for credit.com, said other card issuers are making similar moves—cutting lines of credit, increasing interest rates or closing accounts altogether—to either improve cash flow, fend off future defaults or shed customers that don’t make them money. These companies also have a deadline.

“The reason they’re doing it now is because as of February next year, it’s going to be much more difficult to make these changes because of the new (credit card reform) law” passed by Congress in May, Ulzheimer said. “They’re in a housekeeping mode right now.

Banks are losing money on their card operations, too, reports MoneyRates blog. Said Cundiff: “From a profitability standpoint, they’ve got to get these people off their books as soon as possible, especially the inactive ones.”

“This cardholder shouldn’t take it personally,” Ulzheimer added. “They’re among a huge crowd of other cardholders that have seen their terms adversely changed over the last 12 to 24 months.”

Young is taking it personally: She plans to switch providers once she’s paid off her Chase card. “They will lose thousands of dollars from me and from others like me.” Read Full Article

The answer in part: Make lemonade out of lemons.

The question is topical because some bankers and vendors seem to believe that security fears erect a nearly insurmountable barrier of entry for Web startups. Though many consumers inherently trust bank security, the reality is that some will be willing to experiment with such sites because they believe there’s an acceptable trade-off between risk and reward.

To get a feel for how Web startups tell their security stories, I examined the sites for Mint, Wesabe, Geezeo and Rudder, which suffered an embarrassing security mishap in May. And it turns out there’s a basic formula that involves creating a perception of security, minimizing the use of personal data, deputizing the customer with financial alerts and disclosure. But most interesting of all to me: Two of the sites spin their biggest functional weakness into a security strength.

That weakness is that users of such sites can only monitor their money. On the contrary, banks and credit unions have the capability to install personal finance management tools that enable customers to both monitor and manage their money. That’s a fundamental advantage for banks and credit unions – if they don’t wait too long to upgrade their tools.

That doesn’t deter Mint, however. Instead, it convincingly treats this limitation as a plus. “You cannot move money with Mint…Mint .com is a ‘read-only’ service…you cannot move money between – or out of – your bank, credit union or credit card accounts.” And in a reassuring video on its site, CEO Aaron Patzer says even if the worst breach occurred, a fraudster “couldn’t really do anything” to drain a user’s accounts.

Rudder takes a similar approach, noting that it has only read-only access to data, “so no one can modify your account or transfer money.” As we saw when Rudder e-mailed highly detailed updates to the wrong customers in May, however, it doesn’t take a hacker stealing money to give an institution a black eye.

The challenge for Web startups is to create a perception of security. As such, the sites variously talk about incorporating “bank-level security,” “industry-standard encryption,” and “the same technology most banks use.” That includes mentioning 128-bit SSL encryption, firewalls, services by the likes of Verisign, HackerSafe, TRUSTe and RSA Security, and calling on the security reputation of their data aggregators. It’s only a slight exaggeration to say they try to conjure up an image of servers guarded by biometric scanners, 24/7 guards and snarling Dobermans. (Still, it’s an image that will be trumped every time by a picture of an inpenetrable vault.)

But the bigger point here is that as much as consumers are anxious about security, they can get over that hurdle if the benefits of the personal finance management tools are strong enough. Past Javelin consumer surveys show that the appeal of such products is that they can enable customers to save time and gain control of their finances. I’ll wager that a survey we have in the field now – for an upcoming PFM report that will examine consumer motivations and behaviors—will reinforce those motives. If banks and credit union wait too long to install personal finance management tools that address those fundamental consumer desires, talking about security will be moot.

More of my blogs on the topic:
> Citi’s ‘myFi’ shows the potential of PFM
> Why Microsoft gave up on Money
> Now on Yahoo: “Mint Lite”
> Rudder’s security blunder bruises entire PFM industry
> In search of perfect PFM at Finovate

There have been several recent cases. Last year, the Metro Boston Transit Authority prevented researchers Zack Anderson, RJ Ryan and Alessandro Chiesa from presenting their findings on flaws within transit cards. When the court order expired, a PDF of the talk was released instead. In 2007, HID prevented Chris Paget of IOActive from giving a talk on vulnerabilities within common work access cards. The most famous example, however, was Cisco’s attempt to silence Michael Lynn, then a researcher at Integrated Systems Security. To avoid a lawsuit, Black Hat allowed Cisco employees to rip pages from the official conference catalog at the last minute. Lynn, who started to give a backup talk instead announced his resignation from ISS and gave his original talk. Ironically, Lynn now works at Juniper Networks.

Granted there are a handful people who attend security conferences for the sake of learning how to take down a network router, fake access to a large corporation, or even ride public transit for free. But each of these actions is still illegal. The positive result of attending a security conference is that a greater number of people are aware that there is a problem and therefore can take steps to mitigate those problems until they are fixed. The positive outweighs the negative.

But flaws within ATMs aren’t exactly state secrets.

Back in April, Verizon Business released its 2009 Data Breach Report. While I wrote about a finding that certain PCI requirements were most often out of compliance at breached companies (see my new PCI report for more on that), Kim Zetter at Wired.com found another nugget: ATM PIN numbers were being decrypted.

Zetter wrote: “it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side. But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.”

The attacks identified by Verizon Business are focused on device called a hardware security module (HSM). This is a security appliance that typically sits on bank networks. The HSM passes PIN numbers passes from an ATM or retail cash register to the card issuer. The module is supposed to be a tamper-resistant device for encryption and decryption, although Brian Sartin, director of investigative response for Verizon Business, concluded that “PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Whether this is what Barnaby Jack was going to talk about in Las Vegas, we won’t know.

Independent of what individual ATM vendors think, Visa, MasterCard and PCI are taking attacks on the ATM or unattended POS systems seriously. Visa, for example, is implementing a requirement that such systems use TDES encryption by July 1, 2010. The PCI Security Standards Council is also testing HSMs and should have certification guidance soon.

San Francisco, CA, June 30, 2009 – Javelin Strategy & Research (www.javelinstrategy.com) today released a report that examines payment card breaches that have occurred despite compliance measures deployed by the industry. The report, Understanding How PCI-Compliant Companies Can Be Breached, also presents how consumers and merchants are concerned whether PCI vendors are secure in the wake of the breach at Heartland Payment System – one of the largest data breaches in U.S. history.

As part of its ongoing assessments, the PCI Security Standards Council released new guidelines for risk-based compliance as well as qualified security assessor reviews and remediation. The Javelin report evaluates whether these initiatives will calm the concerns of merchants and consumers. The report also includes an update of the payment card industry data security standards (PCI DSS), an overview of emerging technologies, such as tokenization, end-to-end encryption, and Chip and PIN, and covers lessons learned from the Heartland breach.

“The PCI Data Security Standard has raised the high water mark for security,” said Mary Monahan, Managing Partner & Research Director. “But there’s a persistent myth that compliance guarantees security. The reality is that PCI compliance is only a baseline. It needs to be monitored constantly as the threat landscape changes.”

Key Findings – Understanding How PCI-Compliant Companies Can Be Breached:

• The top three breach vulnerabilities of PCI-compliant companies occur because of poor tracking and monitoring, insecure Web applications, and inadequate protection of stored cardholder data.
• The PCI Data Security Standard has helped increase the safety of cardholder data and compliance rates are improving, but compliance does not ensure security.
• At PCI-certified companies that are breached, many compliance requirements are often found to be out-of-compliance.
• The need for keeping PANs for potential charge-backs remains unanswered.

“The notion that certified PCI-compliant companies cannot be breached is a myth,” said Robert Vamosi, Research Analyst, Risk, Fraud, and Security. “Our research has found that qualified security assessors can mishandle the PCI certification process or businesses may be compliant during the audit, but not follow-through later. In addition, compliance improves security, but it does not prevent breaches. Merchants, the PCI Council and issuers must continue to work together to resolve reoccurring complaints and speak with one voice against the common threats of loss and fraud.”

About Javelin Strategy & Research

Javelin is the leading independent provider of quantitative and qualitative research focused exclusively on financial services topics. Based on the most rigorous statistical methodologies, Javelin conducts in-depth primary research studies to pinpoint dynamic risks and opportunities. Javelin helps its clients achieve their initiatives through three service offerings, including syndicated research subscriptions, custom research projects and strategic consulting. Javelin’s client list includes some of the largest banks, credit unions, card issuers, and technology enterprises in the financial services industry. For more information about this or other Javelin reports, please visit www.javelinstrategy.com/research or contact Elizabeth Travers at (925) 225-9100 or etravers@javelinstrategy.com.

The FTC investigation was initiated in response to media reports that CVS pharmacies, the nation’s largest chain, with over 6,300 locations, were routinely disposing of sensitive personal information in open dumpsters. The FTC says the allegations included information such as “pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including social security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers.”

The FTC compliant focused on claims by the company: for example, “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” After the investigation, the FTC alleged the claim was deceptive and that CVS security practices were unfair, both in violation of the FTC Act.

Because Protected Health Information (PHI) was involved, a separate Health and Human Services (HHS) investigation was initiated for violations of the Health Insurance Portability and Accountability Act (HIPAA).

In February the FTC detailed the settlement. It requires CVS to obtain, “every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.” The settlement also bars CVS from future misrepresentations of the company’s security practices.

In a related settlement, CVS will pay HHS $2.25 million for the HIPAA violations.