Three men were indicted on charges of being responsible for five corporate data breaches in a scheme in which the card numbers were stolen from Heartland Payment Systems, 7-Eleven Inc and Hannaford Brothers Co, federal prosecutors said in a statement.

The suspects also hacked two unidentified corporate victims, the U.S. attorney’s office in New Jersey said in the statement.

Prosecutors allege Albert Gonzalez, 28, of Miami, and two unnamed Russian coconspirators targeted large corporations by scanning the list of Fortune 500 companies and exploring corporate websites before setting out to identify vulnerabilities.

The suspects would seek to sell the data to others who would use it to make fraudulent purchases, the statement said.

In one example, the suspects went to retail locations to identify the type of checkout machines, and after further investigation into the computer systems they uploaded information onto servers that worked as hacking platforms, the statement said.

“These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and subsequently to launch the hacking attacks,” prosecutors said.

“The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice,” the statement said.

(Reporting by Daniel Trotta; Editing by Maureen Bavdek)

© 2009 Thomson Reuters. All rights reserved. Reuters content is the intellectual property of Thomson Reuters or its third party content providers. Any copying, republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Thomson Reuters. Thomson Reuters shall not be liable for any errors or delays in content, or for any actions taken in reliance thereon. “Reuters” and the Reuters Logo are trademarks of Thomson Reuters and its affiliated companies. For additional information on other Reuters media services please visit http://about.reuters.com/media/.

Better Business Alliance will be looking to assist CDLA member’s base of over 350 member lawyers throughout California. In part, the Better Business Alliance will provide all Associate member Lawyers with “Evidencing” documentation that support their current “retail” high costs, and provide Member lawyers with the ability to process at a wholesale level eliminating lawyer members from ever falling victim to high credit card processing costs again.

updated 5:45 a.m. MT, Mon., June 15, 2009

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.

The government leaves it to card companies to design security rules that protect the nation’s 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you’ll spend weeks straightening your mangled credit, though you can’t be held liable for unauthorized charges. Even if your transaction isn’t hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.

More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn’t detect it. Even the companies that had the payment industry’s top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.

Companies that are not compliant with the PCI standards — including one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don’t have to endure security audits, but can evaluate themselves.

Credit card providers don’t appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.

That is of little consolation to consumers who bet on the industry’s payment security and lost. according to the AP’s analysis of data breaches dating to 2005.

It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.

LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees — which were eventually refunded — while the banks investigated.

“Maybe somebody who doesn’t live paycheck to paycheck, it wouldn’t matter to them too much, but for me it screwed me up in a major way,” she said. LaMotte says she pays more by cash and check now

It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford’s servers that snatched customer data while it was being sent to the banks for approval.

Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers — a golden ticket to hackers that enables all kinds of fraud.

Superficial guidelines
In the past, each credit card company had its own security rules, a system that was chaotic for stores.

In 2006, the big card brands — Visa, MasterCard, American Express, Discover and JCB International — formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.

Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.

That leaves plenty of merchants out, of course, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.

Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.

“It’s like going to a doctor and getting your blood pressure read, and if your blood pressure’s good you get a clean bill of health,” said Tom Kellermann, a former senior member of the World Bank’s Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google’s Internet payment processing system.

Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.

“PCI compliance can cost just a couple hundred bucks,” said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. “If that’s the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need.”

For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there’s little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud.

And retailers with fewer than 6 million annual card transactions — a group comprising more than 99 percent of all retailers — do not even need auditors. They can test and evaluate themselves.

Inconsistent audits
At the same time, the card companies themselves are increasingly hands-off.

Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa’s.

In the U.S., that means fewer than 100 payment processors out of the 700 that Visa works with are PCI-compliant.

Visa’s head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry’s security “considerably.”

“I think we’ve made a lot of progress,” he said. “While there have been a few large compromises, there are many more compromises we feel we’ve helped prevent by driving these minimum requirements.”

Representatives for MasterCard, American Express, Discover and JCB — which, along with Visa, steer PCI policy — either didn’t return messages from the AP or directed questions to the PCI security council.

PCI’s general manager, Bob Russo, said inspector certification is “rigorous.” Yet he also acknowledged that inconsistent audits are a problem — and that merchants and payment processors who suffered data breaches possibly shouldn’t have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.

The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.

Those reviews merely scratch the surface, though. Only three full-time staffers are assigned to the task, and they can’t visit retailers themselves. They are left to review the paperwork from the examinations.

The AP contacted eight of the biggest “acquiring banks” — the banks that retailers use as middlemen between the stores and consumers’ banks. Those banks are responsible for ensuring that retailers are PCI compliant. Most didn’t return calls or wouldn’t comment for this story.

Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase, said his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or e-mail.

“We have faith in the certification process, and we really haven’t doubted the assessors’ work,” Herman said. “It’s really the merchants that don’t engage assessors; those get a little more scrutiny.”

He defended the system: “Can you imagine how many breaches we’d have and how severe they’d be if we didn’t have PCI?”

Steps to stop leaks
Supporters of PCI point out nearly all big and medium-sized retailers governed by the standard now say they no longer store sensitive cardholder data. Just a few years ago they did — leaving credit card numbers in databases that were vulnerable to hackers.

So why are breaches still happening? Because criminals have sharpened their attacks and are now capturing more data as it makes its way from store to bank, when breaches are harder to stop.

Security experts say there are several steps the payment industry could take to make sure customer information doesn’t leak out of networks.

Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.

For example, TJX Cos., the chain that owns T.J. Maxx and Marshalls and was victimized by a breach that exposed as many as 100 million accounts, the most on record, has tightened its security but says many banks won’t accept data in encrypted form.

PCI requires data transmitted across “open, public networks” to be encrypted, but that means hackers with access to a company’s internal network still can get at it. Requiring encryption all the time would be expensive and slow transactions.

Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.

PCI could also be optional. In its place, some experts suggest setting fines for each piece of sensitive data a retailer loses.

The U.S. might also try a system like Europe’s, where shoppers need a secret PIN code and card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it’s harder to use counterfeit cards), but transferred it elsewhere — to places like the U.S. that don’t have as many safeguards.

A key reason PCI exists is that the banks and card brands don’t want the government regulating credit card security. These companies also want to be sure transactions keep humming through the system — which is why banks and card companies are willing to put up with some fraud.

“If they did mind, they have immense resources and could really change things,” said Ed Skoudis, co-founder of security consultancy InGuardians Inc. and an instructor with the SANS Institute, a computer-security training organization. Skoudis investigates retail breaches in support of government investigations. “But they don’t want to strangle the goose that laid the golden egg by making it too hard to accept credit cards, because that’s bad for everybody.”

Debra Aragon, Founder Better Business Alliance

Better Business Alliance “SO THEY SAY”

‘There’s no good answer here’
Academics and economists who have studied the issue of interchange fees say one big problem is that there’s no real way of knowing what the justifiable value of an interchange fee is, let alone how one would go about regulating such fees.

Better Business Alliance “response”; considering there are over 300 interchange base wholesale rates mandated by VISA and MasterCard Association and where all banks/processors price their costs over these wholesale base rates, “their profits” then the justifiable value is then predicated on controlling the banks/processors costs over the interchange base rates. WAKE-UP! The mere statement “There is no good answer” is just another bogus manipulation leading merchants to believe there is no solution.

“The question is whether they’re using their market power to make an excessive profit, and, if so, what would you do about it?” said Richard Schmalensee, a professor of applied economics at Massachusetts Institute of Technology, who has studied the issue. “There’s no good answer there.”

Schmalensee said it’s also hard to judge how much, if any, impact the fees have on the prices that are eventually charged to the consumer. That’s because so many factors go into pricing individual items.

Better Business Alliance “response”; STOP trying to confuse this situation by implying “there are so many factors go into pricing individual items? The only Factor here the costs Banks and Processors charge over the set base rates. Why not start training merchant sales representatives to stop pricing merchants with one single rate for Qualified, Mid-Qualified, Non-Qualified and now the new category Partially Qualified. Tiered price structure produces huge profits for the bank, processor and huge residual income for the sales representative-GET REAL!

Retailers, card industry escalate fight over fees Merchants ask Congress to step in with more regulations for issuers

By Allison Linn

Senior writer

msnbc.com

7-11 CEO Joe DePinto speaks amid boxes of petitions during a press conference September 30. DePinto announced that 7-11s across the country have collected some 1.66 million signatures on a petition calling on Congress to pass legislation to stop credit card companies from charging unfair, non-negotiated transaction fees.

The two sides are embroiled in an increasingly nasty fight over the fees retailers are charged every time a credit or debit card is swiped. And consumers are in the middle.

Retailers argue that the system for setting such fees subjects them to restrictive rules and is not competitive enough. They are calling for congressional regulations.

“The consequences of the card companies’ practices are hurting our customers and are hurting us,” said Mallory Duncan, general counsel for the National Retail Federation and chairman of the Merchants Payments Coalition, which is calling for stiffer regulation of the fees charged to retailers.

Those in the credit card industry counter that the fees are necessary to make the payment system function.

They also say the fees are justified because when a customer uses a card the retailer is reimbursed quickly while the card issuers are taking on the risk that the customer won’t pay. That risk has been amplified over the course of the recession as credit card companies have grappled with a steep increase in chargeoffs because more customers can’t pay their bills.

The American Bankers Association reported last week that bank card delinquencies rose to a record 5.01 percent of all accounts in the second quarter.

“Candidly, card acceptance is not a God-given right. …  It has a cost associated with it, and merchants should be bearing this expense,” Chris McWilton, president of U.S. markets for MasterCard Worldwide, said in a recent conference call with journalists.

Hoping to sway public opinion in their favor, both sides have released competing surveys and polls, launched Web sites and created YouTube attack videos. On the heels of a new bill offering more protection to consumers who use credit cards, the retailers also are hoping to spur Congress to pass legislation regulating the fees.

Last week, executives from the 7-11 convenience store chain went to Washington to hand-deliver a petition they circulated asking customers to “help us stand up to the credit card companies and put an end to these unfair credit card fees.” MasterCard immediately countered with a survey it said showed the 7-11 petition was misleading.

Margaret Chabris, a 7-11 spokeswoman, said company officials agree some fees should be paid, but they think the current system is unfair. They planned to meet with politicians but are not offering a specific proposal, she said.

“All we’re asking for is that they be looked into,” she said.

Complex system
Everyone agrees that the charges, called “interchange fees,” are complex and hard to fully explain to consumers.

Visa and MasterCard, by far the largest players in the market, both offer a long list rates they charge per transaction. The fees can vary substantially depending on where a person shops, what kind of debit or credit card is used and even how much that person spends.

For example, the fees may be lower for supermarkets, who generally have razor-thin profit margins and might not accept cards if the fees were too high. But the fees might be higher if a customer uses a rewards card, such as one offering cash back on purchases, because such cards are more expensive to operate.

The interchange fees can range from a small flat fee to a charge of as much as 3 percent per transaction, with many falling around the 2 percent range, according to MasterCard and Visa’s public fee list.

At 7-11, Chabris said the average rate for in-store sales using all types of MasterCard products is about 2.5 percent per transaction.

The dollar amount of interchange fees has risen sharply in recent years, as more people have begun using plastic for everything from fast food and groceries to cars and luxury items. The Merchants Payments Coalition estimates that the fees totaled $48 billion in 2008.

Retailers say the more widespread use of credit and debit cards, combined with some rate increases, has put pressure on their profits and forced them to charge higher prices.

“(It’s) almost inevitable that the vast majority of these credit card fees get passed on to consumers,” Duncan said.

Duncan said the retailers have only a limited ability to shop for a more competitive rate, because Visa and MasterCard control so much of the market. The other option, to not accept cards as payment, could drive away customers.

]]> http://www.betterbusinessalliance.com/2009/05/there-is-an-answer/feed/ http://www.betterbusinessalliance.com/2009/04/california-auto-body-association-caa-%e2%80%9capproved-vendor%e2%80%9d-huge-mistake/ http://www.betterbusinessalliance.com/2009/04/california-auto-body-association-caa-%e2%80%9capproved-vendor%e2%80%9d-huge-mistake/#comments Wed, 29 Apr 2009 21:59:21 +0000 admin http://www.betterbusinessalliance.com/?p=103 California Auto Body Association (CAA) compromises its member’s profitability by referring Heartland Payment Systems as its new “Approved Vendor” for merchant services. One representative is making hypothetical assumptions in savings when current platform that is available to all CAA Members in California through the State Auto Body Association and Better Business Alliance is in fact a true “uniformed benefit”.

Heartlands representatives specifically stated in an email that pricing is based on an individual bases for CAA Members and is dependent on their sales volume. DOES THIS SOUND LIKE A TRUE BENEFIT? Absolutely not! Prices are guaranteed for three years, do you mean during the contract term of three (3) years. Why is there a contract term in the first place? How about the early termination fee and when asked what this was never received an answer.

You can read about Heartland News all over the internet are you “aware”?

Many CAA Members continue to benefit under the State Auto Body Associations Benefit Processing Platform, eliminating contracts, annual fees, erroneous fees and passing through Interchange at a fraction of the cost. How about a COPY of the actual 2009 Visa and MasterCard Interchange Guide, the same guide used by all banks and processors in the United States. Before you proceed through another litany of changing merchants services and then down the road changing again CAA Members need to really understand the truth and verifiable facts.

Better Business Alliance works in conjunction with the State Auto Body Association to provide true real time savings. And for those CAA Members currently with us, pricing has been reduced to reflect even more savings from the initial amount of money saved CAA members in 2006-2007. Just another “Approved Vendor with another Sales Pitch”.

Perhaps CAA Members need to take a hard look at this unfavorable business topic “Merchant Services” and put a final STOP to having to deal with this aspect of their business again.

The CAA is a wonderful organization working politically for the betterment of the auto body industry. But placing Benefit Providers who are nothing more than Approved “Vendors”, someone really needs to think and address why they stipulate this as a Benefit, when every CAA Member is priced “unequally”.

The Auto Body Industry and all related sectors, including Associations should provide a True Uniformed Benefit that is specific and never wavers.

How About this for starters……………………

From Our Alliance to Your Association and Its Members

“Where Your Association Members Truly Benefit” and “Member Loyalty Matters”

Our Alliance advocacy provides a true uniformed benefit for Association Members of all Industry Types. Designed to benefit and enhance your member’s profitability. Because our advocacy is focused in reforming the way businesses accept and process credit cards we are truly on your member’s side. We are NOT your traditional service provider in any capacity whatsoever.

Our Advocacy places your members first, not the bank or processor. We work to educate and arm your members eliminating the siphoning of their hard earned revenues. A True Uniformed Benefit designed to return money to your members guaranteed.

Association Only Wholesale Processing Platform. The only Association based wholesale processing platform of its kind.

We eliminate all the “sales” ploys and high costs associated with merchant services and at the same time insulating your members from ever having to worry about this aspect of their business again.

All Association Members will receive the actual mandated VISA and MasterCard Interchange Guide the same guide used by all banks and processors in the United States. Documentation, virtually never provided to the merchant.

All Association Members are provided with a comprehensive detailed analysis coinciding with the actual interchange guide for verifiable proof of cost and savings.

An Alliance with a true advocacy and providing a true benefit that is equal and uniformed for all Association Members, designed for members to retain more profits.

Unfortunately most Associations provide third party benefits under the designation of “Approved- Vendor” for it member’s credit card processing needs. These approved vendor costs (processing rates) to your members still remain high and continuously include erroneous fees.

Better Business Alliance through its advocacy in working to reform the high costs associated with the acceptance of credit cards, your Association can really help make a difference for your members concurrently helping us meet our goal to aid in the return of $1,000,000,000.00 (One Billion Dollars) back to association member businesses and small to mid size businesses across America, with continuance effort to exceed this pledge.

Learn more and enhance your association’s recognition. Follow the instructions below for your Associations detailed information benefit packet.

Click here for more information

For starters there are over 300 rate classifications each with it’s own specific base rate.

Visa/MC DOES NOT RAISE all 300 rate classes at any time.

Vast majority of Banks/Processors does not expose the real truth and often Visa and MasterCard LOWERS their base rates for many credit card classifications.

The actual mandated interchange guide set by VISA/MC Association and mandated for all banks and processors is available through the Better Business Alliance and State Auto Body Association. This guide is virtually never provided to merchants because it exposes the actual cost “spread” = profit current processor is earning. As educators we expose the truth and facts.

For your current copy of the Visa/MC 2009 Interchange Guide, please complete our contact form.

cforms contact form by delicious:days

The buzz continues to reach PPG and PPG Platinum Distributors across the United States. To date the State Auto Body Associations has saved PPG Distributors in Oregon, Texas, Louisiana, South Dakota, Minnesota, Iowa, California, Florida, Pennsylvania, Alabama, Wyoming, North Dakota and Georgia. State Auto Body Association is becoming the Auto Body Paint & Supply industries sought after channel in the retention of profits when accepting credit cards. Auto Body Supply Warehouse, and Jobber Chains are also realizing no matter how large their chain of stores may be, assistance from the State Auto Body Association is becoming even more important in insuring that this aspect of their business is in control.

Auto Body Industry Businesses and their CEO’s can no longer leave this aspect of their business in the hands of their controllers, CFO’S, Accountants or even bookkeepers. CEO’S/Presidents are now taking an active role and realize that often time’s egos get in the way or the simple lack of knowledge is actually costing them hard earned revenues. It continues to be proven through the State Auto Body Association that current credit card processing costs for the Auto Body Paint and Auto Body Supply Merchant is more than meets the eye.

Just to name a few of the PPG Distributors across America who are reaping the benefit of savings each month and who no longer have to be concerned about this aspect of their business realizing this is NOT a temporary solution but a long term savings for the lifetime of their business. The Few PPG Distributors listed below most have multiple locations (from 2-19 locations)

• WORTH INDUSTRIAL COATINGS INC
• BRAULT AUTO PAINT & SUPPLY
• SOUTHERN AUTOBODY SUPPLY
• DAKOTALAND AUTOGLASS INC
• CENTRAL CITY AUTO BODY SUPPLY
• BEN TUMA ENTERPRISES INC
• NEDS AUTO BODY SUPPLY INC
• LAKE CITY PAINT & SUPPLY, INC
• LOWE PAINT INC
• AUTOMOTIVE COLOR INC
• TEMECULA VALLEY PAINT INC
• SPECTRUM AUTOMOTIVE REFINISHER
• MARTIN AUTO COLOR SERVICE
• CAPITAL PAINT & SUPPLY, INC
• D & S COLOR SUPPLY CO. INC
• PICKS FOR PAINT
• AB & E WAREHOUSE INC
• TERRY’S AUTO SUPPLY INC

The reasons for their high rates had to do with the confusing tiered rate structure that was set by the merchant bank, all set much higher that the base rates set by the credit card companies themselves. In fact, among their two similar restaurant locations they received inconsistent rate structures, making us wonder how they arrive at the rates that they do.

For example, the Better Business Alliance was able to take the interchange cost at one location from 0.0020 (20 basis points) to 0.0005 (5 basis points), fifteen (15) basis points less.

The CEO of Espetus was shocked at what they had been paying, and now he’s pleased that the new savings can be applied to other expenses such as payroll and inventory.

Two Philadelphia law firms have filed class action suits on behalf of all cardholders in the U.S. who had their credit or debit card data stolen in the Heartland Payment System (HPY) data breach. This brings to three the total number of class action lawsuits filed against the Princeton, NJ-based payments processor.

So that’s another reason to join the Better Business Alliance. We’re powered by the number one processor in the world, and your customers’ data is in good hands with us.

Keying in credit card numbers can be costly if not properly educated in understanding Visa and MasterCard Interchange in comparison to current costs.

Solar energy is becoming a big play for heating and air conditioning contractors a spin off of going green and saving energy. In order for these contractors to have the ability to compete they must cut back costs.

A proven example just recently for two Bay Area Heating and Cooling contractors resulted in a 40% monthly savings for one and the other 87% monthly savings off of their current credit card billing. Contractors need to know while in the slow season and before business starts to HEAT-UP they need to COOL down their costs.