ARTICLES AND AWARDS

First Data, PrivaSys Sign Licensing Deal

Mon, 27 Feb 2012 15:39:00 GMT

ATM MarketPlace.com
DENVER - First Data Corp. and PrivaSys Inc., provider of software and card technology, have entered a long-term licensing agreement that allows First Data to process contactless and other emerging payment transactions for its financial institution and merchant clients throughout the world. The PrivaSys solution is available in various form factors, including conventional plastic cards, mobile phones, PDAs and electronic key fobs.

According to a news release, through the PrivaSys' portfolio of patents, First Data expects to expand and develop its contactless-product offerings and migrate to other offerings such as mobile payments for debit, credit and stored-value accounts.

Boston-based consultancy Celent LLC estimates global mobile commerce revenue will more than double by 2008, hitting $54.6 billion in 2008. Contactless mobile commerce is estimated to account for $6 billion of that revenue by 2008.

"First Data is committed to helping our partners and clients quickly and easily adopt important emerging payment technologies," said Barry McCarthy, First Data's president of product innovation for commercial services. "This agreement enhances First Data's ability to leverage our global payment infrastructure to support contactless, mobile and other emerging payment forms."

PrivaSys to Open $17m R&D Centre Here - Global Entrepolis @ Singapore

Mon, 27 Feb 2012 15:39:00 GMT

By Roland Lim
CALIFORNIA-BASED card payment solutions provider PrivaSys will open an Asia Pacific R&D centre in Singapore.

The $17 million-plus PrivaSys Card Technology Centre of Excellence at Serangoon Industrial Park - announced yesterday at Global Entrepolis @ Singapore - will employ about 30 engineers within two years. PrivaSys chief executive officer Joan Ziegler said the facility will also host a sales and marketing team and a technical services team.

PrivaSys also announced yesterday the appointment of local contract manufacturer Cinch Electronics as its primary card producer. Cinch's chief executive Ng Kok Heng said: 'We currently have the capacity to produce three million cards a year, and can easily scale up to produce 20 million cards a year next year.' Cinch will work with locally-located chip tester UTAC on parts of the manufacturing process.

PrivaSys produces secure card payment solutions compatible with existing magnetic strip card hardware used by banks and credit card companies. Its SecureSys cards contain electronics capable of producing a unique code for each transaction, which when used with its proprietary Vault software can help reduce fraud.

PrivaSys also offers a card that incorporates a keypad for the user to key in a personal identification number to activate it, and a card that allows the user to consolidate several credit cards into a single card.

Ms Ziegler also said PrivaSys will announce its first customers in the region in December, and expects to launch its products in the first quarter next year, with the initial focus on China, Hong Kong and Taiwan.

She declined to say how much more its cards will cost over conventional cards, but said card issuers can provide them initially to high-value customers who will generate enough revenue to offset the cost.

Smart Card Aims to Fight Fraud

Mon, 27 Feb 2012 15:39:00 GMT

By Alfred Hermida, BBC News Online
A smart card that generates a one-off number every time you use it could help tackle credit card fraud.

Developed by a San Francisco company called PrivaSys, it has an internal chip that can hold your credit and debit card details on a single piece of plastic identical in size and shape to all your other cards.

The smart card comes as the major credit card companies and financial institutions look for ways of making their cards more secure.

Card fraud cost the UK £292.6m in 2000, an increase of 55% in a year, according to the Association for Payment Clearing Services.

Packed with technology

The PrivaSys card has a calculator-styled keypad, a small Liquid Crystal Display (LCD) screen, a thin battery, a special magnetic stripe and a tiny processor microchip.

"There were initially big desktop computers, and then we had laptops, then Palm Pilots," explained PrivaSys CEO, Joan Ziegler.

"Now, we've taken that technology and jammed packed it into something the size of a conventional credit card."

The technology patented by PrivaSys enables smart credit cards to generate disposable numbers for each purchase.

When you go to a shop or restaurant, you punch in a four-digit Pin into the card to come up with a unique number to that sale.

The card can then be swiped through existing card-reading devices and the account is debited.

Enhanced security

For additional security, the card has a photograph of the cardholder.

"You have some real-time authentication so if someone stole your card, they couldn't impersonate you because the picture wouldn't match," Ms Ziegler told the BBC's Go Digital programme.

The LCD display on the card would also let you receive text messages about special offers, perhaps a free soft drink in a fast-food restaurant or an upgrade to first class when seats are available.

"So if you had an airline mileage card, they could send you an offer of double points if you are purchasing a flight on a Tuesday," said Ms Ziegler.

The major credit card companies, Visa and Mastercard, are working on their own schemes to stop fraud.

In a scheme run by Visa, card users attach a password to their card number, making the number useless to a criminal who does not know the password.

For its part, Mastercard's security plan involves consumers' downloading a special software key that would be used by merchants to verify their identity.

Link to original article

Frost & Sullivan Awards

Mon, 27 Feb 2012 15:39:00 GMT

By Shalini Chowdhary, Frost & Sullivan
"It is with great pleasure that we present PrivaSys with the Frost & Sullivan 2002 Market Engineering Company of the Year Award in the area of smart cards and payment solutions," said Shalini Chowdhary, Frost and Sullivan's leading smart card analyst.

"PrivaSys' card is more than just a smart chip-enabled debit or credit card. With the keypad and display screen, a thin battery, a special magnetic stripe and a tiny processor microchip, you're getting a tiny operating system on a credit card, enabling fraud prevention, multiple cards-on-a-card, and interactive promotions at the point of sale."

New Business Must Be Built on Real Market Needs

Tue, 28 Feb 2012 22:26:00 GMT

By Marsha Walton, CNN Sci-Tech
"Another tiny piece of hardware...sort of "one size fits all" credit card from PrivaSys. The single card could replace the bank, department store, credit, debit and gas cards that stuff many a purse and wallet. And because it can't be used without the owner entering a PIN number, it's more secure than most current charge cards."

Tech Innovation Thrives, Despite Stock-Market Blues

Mon, 27 Feb 2012 15:40:00 GMT

By Don Clark, Wall Street Journal
"...entrepreneurs are still improving hardware, software and technology-based services at a frantic rate....PrivaSys, Inc., of San Francisco, will show a credit card with a tiny display and buttons that can consolidate multiple credit and debit cards into one-while using existing card-reading devices in stores and restaurants."

Link to original article

Radical Gizmos Arrive at Demo Conference

Mon, 27 Feb 2012 15:41:00 GMT

By Edward C. Baig, USA Today
PHOENIX — Picture this scenario. You're walking along when you notice a poster for a Springsteen concert. "The Boss is coming here!!!???" So you grab your cell phone, aim it at a bar code on the poster, and are wirelessly connected to an online ticket agent.

The device is equipped with a tiny digital camera and CodePoint, a software program from Mitigo (www.mitigo.com), a Woburn, Mass., start-up. It allows mobile phones, handhelds and other devices to read bar codes at the train station, on taxi signs and in advertisements.

CodePoint is probably a year away in the USA, perhaps six months away in Japan. But it was among the promising technologies unveiled at the 12th annual Demo conference that ended here Tuesday. I can always count on seeing cool things at this shindig — Demos past, after all, have provided the coming-out party for the Palm Pilot, E-Trade, Handspring, and the Java programming language. But there are no guarantees of market success, especially in times as economically troubling as these.

A week ago, I previewed a brand-new credit card scheme shown at this year's event; PrivaSys has the potential to cut down on wallet clutter by securely storing all of your credit cards on a single card. On Monday, I wrote about the future of personal robots, as seen through the eyes of tech entrepreneur Bill Gross. His new Idealab company, Evolution Robotics (www.evolution.com), aims to spawn a new generation of thinking robots for use in homes and offices.

Robots notwithstanding, I saw fewer products aimed at the masses than in the past — many of the 65 technologies on display were targeted at servicing "enterprises" (industry jargon for big businesses), wireless infrastructure and so-called Web services.

Microsoft, which always seems to be a major presence at these gatherings, unveiled a couple of pieces of its .Net (pronounced dot-Net) strategy, including MSN Money Professional, geared to the investment advisers who manage your portfolios, and software development kits for adding speech to the Web.

The gang from Redmond also demonstrated handwriting recognition capabilities for a class of next-generation Tablet PCs. As their name suggests, the machines are transformed from regular notebooks to writeable tablets when you rotate and fold down their screens — models will be produced by leading hardware makers and could turn up before year's end.

Meanwhile, FullAudio (www.fullaudio.com), which licenses music from several labels and makes it available through subscription services (it has rights to about 100,000 tracks), chose Windows Media to manage those digital rights for its subscription platforms. FullAudio is launching "Music Clubs" with some 30 major radio stations. Listeners have on-demand digital access to the tunes they hear.

Other quick Demo hits: ArrayComm (www.array comm.com) is working on a cellular system that promises to offer mobile users speeds of up to 1 MB a second of bandwidth, with 40 times the data capacity of so-called 3G (third-generation) networks. And IXI Mobile (www.ixi.com) announced a Personal Mobile Gateway, or PMG, a pocket-size device that acts as a personal server for wireless Bluetooth devices, including cell phone, instant messaging and e-mail.

A PMG, messaging device and phone would likely cost less than $200.

Other intriguing developments on the Demo stage:

ActualDepth display (www.actualdepth.com). Deep Video's ActualDepth computer display is one of the loveliest I've seen. Well, it ought to be; the 13.3-inch multidimensional LCD model I was drooling over costs about $3,600, and prices for larger screens climb from there. But what makes ActualDepth so inviting is the fact that one transparent LCD is layered on top of another, giving the illusion of three dimensions (white is actually transparent; black is opaque). The monitors work with existing hardware and software.

Consumers may get their first peek at the monitors in arcade games or in casinos. But in a couple of years, prices could fall enough to start showing up in homes.
Fastap (www.digitwireless.net). By now, most of us have mastered dialing a cell phone. But entering data continues to be a major obstacle for anyone who wants to use a portable handset for text messages, e-mails or adding names to a phone's address book; entering punctuation always throws me.

Digit Wireless, of Cambridge, Mass., aims to replace the nearly 50-year-old 12-button phone keypad with a new alphanumeric pad about one-third the size of a business card. Fastap is actually a matrix of raised and lowered keys — all the letters of the alphabet are represented by tiny raised keys. Phone digits reside in adjacent valleys — my fingers had no problem dialing a phone number, though tapping out letters took a little getting used to. There are also dedicated (lower) keys for @, ?, ., shift, delete, space, and a one-touch button to the Web. The technology should be built into phones later this year — pricing has not been set.
LindenWorld (www.lindenlab.com). I like to think it's because I'm so grounded in the real world that I've not been really big into online role-playing fantasies. But LindenWorld, which feeds off broadband networks, gigahertz-class PCs and souped-up graphics cards, provides stunningly realistic streaming 3-D images. Funded by former Lotus honcho Mitch Kapor and run by a former RealNetworks exec, it'll offer a real-time subscription service in which players build a world with weather, plants, animals and objects that obey the laws of physics (e.g., balls will bounce). Or you could just play in worlds that other folks produced. Out later this year; no pricing yet.
PrinterOn (www.printeron.net). Road warriors will appreciate this one. How many times have you needed to print something off a PDA or a laptop while visiting a hotel or client's office? A Canadian company called PrinterOn has concocted a way for travelers to wirelessly print documents or Web pages from virtually any public (or otherwise available) printer via the Internet. You download the software (it's already integrated into the new wireless Palm i705), pay a subscription fee ($4 to $8 a month), and you can search for a list of printers available for use in your area.
Space Data Skysite Network (www.spacedata .net). Here is one Demo item full of hot air — well, almost. Space Data plans to fill the gaps in wireless coverage by attaching repeaters to helium and hydrogen weather balloons launched twice a day in 70 locations. The four-pound payload includes all the circuitry, a GPS receiver, battery, antenna and parachute for when the balloon comes falling back to Earth, 24 hours after launch. Each balloon climbs 100,000 feet, providing coverage for a 350-mile diameter area — a typical cell tower covers only a six- to 12-mile diameter. This could be good news to folks who can't get voice and wireless data because of where they live, or who travel to outlying areas (and in major cities, too) — Space Data points out that 80% of the U.S. population lives on 10% of the landmass. And to think the weather balloons have been around about 60 years. Space Data is attempting to strike deals with the National Weather Service and various wireless carriers. If everything, um, flies, this may improve U.S. voice coverage in about two years.
N-Charge Power System (www.valence.com). I've attended conferences such as Demo in which audience members type notes right into their laptops (I'm one). But 90 minutes into the session, attendees are starting to fold down the screens. Another hour slips by and more people shut down. The issue, of course, is battery power. Valence Technology's upcoming N-Charge Power System provides up to 10 hours of juice for notebooks or five days of non-stop cell phone talk. The form is a little off-putting at first; the lithium-ion-powered device has the footprint of a laptop. But the half-inch-thick N-Charge could easily slip into a briefcase or the seat pocket of an airplane, and may in fact be easier to schlep than a bulky spare battery. Cost: $200 to $400; available in the spring.
Zinio Reader (www.zinio.com). I've never been fond of reading magazine articles on a computer screen. But the new Zinio Reader software allows publishers to deliver magazines digitally. They mimic the precise look and feel of an actual publication, complete with ads, graphics, etc., while adding a variety of interactive and multimedia elements. These include zippy navigation, search and annotation tools. Subscribers can receive and archive the entire publication in digital form. It just might be a nifty application for one of those Tablet PCs. But I'm not yet convinced that anything beats paper.

Link to original article

One Smart Card for All Your Debts

Mon, 27 Feb 2012 15:41:00 GMT

By Edward C. Baig, USA TODAY
The annual Demo conference that kicks off in Phoenix next week may be the most influential high-tech gabfest you've probably never heard of. But Demo is very much on the radar screen of technology luminaries across the spectrum — executives, financial analysts, venture capitalists and the press.

No wonder. Demo has been the launching pad for everything from E*Trade to the PalmPilot. And though most of the 66 new products and services are being kept under wraps until the conference opens Sunday, this year's event will flaunt advances in battery technology and computer displays, along with new features for Microsoft's Tablet PC. I'll elaborate on the goings-on at Demo in next week's column.

But for now, here's a sneak peek at one new technology that will surely appeal to anyone whose wallet bulges from carrying too many credit cards: A San Francisco company called PrivaSys will demonstrate a battery-powered electronic credit card with an internal chip capable of holding, say, an American Express, MasterCard and Visa — plus your debit cards, gas cards and all other accounts — on a single piece of plastic identical in size and shape to your other cards. Of course, PrivaSys is quick to point out that a whole lot of complicated industry association issues must be dealt with before each of the various financial institutions could appear on such a card. (PrivaSys has struck a deal with First Data, the largest credit card processor.) Merchants, by the way, need not change point-of-sale magnetic stripe terminals.

For security purposes, whenever a consumer wants to conduct a transaction, he or she punches in a PIN directly on the card's built-in keypad, generating a code unique to the sale. The plastic includes a 10- to 16-digit readout for displaying credit card information and to let folks select the appropriate charge account to use at the store — you push arrow keys on the keypad to scroll through the list of accounts held on the card. The cards also will be able to store "loyalty" account info, allowing instant coupons and other rewards, perhaps a free soft drink in a fast-food restaurant or an upgrade to first class when seats are available. An icon on the card's readout may light up when you earn such an award.

Direct link to original article:
http://www.usatoday.com/life/cyber/tech/review/2002/2/06/smartcard.htm

Building an Online Fortress

Mon, 27 Feb 2012 15:42:00 GMT

By Linda Punch, Credit Card Management
The incidents are becoming increasingly commonplace. A hacker breaks into a processor’s database and steals 4.5 million credit card account numbers. Another fraudster downloads software from the World Wide Web that allows him to generate actual credit card account numbers that are used to buy products and services. An organized crime ring steals account numbers from a merchant’s Web site, threatening to post them on another site if the merchant doesn’t pay a $200,000 ransom. The litany of cyberfraud seems to go on and on.

It’s hard to say just how much money online merchants, acquirers, issuers, and consumers are losing to hacker attacks and other types of cyberfraud. That’s because victims often are too embarrassed to report the incident. In some cases, merchants may not even know they’ve been attacked. “There’s been a vast underreporting of events,” says Tracey Vispoli, cyber solutions manager in Warren, N.J.-based Chubb & Son’s department of financial institutions. Chubb offers insurance that protects financial institutions from Internet-related security breaches.

What is clear is that electronic commerce is big business—Forrester Research Inc. estimates consumers spent $3.2 billion online in June alone—and crooks want their piece of the action. In 2000, fraud losses for all Internet-initiated payments totaled about $1.6 billion, and are expected to reach about $9 billion this year, according to Meridien Research Inc. And that doesn’t take into account such intangibles as the loss of public confidence when a consumer reads of a hack attack against an online merchant and takes his business elsewhere.

“Merchants are exposed to fairly significant goodwill damage when a site is hacked and consumer information is put at risk,” says Brian Buckley, Visa International vice president of international risk management.

To be sure, online fraud is nothing new. One of the first widely publicized attacks came in 1995, when hackers breached Netscape Communications Corp.’s software for navigating and doing card transactions in cyberspace. That attack, followed in short order by several similar incidents, prompted Visa International and MasterCard International to develop encryption standards for sending account numbers and other confidential information over the Internet.

What is different about the more recent breaches is that cybercrooks are becoming increasingly sophisticated and more organized in their attacks. “In the old days, it used to be kids with credit card generators filling out forms with names like Monica Lewinsky, Mickey Mouse, or Bill Clinton, things like that,” says Jeff King, director of risk management at Mountain View, Calif.-based CyberSource Corp. Software for generating credit card account numbers and white papers on how to use those numbers to defraud online merchants are readily available on the Internet, he says. In such cases, typically only a small number of cards are involved.

But today’s crooks are stealing hundreds and thousands of credit card account numbers from Web sites or skimming them off the magnetic stripe of cards used to pay at restaurants and other merchants, usually in collusion with employees, King says. “There are gangs in New York, Los Angeles, Baltimore and parts of Texas that are operating and systematically stealing identities from restaurants and other online places and using these identities online.”

The new breed of fraudsters, typically members of an organized crime ring, then make hundreds of purchases, using a different account number each time. Often purchases are routed through Internet service providers overseas and shipped through warehouses or freight forwarders to locations outside the U.S. That makes it harder to detect fraud, King says.

Crooks also are using the theft of account numbers and other confidential data to extort money from merchants, processors, issuers, and others. Indeed, the Federal Bureau of Investigation in March warned merchants to beef up their security, citing the increase in fraudulent activity by organized hacker groups in Eastern Europe.

In one high-profile case, hackers attempted to extort money from financial-services company Bloomberg L.P. after breaking into its database. The hackers were later caught after Bloomberg worked with the FBI to track them down.

These increasingly complex schemes devised by fraudsters make it less likely that any single fraud-screening measure will be effective, King says. He notes, for example, that because crooks often steal information such as billing address and phone number in addition to the account number, address verification won’t work. “What we’ve found is that almost no one (fraud-screening) test is useful anymore,” he says.

As crooks become more devious, the card associations and risk-management vendors are developing tools for protecting cardholder account numbers and other confidential information online. They range from software that allows cardholders to lock and unlock their accounts to cardholder authentication.

One of the more recent weapons being deployed to protect merchants, issuers, acquirers, and others from Internet-related fraud losses is so-called cyber-risk insurance. Policies are being offered by a handful of insurers, including Chubb Group, Lloyds of London, the St. Paul Companies, and RC Knox & Co., an insurance subsidiary of Bridgeport, Conn.-based People’s Bank.

Cyber-insurance is designed to cover e-fraud losses that don’t fall under the traditional fidelity bond and computer-crime insurance. “Fidelity bonds were developed many years ago, way before this technology was even contemplated,” says Vispoli.

For example, computer-crime insurance covers only “old-fashioned” viruses introduced by someone entering a company’s premises, “sticking a diskette into a computer, and launching a virus attack within the internal system,” Vispoli says.

Nowadays, though, viruses can enter a computer system via an Internet service provider, she says. “They’re basically being transmitted from thousands and thousands of miles away.”

Chubb’s CyberSecurity product also provides coverage if a financial institution is found liable for theft of confidential customer information, suffers a direct loss resulting from accepting a consumer’s electronic signature on secured loan agreement and the signature is later found to be fraudulent, or suffers a loss of income and incurs extra expense due to a hacker crashing its Web site by flooding it with e-mail.

CyberSecurity will even reimburse financial institutions for ransom paid to keep a fraudster from posting stolen account numbers on the Web, as well as other expenses associated with a ransom attempt, Vispoli says.

But not all insurance companies are targeting financial institutions. RC Knox in June launched the eTailer Fraud Solution Insurance Policy to protect e-merchants from catastrophic card fraud and chargebacks. RC Knox is offering the insurance in an alliance with Retail Decisions Inc., a card transactions-services business, and Risk Management Solutions, a specialist in credit card fraud insurance. Merchants signing up for the service must use Retail Decisions’ fraud protection and detection solutions.

ETailer covers not only the cost of the lost item shipped but also the profit related to that sale and the fees related to the chargeback, says Bruce Murray Jr., RC Knox vice president. The insurance policy is custom designed for each merchant, he says.

The policy will cover losses from lost or stolen credit cards, identity fraud, and counterfeit cards. Coverage begins when losses hit $100,000 for a small business, $10 million for a medium-sized business, and $250 million for a large business.

MasterCard also has partnered with Marsh, a unit of Marsh & McLennan Cos., and American International Group Inc. to offer cyber-risk insurance at preferred pricing. With MasterCard’s insurance, merchants “can be as elaborate as (they) like,” Orfei says. “You can take out a policy for $50,000 for a spin doctor to help you with managing your reputation...or it can be as elaborate as business loss, reputation damage, a number of other things,” he says. But cyber-risk insurance is the last resort for reducing card fraud losses tied to the Internet. Both MasterCard and Visa have come forward with multi-pronged technological solutions for preventing and detecting cyber-fraud, including cardholder-authentication services and database security.

MasterCard’s Secured Payment Application, launched earlier this year, uses as its base MasterCard’s Universal Cardholder Authentication Field infrastructure. UCAF is a 32-character hidden field that is embedded at the merchant’s Web site. It collects authentication data generated by issuers and cardholders, creates a unique cardholder authentication value for each transaction, and then forwards it to the issuer with the authorization request. Cardholders register for the service with their issuers. “It’s an issuer-centric solution,” says Stephen W. Orfei, MasterCard’s senior vice president of business development. “All of the intelligence will reside at the server.”

Both merchant and cardholder must register for SPA.

Under SPA, cardholders download digital-wallet software. MasterCard issuers also set up a SPA-enabled wallet server to authenticate cardholders’ identities using an issuer-defined authentication method, such as an ID or password.

When cardholders submit their order, the hidden form field automatically identifies the merchant as a SPA participant. The consumer’s wallet is then launched asks the cardholder to identify himself using the issuer’s authentication system. Once the issuer authenticates the user, the wallet becomes linked simultaneously to the merchant and issuer’s server wallet and the account authentication value is generated as a substitute for the actual card number.

When the merchant’s acquiring bank submits the AAV and transaction information, the data are routed to the issuer’s server wallet, where the merchant’s name is matched with where the consumer’s wallet indicated the buyer was shopping. Once the match is completed, the issuer authorizes the transaction.

Cardholder authentication “is essential if we’re going to realize the promise of the Internet,” Orfei adds, noting that 80% to 83% of chargebacks in the e-commerce channel can be attributed to ‘cardholder-not-authorized transactions.’ “We have to remove the opportunity to deceive.”

Under MasterCard rules, online merchants must accept chargebacks if they can’t validate transactions by showing a cardholder’s signature. “If (an online) merchant fulfills an order and the cardholder says they never authorized that transaction, very often the merchant ends up absorbing the cost,” Orfei says.

But SPA gives merchants the electronic equivalent of a cardholder signature. “Obviously, our intent here is to extend MasterCard’s guaranteed payment into cyberspace,” Orfei says.

Issuers also will save money under SPA, because lower chargebacks mean less costs, Orfei says. “Issuers have to manage the chargebacks, they have to manage the costs associated with that, they have to handle customer service, they have to manage that whole cardholder relationship,” he says.

Visa also has developed a cardholder-authentication model, with implementation under way in the U.S., and pilot programs in Canada, Europe, and the Asia-Pacific region. Visa in July announced that discount chain Target Corp. is one of the first e-merchants to adopt Visa Payer Authentication. U.S. cardholders will be able to enroll in the program through participating banks this fall.

Visa has been working for over a year with about 60 vendors, including Accenture, Cap Gemini Ernst & Young, IBM, Microsoft and Sun Microsystems, to develop the program.

Visa began developing its cardholder-authentication product two years ago after the Secure Electronic Transaction protocol—developed with MasterCard to protect account numbers and other confidential information online—failed to catch on with issuers and merchants, says Tom Manessis, Visa vice president of eCommerce authentication. “We really needed a simpler approach (than SET) that models more the physical world,” he says.

The goal was to develop a “pretty lightweight technology with some pretty basic requirements,” Manessis says. Visa wanted to be able to authenticate the consumer without having to provide specialized software or hardware to the consumer; it wanted a system it could integrate with merchant sites without affecting the merchants’ existing store-front checkout process; and it wanted to leverage its existing payment system, he says.

“The key element is that we didn’t want to impact our existing legacy system between issuing banks, acquiring banks, and Visa,” Manessis says.

The Verified by Visa authentication system is based Visa’s 3-D Secure Global interoperability standard. Under the system, cardholders will need to enroll in the program. When the cardholder makes a purchase, the bank identification number on their offline debit or credit card is routed to a Visa server, which routes the transaction information to the proper issuer for authentication and authorization.

The issuer’s server than opens up a box on the cardholder’s screen asking for a password, similar to a personal identification number-prompt at the point of sale. The cardholder authenticates himself by entering the password. The issuing bank sends a message back to the merchant authorizing the transaction. The transaction is processed within 10 to 15 seconds, “very similar to what you encounter as you’re checking out at a Safeway grocery store,” Manessis says.

Once rolled out globally, Visa expects 3-D Secure to reduce Internet disputes by at least 50%, Manessis says. Currently, Visa’s dispute rate for Internet transactions is about five to eight times higher than the overall dispute rate of 0.1%, he says. Internet transactions represent 2% to 3% of Visa’s total transaction volume of $1.9 trillion.

But authenticating cardholders isn’t the sole focus of MasterCard and Visa. Both associations also are developing data-protection programs merchants can use to secure sensitive cardholder data on their Web sites.

“The biggest issue (in online fraud) is protecting data-base information,” says Jeanne Capachin, an analyst with Meridien. “Do we need to store credit card information on all these merchant databases?”

The MasterCard Site Data Protection Service offers a suite of products to help merchants keep their databases secure, including the Guide to MasterCard Rules and Best Practices for Web Merchants and Acquirers. The guide lists measures merchants can take while conducting business, and discusses the coding of e-commerce transactions, risk monitoring, cardholder disclosure, consumer privacy, and the protection of transaction data.

The SDP service also offers an online automated self-assessment survey designed to evaluate a merchant’s security measures and provide an electronic report that compares results to industry peers. In addition, merchants can use MasterCard’s security scan, which scans a Web site and determines its vulnerabilities. The scan is completed within an hour and a security report issued. “What is really slick about it is it not only shows...how one could attack your site and perpetrate a hack, but also tells you how to fix those vulnerabilities,” Orfei says.

MasterCard members and merchants enrolled in the program can receive additional security services, offered independently from MasterCard’s alliance partners, at a discounted rate. The services include ethical hacking, in which a team of experts attempt to attack a network to uncover potential weaknesses; intrusion detection, Web-site monitoring, and firewall monitoring. MasterCard’s preferred vendors are Predictive Systems Inc. and Ubizen.

Compliance

Like MasterCard, Visa’s Cardholder Information Security Program is built on compliance with a series of best practices and standards for e-commerce (“Visa Takes Aim at Database Thieves,” Card Watch, April). The guidelines include required activities such as updating security systems, encrypting stored data, and using anti-virus software. Visa merchants must comply with the standards by Nov. 1.

Visa is working with the largest merchant enterprises in each of its six regions to make sure “they’re aware of the standards and making efforts to adopt the standards,” Buckley says. He adds that the majority of the largest e-commerce merchants have extensive security programs under way already.

Merchants that fail to comply ultimately face fines, Buckley says. The initial fine for non-compliance is $50,000 and for a second incident is $100,000. Visa management will levy a “more significant fine” if there is a third incident of non-compliance within a rolling 12-month period, according to Visa.

But for now, Buckley says, the focus is on educating merchants and helping them to comply with the standards. “This is something merchants need to adopt in their own best interests, not simply because Visa says it’s a requirement,” he says.

Needless to say, the associations aren’t alone in the quest for online security. ClearCommerce offers FraudShield, a combination of rules-based and neural-network technology which allows merchants to set the criteria for screening out fraud based on their needs, says Julie Fergerson, chief technical officer. “What we’ve found is that a neural network is good for some kinds of fraud and rules-based is good for other kinds of fraud,” she says.

In addition, ClearCommerce offers integration with external security services, for example, address-verification services and the bankcard associations’ card-verification methods; automatic lock-outs which protect merchants from schemes that generate credit card numbers; negative and positive lists; and case-management tools. “We’ve been doing this for six years and seen a whole lot of fraud happen,” Fergerson says. “We’ve learned to recognize (fraud) patterns.”

Rules

CyberSource also uses a combination of neural-net and rules-based technology, in its Internet Fraud Screen product co-developed with Visa. CyberSource provides the information it has culled in its fraud-prevention efforts, for example, e-mail addresses or ISPs that have high incidence of fraud, King says. Visa provides the payment information. “We had this wealth of data but what Visa has is the end results of every transaction—was it credited back, was it chargeback fraud, things like that,” King says.

Another company has come forward with a new variation on so-called one-use numbers. PrivaSys is offering a credit card that issues a new account number when the cardholder enters a password or code on a personal identification number pad on the card. The transaction is then routed to the issuing bank for authorization and settlement. The number is derived from an algorithm that combines the cardholder’s actual account number and other data, such as type of merchant, says David Patterson, PrivaSys executive vice president of business development.

Meanwhile, Transale U.S.A. Inc. has developed a program which allows cardholders to turn their cards on or off by sending an e-mail message to the card issuer. “For a security feature to be worthwhile...it has to be utilized by cardholders,” says Michael Mooney, chief executive officer. “By making (Transale) as simple and intuitive as we do, we think that’s the way it’s going to be successful.”

Just what technologies will succeed won’t be known for some time. While all the products will be effective against fraud, “the question is, what will consumers use, and what will merchants and issuers be willing to install,” says Jaime Punishill, senior analyst of emerging technologies at Forrester Research.

Consumers want the “best of both worlds” when shopping online, he says. “We want the ease of one-click shopping at Amazon.com with the utter security of having to sign 5 million documents and show 14 IDs,” he says. “Those are untenable desires.”

What’s more, people’s fears about the technology of online shopping won’t be allayed by more technology, he says. “The question is, how can you minimize the work and maximize the security simultaneously?”

That’s the question the card industry must answer if e-commerce is to grow.

Link to Article
http://web.archive.org/web/20020612093117/http://www.cardforum.com/html/ccmissue/sep01cov.htm

Smart Cards Need a Higher IQ

Mon, 27 Feb 2012 15:42:00 GMT

By Geoff Smith, Bloomberg Business Week
More than a year ago, I signed up for the American Express Blue Card and was disappointed to find that it's a clumsy way to buy things online. This so-called smart card, with an embedded computer chip, was billed as the next generation of technology for secure online transactions. But the software was annoying, and the credit-card reader -- a device that hooks up to your computer that was supposed to simplify the payment process -- had a blinking green light that was always on. My Blue card sits in my wallet, unused.

Here's a surprise: Amex has distributed more than 5 million Blue cards since its late 1999 launch, making it far more popular than Amex had ever expected, according to one consulting firm's estimate. That's not because folks are using it to shop online, since less than 1% of Blue holders use it for that purpose, according to Bruce Brittain, president of Brittain Associates in Atlanta. Instead, most people have picked up a Blue card because it's free and charges low interest rates. It's an Amex card without the high fees.

The moral of the story: Online consumers are basically lazy and cheap. They're also not terribly worried about online security problems. A survey by Forrester Research shows credit-card fraud fears ranked 15th out of 18 reasons cited for why consumers didn't shop online.

SPECIAL DEALS. Smart cards aimed at online shoppers are headed down a stormy path. Visa and Mastercard have announced plans for them, but both issuers will need to up the ante if they want consumers to use them online. Issuers will need to offer enticing deals on these cards, such as lucrative rewards programs, cash-back plans, and favorable repayment terms.

Banks and retailers should arrange special deals for consumers who buy using the cards. Retailers, now paying steep premiums to cover online credit-card fraud, should push credit-card issuers to offer attractive terms.

The first Visa smart card, Fusion, from Fleet Financial Group, is a dubious approach. On the plus side, it's designed to work in tandem with a computer keyboard from Compaq that has a built-in card reader -- a good idea more PC makers should copy. Fleet also has plans for a rewards program offering up to 15% cash back at participating merchants.

Any sizzle the card might have, however, fades quickly when you look at the fine print. Fleet slaps a $35 fee on late payments, which are any made more than 20 days past the statement closing date. The company also hikes the interest rate to 24.99% for anyone making late payments. Ouch.

NEW COMPETITION? Smart cards won't gain much traction on the Net until consumers are given a compelling reason to use them. They need an incentive to go to the trouble of using a scanner and special software.

Smart cards will also have to compete against new technology. One major threat is a new payment system in the "Passport" software embedded in Microsoft's upcoming XP operating system. Passport is Microsoft's online-authentication system that lets you access a wide range of services with a single user name and password.

Among other things, Passport will hold your credit-card and delivery information, with the idea of simplifying online transactions. Passport could potentially support smart cards. But privacy and security experts have raised questions about how safe Passport will be. And its fate could depend on whatever ultimate decision is rendered -- or settlement reached -- in the Microsoft antitrust case.

Single-use credit-card numbers, such as those issued by American Express, are so far not-very-compelling alternatives to smart cards. But a company called Privasys is working on a single-use variation that I'll look at more closely in a future column. It has developed a smart card that contains an LCD, a rewriteable magnetic strip, and a PIN-entry keypad. The card generates a one-time-use credit-card number each time the owner types in a password. The card can be read by any credit-card reader. Sounds like a good idea.

Direct link to the article:
http://www.businessweek.com/technology/content/aug2001/tc20010820_982.htm

Credit Card Issuers Need a New Approach to On-line Security

Mon, 27 Feb 2012 15:43:00 GMT

By Jamie Punishill, Analyst, Forrester
"Savvy fast movers will piggyback on the success of American Express' Blue card and market PrivaSys-enabled cards as the next cool thing to own."

Link to Forrester site (requires subscription to view report)

Card Design Innovations

Tue, 28 Feb 2012 22:24:00 GMT

By David Robertson, President , Nilson Report "Issuers of PrivaSys cards can let their cardholders generate one-time-only pseudo-account numbers (PAN) for use at the point of sale as well as at Internet Web sites."

It's in the Card

Mon, 27 Feb 2012 15:44:00 GMT

By Rafe Needleman, Red Herring magazine
Just what is the big deal with the American Express Blue card? Sure, it's got a chip on it, like European phone cards, but the chip is basically just a fancy magnetic stripe; it holds data, but it doesn't have power or intelligence. Nonetheless, the Blue card has been a phenomenal success for AmEx, proving, if nothing else, the genius of the company's marketing and advertising departments. But it's still just a hunk of plastic.

A new technology company, PrivaSys, is building a credit card that contains a power source, a CPU, a small LCD, a keypad (for entering a PIN), and technology that allows the card to rewrite the magnetic strip on the fly. This enables one-time credit card numbers that can be used in both online and physical retail. Given the rise in fraud and identity theft, this technology has many card-issuing banks very interested. Furthermore, only banks have to change their systems; merchants don't have to do anything.

These cards can also support other applications: for instance, one smart card could replace several, as buttons could activate different accounts. It's fascinating technology. The company has angel funding and is currently raising its first venture round.

Paying by Virtual Numbers

Mon, 27 Feb 2012 15:44:00 GMT

By Nick Sawyer and Brendan Murray, Lafferty, Electronic Payment International
Virtual card solutions are the flavour of the month in North America as a growing number of major issuers adopt pseudo numbers to appease consumer fears in the run-up to Christmas.

DISCOVER FINANCIAL Services, the US credit cards unit of Morgan Stanley Dean Witter, and Canadian bank, CIBC, are the latest cards issuers to launch pseudo number systems to secure the online transactions of their customers.

They follow hot on the heels of MBNA, which rolled out a pseudo number solution using technology from Dublin-based payments company Orbiscom in October, and American Express, which announced a proprietary system called Private Payments in September.

Both systems create a unique 16-digit cards number for each transaction, eliminating the need for customers to disclose their own credit cards details online. In both cases, online retailers process the transaction in exactly the same way, meaning there is no need to modify the current payments process.

The Discover application, called the deskshop 2.0, pops up when the customer enters the checkout page of a merchant's website, and automatically completes merchant payment forms.

The service relies on wallet technology developed by Brodia, the San Francisco- based software company, and Orbiscom for the creation of controlled payment numbers (CPNs), and replaces an earlier version launched in February that used technology from another Dublin-based payments company, Trintech.

CIBC's system, meanwhile, uses technology from New York-based payments software firm Aplettix. As well as generating a pseudo cards number, Aplettix Nexus-1 authenticates the consumer via password and checks the identity of the PC through which the consumer makes the purchase using patent-pending technology.

Cardholders are required to register a PC when signing up for the service and a unique ID is posted onto each PC. Customers can register more than one PC, and a solution is currently being developed for wireless devices, including mobile phones and personal digital assistants (PDAs), planned for launch in the second quarter of 2001.

"The main difference [between Aplettix Nexus-1 and other solutions] is firstly the strong authentication system, which does not incorporate hardware like chips," said Guy Netef, a fonder of the company and vice-president of marketing and business development. "Secondly, it is a complete, automated process. It does not let the user intervene with the process," he added.

The Aplettix solution is also being piloted by Visa Israel Credit Cards (Visa ICC), Israel's largest credit cards issuer and acquirer. The pilot involves a few hundred Visa ICC customers, but will be rolled out fully in early 2001. The CIBC product will be piloted with a small number of customers in early 2001, and will be rolled out to CIBC's four million cardholders "as soon as possible after that", according to Brenda Clarke, vice-president of Internet channel management for CIBC's Card Products division.

Other new entrants are on the horizon, however. Another Israeli company, Cyota, plans to launch its SecureClick pseudo card number service in January 2011 with Bank Hapoalim's Isracard. SecureClick allows consumers to make purchases online without revealing their real credit card number. The system replaces the number with a unique, protected number, and also checks the customer's final invoice for discrepancies.

Privasys, which was incorporated in San Francisco in May 1999, has accelerated plans for the introduction of its new payment card, provisionally known as the Universal Private card (UP). The company hopes the technology will be available around the turn of the year and is in negotiations with a number of major credit card issuers to supply them with the new technology.

The card, which is protected by three patents, will come with an embedded LCD screen, a magnetic stripe, a battery and a small, calculator-type numeric touch pad allowing the card to be personal identification number (PIN)-enabled. To make a card purchase the cardholder enters the four-digit PIN number on the card via the numeric touch pad and a unique account number is created and simultaneously displayed on the LCD screen and encoded by the magnetic stripe.

Orbiscom, an early mover in pseudo card numbers, is working on the second generation of its O-Card system, which will include more consumer tools.

"You can expect to see at least six new consumer-oriented payments products come onto the market early next year," said Graham O'Donnell, chief executive of Orbiscom. Although O'Donnell would not elaborate, it is widely thought that parent- controlled payment tools may be a future development.

Aplettix's Netef welcomed the entry of Amex into the pseudo arena, noting that other US banks had since chosen to develop comparable solutions. "It's good that Amex is supporting it. It really needed a big player to get it started, it gave recognition to other companies and it made customers make faster decisions. A lot of potential customers were sitting on the fence before Amex."

Pseudo card numbers have their critics, however. Frank Prince, senior e-business analyst with Forrester Research, believes these new online security initiatives are of "more use to issuers and merchants than consumers" but that they "do server consumers in that they assuage fear about giving out private information over the Internet."

He stated that, "financial risk management on the part of the card industry is the primary goal, but no product serves a single purpose and this idea was factored into these products when they were being designed."

He added that "the success of marketing programmes to meet the agendas of each of the participants" would be the key to success for any of these online security products.

Afterthoughts: From Dot-Com To Dot-Bomb

Mon, 27 Feb 2012 15:45:00 GMT

By Gerri Detweiler, Credit Card Mangement
Last year, privacy concerns cost Web companies an estimated $28.8 million in lost sales. A recent study by the University of California at Los Angeles Center for Communication Policy found that concern over privacy is the main reason users aren't shopping online.

And a recent Harris Interactive Survey commissioned by the National Consumers League found that consumers ranked the loss of privacy as a greater concern than health care, crime, or taxes!

Privacy concerns affect the financial-services industry in numerous ways. Lenders are struggling to persuade consumers to provide sensitive data in order to apply for loans online. Credit card issuers are trying to boost online transaction volume from shoppers afraid of launching their card numbers into cyberspace. And merchants are suffering fraud losses that accompany riskier Internet transactions. And all are scrambling to find ways to assuage consumers' fears of doing business on the 'Net.

Today it is possible to find out nearly anything about a person just by paying a small fee to an Internet broker. This information is used not only to target, but also to defraud and stalk, consumers. In such an atmosphere it is hardly surprising that Congress is considering legislation to protect consumers' privacy, just as it did twenty some years ago when it created the Fair Credit Reporting Act.

Federal regulation of Internet privacy is not a matter of "if," but "when" and "what." While the high-tech industry has largely fought legislation, a much smarter strategy would be to work with Congress to shape a law that will help allay consumers' fears, while giving the industry room to develop and grow without the fear of accidental regulatory missteps. In the meantime, however, card issuers and merchants can build confidence with a few good practices. A solid, clear privacy policy is a must, but most companies fall far short of the mark.

Try this: after you write your privacy policy, run it by a 14-year-old. If he or she doesn't get it, rewrite it. Guidelines for developing privacy policies can be found at www.privacyalliance.org.

Post your privacy policy where it can be easily accessed. Every time you request personal data from consumers, for example, add a link to your policy and ask for feedback.

If you request sensitive information, such as credit card numbers or Social Security numbers, there is no doubt you are losing business from those who are afraid to submit that data online. Giving them an easy opportunity to ask you questions that will make them more comfortable is essential.

A good example is QuoteSmith.com, an insurance shopping service. It has a clear and succinct privacy policy, along with links that answer specific questions such as "Why do you need my ZIP code and county information?" Promising Solutions

New technology tools also offer some of the most promising solutions to many Internet privacy dilemmas. Among the more interesting:

American Express Co.'s Private Payments program gives cardholders an instantly generated, limited-life transaction number that is used when shopping online in certain transactions. PrivaSys, a San Franciso-based firm, offers technology to Visa and MasterCard issuers that allows them to give cardholders a PIN-protected single-use number for shopping online or offline. Programs such as Anonymizer Inc.'s Anonymizer Surfing, Privada Inc.'s PrivadaControl, and Zero-Knowledge Systems Inc.'s Freedom allow consumers to surf the Web anonymously.

Privada, PrivaSys, and other companies are creating programs that will even allow a consumer to order goods online and have them shipped, while still remaining completely anonymous to merchants.

Shopping, borrowing and other financial transactions on the Internet will increase significantly in the next few years, but tremendous competition is already squeezing out numerous Web sites that just can't grow fast enough. Those sites that understand the importance of strong privacy programs are more likely to survive the cutthroat competition. And those that just don't get it are more likely to be among those that go from dot-com to dot-bomb.