Posts filed under 'Industry News'

Paypal’s India Fiasco

In the past 2 weeks a very confusing and upsetting situation has taken place in India with respect to Paypal and personal Indian payments.

It all started around the 1st of February.

All payments sent from personal Indian accounts are reversed. This would basically be like accepting a credit card, and 5 days later (long after the merchandise or service has been performed) that money is given back to the customer!

When reversed, there are several immediate reactions. First off, it is confusing to anyone who sent a payment and had it returned a few days later. It is more confusing and upsetting to the business that accepted that payment as they are now without the money and without the service or product that was paid for. Additionally, this unbalances the accounts of thousands and possibly millions of account holders, not just in India. Many of these recipient account holders made payments to other businesses. When the original amount was reversed and subtracted from their account, any recipient account lost money, and many Paypal accounts went negative. Some people got paid, while others lost the money. Paypal was also blocking any withdrawals to an Indian bank account, so even if a business did manage to get paid, there was no way for them to take the money out of Paypal.

As usual Paypal was completely mum about the actual details of the events of what was happening, further compounding the frustration and confusion that was sweeping Indian paypal account holders and those who received a payment from an Indian account. On February 5th, I had speculated that there was some government intervention going on, as the scope and damage that these events were causing were absolutely massive. Even at this point an Indian Paypal user could send money, and at first would seem successful, but would be returned several days later.

On the 6th of February, with Paypal users continuing to panic still trying to send money, Paypal finally publicly announced that there was a problem with personal payments.

I’m writing to let you know that personal payments to and from India and transfers to local banks in India have been suspended while we work with our business partners and other stakeholders to address questions they have about the service.

While this was an unacceptably vague response to the seemingly massive situation that was unfolding, it was nevertheless some response.

More problems…

About a day later, a second problem had been discovered with many Paypal accounts. After being refunded, many Paypal users noticed that foreign exchange fees had never been refunded. Thousands of Indian freelancers, Indian businesses, and worldwide businesses who accept payments from Indian account holders are getting more upset and confused. Although Indian payments only make up a small portion of Paypal payments, it’s clear that there is a major problem affecting far more people and businesses than just Personal Indian account holders. Now there’s money, paypal fees, and separate foreign exchange fees lost in millions of payments and refunds, a true accounting nightmare.

Everyone knows there is a problem, but nobody knows what it is and Paypal won’t say a word.

On February 10th the truth finally comes out.

1. Why did you suspend local bank transfers and personal payments to and from India?

We temporarily suspended these services to respond to enquiries from the Indian regulators, specifically questions on whether personal payments constitute remittances into India.

We’re working with the regulators and our bank processing partners in India to get this resolved as quickly as we can. We realize that this is causing considerable inconvenience to our customers and I want to reassure you that this is a top priority for the leadership at PayPal.

2. When will personal payments be turned back on?

The regulators recently let PayPal know about revised licensing rules that we are now actively engaged in securing. Personal payments to and from India will be suspended for at least a few months until we fully resolve the questions from the Indian regulators.

3. When will local bank withdrawals be available?

Customers should be able to withdraw their funds to a local bank within the next few days. In the meantime, we’re going to restore the money into the PayPal accounts of any customers in India who have initiated a recent withdrawal, so they know that the money is safe in their accounts. Customers will also be reimbursed for any withdrawal fee charges.

4. The PayPal reversal has left me with a negative balance. What shall I do?

If you bought something or transferred money out of your PayPal account to your bank account before we reversed the payment then you may be left with a negative balance.

If this was a payment for a purchase of goods or services, you should contact the sender and have him or her resend the payment as follows:

(a) click the Send Money tab, and

(b) select “purchase.”

If this was a personal payment, then the sender will need to find another payment method until we restore the service. We’re sorry about this.

If you can’t recover the funds from the sender, you can bring your PayPal balance current by logging in to the PayPal account and clicking the “Resolve Negative Balance” link on the Account Overview page.

5. My payment was reversed but it was not a personal payment. What happened?

Only personal payments should have been reversed. Customers who believe that their payments were reversed in error should request that the payment be sent again by following the steps above (click the Send Money tab and select “purchase.”)

The Reserve Bank of India (RBI) put a halt to all Paypal payments when they finally realized that Paypal was acting as a cross-border money transfer system, which falls under a law passed in 2008: “Providers of cross-border money transfer service need prior authorization from the Reserve Bank under the Payment and Settlement Systems Act.” The reasoning behind the law is that many cross-border transactions are considered remittances, which fall under additional regulation by the RBI.

At this point, Indian Paypal account holders cannot send or receive money through Paypal, and even many Business account holders cannot withdraw into their Indian bank account. Paypal has indicated that it may take months before payments get back on track in India, leaving very few payment options for freelancers and many businesses in India’s rapidly growing IT services industry.

What strikes me as simply baffling is how it took 2 years for the Indian government to realize that Paypal users in their country could transfer money to and from Paypal users in other countries, and why they would tackle this situation in such a disruptive manner. Seriously, Paypal has been in India for several years and nobody bothered to consider that the fastest growing payment mechanism in India might fall under this new law when it was being drafted?

Equally baffling is why Paypal didn’t completely suspend payments when they were given the request on January 27th. Instead they reversed thousands of transactions that had already been submitted, after having allowed the recipients to forward the money they received as payments to other businesses. They also continued to allow transactions to be sent until after the 7th, 10 days after they stated that transactions had been halted.

The combination of a gross lack of oversight by India’s financial regulators, and Paypal’s gross negligence in adequately responding to a major operational casualty, caused one of the larger payment system implosions that we’ve seen. Most of the ancillary damage was completely avoidable, had Paypal responded immediately and adequately to RBI’s request. While I’m sure that Paypal will pull through unscathed as they have so many times before, I do believe that their position in the Indian payments market will be scarred for a long time.

3 comments February 11th, 2010


Authorize.net goes down

Authnet suffered an outage this morning. Current rumors suggest that it was due to a fire at a data center, after which the sprinklers destroyed the backup generators.

Authorize.net is currently the largest payment gateway in the world. This is affecting millions of websites right now. To my knowledge this is the first major outage since the DDoS attack they suffered several years ago.

A casualty of this magnitude has the ability to permanently damage / destroy this company’s trust and reputation.

10 comments July 3rd, 2009


PA-DSS, and you thought PCI was a mess!

PA-DSS is a security standard for payment application developers, outlining security and auditing procedures for electronic payment applications. Software that falls under the PA-DSS envelope could include anything from a POS system to online shopping cart software. PA-DSS requires that a program be audited by a third party, pass a series of security tests and adhere to best practices before it can be distributed. If it is not audited or fails any part of the audit, it cannot be used as a payment application.

Phase V – July 1, 2010
Phase V mandates the use of payment applications that support PCI DSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as PA-DSS compliant.

If you process credit card online and this doesn’t scare you, it should!


Put this into perspective. There are currently millions of websites using paid and open source software for their online stores. Software like osCommerce, Zen Cart, Magento, and others have millions of users. There are only two online store software packages that are PA-DSS compliant. If there is not a mass movement to get software PA-DSS compliant in the next year, almost every single online store will be out of compliance and subject to fines, or to being shut down. This is only a small part of the problem. There are still thousands of retail businesses using older payment software, and the cost of upgrading would be in the millions, assuming it’s even possible.

As written by Evan Schuman
“Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.”

Where the real mess begins…

There are currently about 40 companies certified to perform PA-DSS validation. The cost to certify a single payment application could be $100,000 or more if the application is extremely complicated. There is an additional “mandatory” yearly fee of $1,250 just to be listed as a Validated Payment Application. Based on cost and complexity, there are not many shopping cart software providers that can come close to getting PA-DSS certified in the next year. Even then, that still leaves the open source solutions, which the majority of all ecommerce sites are using.

From Rick Wilson
“What about home grown and open source shopping cart solutions? What happens to them on July 1st, 2010? I asked this question to our auditor and his answer was telling, he said that “essentially if an application can’t be PA-DSS certified because it’s not developed by a single entity for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance”.”

Level 1 certification is nearly as expensive as PA-DSS certification, so don’t expect any relief if you’re using a custom or open source solution. They’ve truly left no way out this time…

In conclusion…

We’re about to experience a payment industry nightmare that could potentially halt commerce as we know it. If you thought that the $20 per month fee from your processor was bad, you’ll really hate the $50,000 bill when you go to get Level 1 certified. If Visa takes the hard-line stance that merchants not using PA-DSS certified software get shut down, it’s going to get really ugly. The current focus of the processing industry is on PCI-DSS compliance and a slew of new fees and charges related to it. But in about a year, we’re going to see the true fallout of implementing ineffective regulations without foresight into what it actually takes to adopt them, or whether they actually do anything. The only thing we got out of the congressional hearing on PCI is that congress thinks it’s not enough, and merchants think it’s way too much.

Houston, we’re about to have a problem!

Related reading…
PA DSS in One Easy Lesson…Sort Of
PA DSS Is Remarkably Misunderstood
PA-DSS and Ecommerce Web Hosting

24 comments May 22nd, 2009


Credit card interchange vote tomorrow

Much to the surprise of the merchant account industry, the congressional bill proposing to regulate interchange is being attached to the credit reform act and is potentially being voted on tomorrow. Although the interchange regulation bill is related to credit cards and the credit industry, it has nothing to do with the credit reform act, and this is an irresponsible means of passing an already poorly supported bill. The US Government Accountability Office, the US Justice Department, the American Banking Association, and the Federal Trade Commission have all directly warned congress against regulating interchange. To not even have a real vote on the bill is simply irresponsible governing.

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but will almost certainly reduce the quality of processing services to the small business in addition to a much greater overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by twisting the reality of what interchange is, who it goes to, and why it’s charged, all by large corporations and angry merchants. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get set up processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Add comment March 31st, 2009


Visa Alerts of Floral Credit Card Fraud

Visa issued another security alert today specifically for floral merchants. Given that Valentine’s Day is a few days off, this is important for many businesses out there. None of this is ground-breaking news, but extra care should be taken by floral merchants when accepting payments over the phone, fax or online. If you aren’t already, take some extra steps to prevent fraud; CVV2 may help in this case and costs nothing extra to process with. Also, be very wary of extremely large orders.

Typically fraudsters look for times when businesses are most vulnerable, and when business picks up a lot, lapses in oversight are often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

2 comments February 11th, 2009


Visa issues security alert

A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining some specific applications and IP addresses to look out for. What is unique about this alert, and something I’ve never seen before, is that Visa gave a very specific list of malicious applications to search for on a network or computer, and a specific list of IPs to block.

This tells me that Visa has explicitly identified threats, where they are originating from, and that these locations are static enough that blocking them would actually do some good (IP blocking is otherwise a terrible way to prevent or stop malicious behavior).

Download the security alert »


Table 1, Search for these programs:
Filename       | Purpose                                              | MD5/SHA-1 hash(es) or registry key
appsqlio.exe   | Reverse shell tool                                   | 387cda6eb91f0b3a054de20c02320338
obsqlio.exe    | SQL output redirector                                | f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe  | Packed version of gsecdump                           | 959523fc10584da9bfb31a524ff472aa
sn.exe         | Packet sniffer                                       | e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe     | Packet sniffer                                       | 4724103b13e6ce832fbb2c08a419eac6
svclhost.exe   | Network communication tool                           | da4ab50185c7b246d1d2c8fa7bd7a5ed
rexesvr.exe    | Command line execution                               | 003f6cda98a40529cc87fd1387714fd7
svcl.exe       | Renamed version of sn.exe                            | e07b83abda5b566b3e9a30515a59ecc3
eqslquery.exe  | Script that automates the installation of rexesvr.exe | bc354dcf5221aea9fae8a3283c09504d
rarx.exe       | Compression tool                                     | fd729427144044730c572fd5b9be7dd9
Soft.exe       | Backdoor                                             | ea75939da539a3879e5b442b11b51f24
lsasstd.exe    | Backdoor                                             | 07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe    | Backdoor                                             | e2736b8e0628a07fc3a6dcccad99245e
smn.exe        | Backdoor                                             | b0ff54c190455feda3f67b53c4a4453d
mstsk.exe      | Utility to inject code into running processes        | ddfd9073a5f222e223f5f2156c71629d
Download original…

Please note that normal Windows processes may run under the same filenames. Do not assume that a process is suspect unless its MD5 hash matches the one in the table. If you need an MD5 hash generator, try this one for free.

Table 2, Block these IP addresses:
90.15.59.86     85.221.136.196  216.55.164.44   82.13.14.61
85.221.196.131  77.253.115.137  200.115.173.25  83.99.227.209
85.221.138.252  213.84.163.246  85.17.239.11    89.114.215.182
64.247.58.239   83.110.17.228   82.13.14.61     91.177.6.209
89.37.241.180   12.210.14.103   193.11.110.32   216.55.126.167
83.4.164.214    74.138.172.183  207.255.204.160 216.55.185.9
72.36.215.253   85.17.239.11    216.244.34.155  212.126.1.244
202.71.103.77   69.244.206.15   24.159.22.70    212.126.9.154
194.146.248.7   69.141.149.138  67.182.137.29   212.126.11.27
85.17.105.34    88.156.44.152   67.85.92.181    212.126.12.89
91.193.63.15    216.80.124.225  68.50.185.130   212.126.14.197
89.37.240.118   76.100.75.1     68.94.212.161   212.126.18.171
91.145.136.65   216.196.173.93  69.110.26.21    212.126.20.83
82.232.177.64   75.64.114.45    69.14.110.49    212.126.22.64
89.76.218.105   89.32.130.86    69.212.211.243  212.126.25.247
89.37.241.241   58.65.239.58    70.162.2.249    212.126.31.182
89.76.220.36    66.36.229.201   71.238.147.129  212.126.32.67
83.55.141.204   74.54.131.130   71.239.155.202  212.126.46.199
216.55.169.234  74.53.114.16    72.242.241.189  212.126.47.93
89.43.45.232    203.190.175.39  74.62.212.143   212.126.53.23
62.21.81.104    203.190.172.18  75.118.180.255  212.126.55.166
89.37.242.28    69.70.122.98    76.204.117.205  212.126.57.215
89.43.45.159    65.111.171.20   76.22.3.137     212.126.72.14
77.253.108.16   65.111.171.21   76.239.29.46    212.126.73.220
91.189.139.168  174.36.196.207  76.242.106.40   212.126.78.153
79.9.108.226    208.43.74.19    79.118.160.231  212.126.83.57
88.214.208.44   216.55.162.167  79.139.245.79   212.126.84.117
212.126.94.174  212.126.92.167
Download original…

The IPs above have somehow been identified as being related to malicious behavior, but just blocking them does not make your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications or blocking IPs. If in doubt, contact someone more qualified in network security.
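As an added example (not part of the original post or of Visa’s alert), the script below applies the two tables the way the post recommends: files are matched by MD5 hash against Table 1 rather than by filename, and log lines are matched against a handful of rows from Table 2, with the list deduplicated. It uses only the Python standard library. The directory it builds, the file contents and the access-log lines are constructed for the demonstration; since the real samples are not available, it stands in for one with a constructed file whose hash is added to a copy of the indicator set.

```python
"""Matching the Visa alert's indicators by file hash and by IP address.

Added example, not part of the original post or of Visa's alert. Standard
library only; the files and log lines it uses are constructed.
"""
import hashlib
import ipaddress
import os
import re
import tempfile

# Table 1 of the alert, keyed by MD5 rather than filename: as the post notes,
# legitimate Windows processes can carry these names, so only a hash match counts.
SUSPECT_MD5 = {
    "387cda6eb91f0b3a054de20c02320338": "appsqlio.exe - reverse shell tool",
    "f640e53718bc83cb8bb10b1eafb50edf": "obsqlio.exe - SQL output redirector",
    "959523fc10584da9bfb31a524ff472aa": "blobsqlio.exe - packed gsecdump",
    "e07b83abda5b566b3e9a30515a59ecc3": "sn.exe / svcl.exe - packet sniffer",
    "4724103b13e6ce832fbb2c08a419eac6": "msdtsc.exe - packet sniffer",
    "da4ab50185c7b246d1d2c8fa7bd7a5ed": "svclhost.exe - network communication tool",
    "003f6cda98a40529cc87fd1387714fd7": "rexesvr.exe - command line execution",
    "bc354dcf5221aea9fae8a3283c09504d": "eqslquery.exe - installs rexesvr.exe",
    "fd729427144044730c572fd5b9be7dd9": "rarx.exe - compression tool",
    "ea75939da539a3879e5b442b11b51f24": "Soft.exe - backdoor",
    "07536e77ece9e70f5bf3d6f357c77b04": "lsasstd.exe - backdoor",
    "e2736b8e0628a07fc3a6dcccad99245e": "lsasstm.exe - backdoor",
    "b0ff54c190455feda3f67b53c4a4453d": "smn.exe - backdoor",
    "ddfd9073a5f222e223f5f2156c71629d": "mstsk.exe - code injection utility",
}

# A few rows of Table 2. A set collapses the duplicates the published list
# contains (82.13.14.61 and 85.17.239.11 each appear twice).
BLOCKED_IPS = {
    "90.15.59.86", "85.221.136.196", "216.55.164.44", "82.13.14.61",
    "85.221.196.131", "77.253.115.137", "200.115.173.25", "83.99.227.209",
    "85.221.138.252", "213.84.163.246", "85.17.239.11", "89.114.215.182",
    "64.247.58.239", "83.110.17.228", "82.13.14.61", "91.177.6.209",
    "72.36.215.253", "85.17.239.11", "216.244.34.155", "212.126.1.244",
}

def md5_of_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, indicators=SUSPECT_MD5):
    """Return [(path, description)] for files under root whose MD5 is listed.
    Filenames are ignored on purpose: a benign lsasstd.exe is not reported,
    while a renamed copy of a listed tool still is."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in indicators:
                hits.append((path, indicators[digest]))
    return sorted(hits)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_log(lines, blocklist=BLOCKED_IPS):
    """Return [(line_number, ip)] for each blocklisted address seen in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in IPV4.findall(line):
            try:
                ip = str(ipaddress.ip_address(token))  # rejects junk like 999.1.1.1
            except ValueError:
                continue
            if ip in blocklist:
                hits.append((number, ip))
    return hits

# Constructed Apache-style access log lines (not from any real server).
LOG_LINES = [
    '90.15.59.86 - - [02/Feb/2009:10:01:12 -0500] "GET /admin/ HTTP/1.1" 403 231',
    '10.0.0.7 - - [02/Feb/2009:10:01:15 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '999.1.1.1 - - [02/Feb/2009:10:01:16 -0500] "GET / HTTP/1.1" 400 0',
    '82.13.14.61 - - [02/Feb/2009:10:02:40 -0500] "POST /login.php HTTP/1.1" 200 88',
]

def demo():
    """Build a constructed directory, run both scans and return what they found."""
    with tempfile.TemporaryDirectory() as root:
        # Benign file that only shares a name with Table 1: must not be flagged.
        with open(os.path.join(root, "lsasstd.exe"), "wb") as f:
            f.write(b"harmless file that merely has a suspicious name\n")
        # The real samples cannot be shipped, so a constructed file stands in
        # for one: its hash is added to a copy of the indicator set.
        sample = os.path.join(root, "renamed_tool.bin")
        with open(sample, "wb") as f:
            f.write(b"CONSTRUCTED stand-in for a listed tool\n")
        indicators = dict(SUSPECT_MD5)
        indicators[md5_of_file(sample)] = "CONSTRUCTED demo sample"
        file_hits = [desc for _, desc in scan_tree(root, indicators)]
    return {"file_hits": file_hits, "log_hits": scan_log(LOG_LINES)}
```

Calling demo() reports the renamed stand-in and not the benign lsasstd.exe, and flags log lines 1 and 4 while ignoring the malformed 999.1.1.1. For real use, point scan_tree at the directories you want checked and feed scan_log your own access or firewall log, remembering the post’s caveat that a hit on the IP list is a reason to investigate, not proof of compromise, and that a block list of this kind goes stale quickly.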

11 comments February 2nd, 2009


Just how big was the Heartland security breach?

I have been looking over a 2007 Nilson Report, specifically about the number of credit cards being used in the US. I then thought, how much of an impact could the Heartland security breach have on the US credit card industry as a whole? How big is the US credit card industry?

To start off, it is still unknown how many card numbers were actually stolen in the Heartland Breach. But, it is known that as many as 600 Million card numbers were exposed to malicious software. In terms of security (and logic in general), you can only assume the worst case until you can later prove that the situation is better (There is no innocent until proven guilty when it comes to security). So how many cards is 600 Million?

These are not exact numbers but are close… In 2007, there were about 200 Million card holders in the US. Of these card holders, they owned 321 Million Visa cards, 279 Million MasterCard cards, 52 Million AMEX cards, and 57 Million Discover cards. This makes a total of 709 Million credit cards. Since the account activity averages about 60% across all cards, there are roughly 420 Million active credit cards being used in the US.

Now putting this all together, the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country. Given the size of the breach, it’s unlikely that your card was not compromised if you made a purchase in the US between April and December.

Unfortunately a breach like this will have a negative impact on the entire credit card industry. I’ve heard a lot of “they had it coming” and cheers of joy from other people in my industry, but make no mistake, this is bad for everyone! We have yet to see the real start of what this is going to cost Heartland and the credit card industry as a whole. I cannot imagine a scenario where Heartland comes out of this in one piece. They may prove me wrong, but the damage from this looks to be too great for any processor in the world to reasonably handle.

4 comments January 27th, 2009


Heartland Suffers Massive Data Breach – update

Heartland Payment Systems was reported today to have been the victim of one of the largest credit card data breaches in history.

Heartland discovered malicious software that was recording credit card information as it was being sent to Heartland for processing. Heartland processes roughly 100 million transactions per month, for 250,000 US businesses.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

Right now it is unknown how much data has been collected, how or if it has been used, or how long the malicious software was recording information. The current largest data breach in history was about 45 million card numbers at TJX (TJ Maxx and Marshalls), which cost the retailer almost $2 billion. Depending on how much data was lost, this breach could surpass the cost of the TJX breach.

I’ve been reading comments on various blogs and news sites on the internet and so far there is a lot of backlash and anger from consumers and businesses. We’ll see in the near future how this breach will affect Heartland, but it seems safe to assume that this will be an extremely costly event for one of America’s largest ISOs.

***UPDATE***

http://www.nytimes.com/2009/01/21/technology/21breach.html?_r=1&emc=tnt&tntemail0=y

The software on Heartland’s network was installed as early as May. Based on the volume of transactions, as many as 600 million card numbers were potentially vulnerable, although the actual number stolen was likely less than this. With that sort of exposure, and the sheer number of merchants that process with Heartland, it’s not impossible that every single card holder in the US was exposed in this data breach.

2 comments January 20th, 2009


Paypal + BillMeLater

I’ve been expecting Paypal to take a shot at acquiring a buy-now-pay-later service provider, and Paypal just announced they are making a move to acquire Bill Me Later. Paypal’s definitely been missing out on a huge market that Bill Me Later owns. Bill Me Later’s only major competitor is a company called eBillMe.

While I personally think that this could be scrutinized as an anti-competitive acquisition, especially considering Paypal’s monopoly over non-credit-card online payments, this should make Bill Me Later easier for smaller businesses to use. Until recently, Bill Me Later required ecommerce merchants to be processing in the seven figures per year, far out of reach for many smaller sites that could have greatly benefited from Bill Me Later.

It would probably be six months to a year before any reasonable integration with Paypal happens, but the acquisition is supposed to go through by 2009.

3 comments October 6th, 2008


3 years and counting

This month marks the 3rd anniversary of the merchant account blog.

I’m currently working on some large, time-consuming projects, which is the main reason that posting has been so sparse lately. Hopefully this will change in the next few months and I can get back to a reasonable schedule for posting.

Thanks to everyone who stops by. Please feel free to jump in and comment if you’ve been a silent lurker.

Thanks again

2 comments July 25th, 2008

