Hi,

I want all of my merchants to know about this. If you ship anything at all even if it’s just overnight mail you can’t lose. It’s a no brainer. Many shippers aren’t even aware that FedEx & UPS will refund your entire shipping charge if your package is delivered even one minute past the specified delivery time. I see no risk with this program because you can cancel their service at any time and it’s totally non intrusive as they do not access your computer system and they charge only on contingency. They also check for overcharges, incorrect rates and discounts and any unauthorized charges. You could track this info yourself but you probably don’t.

Go to their website http://www.veriship.com/index.aspx and if you want to log in let me know and I’ll give you a temporary password. If you are interested (and there is no reason you shouldn’t be) let me contact them for you to make sure you get a top representative. Any assessment they give you regarding your shipping is of course free.

Let me know when you’d like to get started.

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

One of my clients recently asked me about reloadable cards that they wanted to use for referral fees, gifts and bonuses. After an exhaustive search I have a found a company that is second to none in customer service and quality. They are also the most economical. Besides having a great design department they don’t have any hidden fees which I found all of the other companies had. Not only are there hidden fees to the merchant with other companies they also tack on fees to the receiver of the card which would really be a turnoff to the person you want to impress the most-the card recipient.

These cards are also ideal for use as payroll cards, fuel cards, etc. The regular card is good at over 1.000,000 retails stores such as Walmart, Walgreens, grocery stores, etc. They can also be used at an ATM or the recipient can go online and transfer the funds in the card to their bank account for no fee.

For a flavor of what they do visit their website at http://www2.transcard.com/Default.aspx .

You can order the cards plain or with your logo, etc. on them which can be very impressive. You can submit your own artwork or for just a small extra cost per card utilize their art department. Attached is an example of a nice design they did for one of my clients.

Let me know if you’re interested.

Bill

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Article published in Issue Number: 070101

Merchant needs counsel

I’ve been a subscriber of your magazines since I began in the processing industry, and I have a question. What attorney can you recommend to defend a merchant in a large chargeback dispute?

Thanks, Bill Hoidas Matrix Payment Systems

Bill,

The Green Sheet Inc. does not recommend individuals or companies. However, following are some attorneys we know of (listed alphabetically by last name) who specialize in payments industry-related issues:

Adam Atlas
514-842-0886
atlas@adamatlas.com

Theodore F. Monroe
310-694-8161
monroe@tfmlaw.com

Anthony L. Ogden
661-775-8527
tony.ogden@bankcardlaw.com

Paul A. Rianda
949-261-7895
paul@riandalaw.com

Holli Targan
248-727-1460
htargan@jaffelaw.com

Editor

It’s time to take the majority of merchants to the woodshed. You all complain about high rates but even with prodding do very little or nothing about it. Below is action you can take that will take less than one minute. I support lower interchange rates for credit card processing and have sent this to my U.S. Representative and senators.

Please cut & paste the following message to your U.S. Representatives and Senators or if you wish send your own message.

To find your local representative go to http://www.house.gov/writerep/ and if you need your 9 digit zip code go to http://zip4.usps.com/zip4/welcome.jsp
For your U.S. senators go to http://www.google.com/search?hl=en&newwindow=1&sa=X&oi=spell&resnum=0&ct
=result&cd=1&q=contact+your+u.s.+senator&spell=1
You will be given a link to their email address. The whole process should take less than one minute of your time.

As my representative in the U.S. Congress I am a concerned merchant and voter that want you to support the investigation of usurious credit card charges to merchants and implement the necessary reductions to promote free trade. The article below describes the current state of affairs.

Using the above method took only a few seconds.

Interchange under attack

t’s almost a rite of spring: One or both of the card Associations implement new interchange fee schedules. This forces acquirers and processors to adjust their fees, and the retail sector cries foul.

This year, Visa U.S.A. rolled out a new interchange schedule, effective April 14. Within days, the National Retail Federation was rallying state lawmakers behind efforts to force major changes to interchange.

Many of Visa’s rates remain the same as last year. However, Visa introduced a new card category – Signature Preferred – which raises interchange on some transactions.

MasterCard Worldwide also recently announced rate changes, effective April and June 2007. (For information on the latest rate changes from MasterCard and Visa, see The Green Sheet, issues 07:03:01 and 07:05:01, respectively.)

“When Visa and MasterCard [assess interchange], they don’t take it on just the retail sale; they take it on the entire transaction, including the sales tax,” Mallory Duncan said during the National Conference of State Legislatures’ (NCSL) spring conference, April 19 in Washington, D.C.

Duncan is NRF Senior Vice President and General Counsel, and Chair of the Merchants Trade Coalition, a group of federal and state trade associations representing merchants who accept credit cards. He said retailers, who merely collect and do not retain sales taxes, are particularly irked that those funds are included in interchange assessments.

“The sales tax is the people’s money, and [Visa and MasterCard] shouldn’t be trying to take a piece of it,” he said. “That drives up prices even higher, and everybody ends up paying a tax on a tax.”

It also bothers merchants that monthly account statements from card servicing banks don’t break out interchange costs, Duncan added.

The NRF and other members of the Merchants Trade Coalition have been railing against interchange since the so-called Wal-Mart suit opened to public debate this long-standing industry pricing mechanism.

Several coalition members were party to that lawsuit. It resulted in a multibillion-dollar out-of-court settlement and the elimination of rules that compelled merchants accepting MasterCard and Visa credit cards to accept all other card products bearing those brand names.

Merchants managed to get the ear of the U.S. Congress, which held hearings last year. But so far this year, interchange is not high on the agendas of any pertinent congressional committees.

For now, lawmakers are more interested in card issuers. Earlier this month, Sen. Carl Levin, D-Mich., took to the Senate floor to denounce card issuer fees and fee-levying practices. He also said he was introducing legislation to rein in such practices.

Legislation pending in several states, however, would cap or exclude interchange on certain transactions.

The Merchants Trade Coalition estimates that MasterCard and Visa collected about $36 billion in interchange during 2006. The group noted that this represents a 17% increase over 2005, and an increase of 117.5% since 2001.

At least a dozen bills pending in state legislatures address topics related to interchange, according to the NCSL. Here’s a rundown of several key initiatives:

• Two bills introduced in the Florida state legislature would require refunds to merchants paying interchange on sales taxes.
• Legislation pending in Kansas would require that merchants have better access to information related to interchange rates. It also defines interchange fees for purposes of state law.
• A bill pending in Nevada would prohibit interchange on certain transactions.
• In Oklahoma, legislation has been introduced that would prohibit certain contract provisions regarding merchant transaction fees.
• Lawmakers in Tennessee are considering legislation that would cap at 0.75% all processing fees associated with credit or debit card transactions. The proposal would apply to contracts entered into with merchants by banks or their agents after July 1, 2007.
• Texas lawmakers have a bill before them that would require more transparency in disclosing interchange and related processing fees. A tougher bill, introduced and quickly withdrawn in March after a large consumer letter-writing campaign, would have allowed retailers to surcharge credit and debit card payments to cover processing costs.
• In Washington state, lawmakers want to restrict interchange to 1.5% of the total cost of a retail card transaction.

Whether this attention given to squeaky wheels will lead to a smoother ride for retailers remains to be seen.

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Pressure mounts for retailers to comply with payment card data security standards
By Paul Demery

For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don’t comply with the payment card industry data security standards. And retailers have been routinely ignoring them.

Now that might be changing. The card companies recently upped their fines to as much as $25,000 a month for large merchants who don’t comply with the standards. And high profile data breaches, such as the one that TJX Companies Inc. discovered in January, are raising consumers’ awareness that their payment data might not be secure—to the point that they might stop shopping at retailers where they perceive a threat.

A clear message
Retailers are getting a clear message from merchant banks, credit card companies and consumers that they need to get on board with security standards designed to protect credit card account and other data in consumer databases. The goal is to prevent the kind of theft that occurred at TJX, where criminals broke into computer systems in 2005 and 2006 and stole customer information from a network that handles credit card, debit card, check and merchandise-returns transactions.

Card companies say retailers can avoid data breaches like that by implementing the payment card industry data security standards, or PCI-DSS, as they’re known in the payment industry. The standards are comprised of 12 general requirements for such actions as assuring that networks have updated security patches from software vendors, not storing sensitive customer data, and deploying software applications that encrypt the customer data that they do store in databases.

It may be true that complying with payment security standards will prevent such data breaches, but doing so is not easy—and online retailers face many other pressing issues. “Most companies don’t want to spend money on security,” says Avivah Litan, a security technology expert at research and advisory firm Gartner Inc. “They’d rather spend it on revenue-generating projects.”

A recent Gartner survey of 50 retailers found that only one-third of the largest merchants—those identified by credit card companies as Tier 1, or processing more than 6 million payment card transactions per year—were compliant with payment card industry standards. “That’s certainly well below what it should be,” Litan says.

The difficulty of implementing the standards varies based on a retailer’s extent of operations and whether it sells through a single channel or multiple ones. “99% of this is common-sense stuff that retailers should have in place already,” says Robin Bonin, IT director for Golfballs.com Inc.

Golfballs.com, which sells mostly online but operates one store, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says.

Hundreds of security issues
Other retailers find compliance more difficult. Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group which represents large retailers, says many merchants find it hard to keep up with updated software and other requirements of compliance. “Retailers are getting closer in line, but it’s a challenge,” he says.

Indeed, the 12 standards actually amount to more than 200 points that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists.

Many retailers who have not experienced data breaches apparently operate under a false sense of security that their customer records are safe, Litan and other experts say. Such retailers wait until a highly publicized attack occurs at another retailer or until a merchant bank warns the retailer that it could get fined if it doesn’t get up to par with security, they say.

The unintended build-up
Retailers typically keep customer account data including name, billing address, credit card expiration date and card identification number—the 3- or 4-digit number that identifies a plastic card itself aside from the card account number. Criminals can use all of those elements to make fraudulent transactions.

But instead of deleting transaction data after getting payment authorization and settlement from participating banks, some retailers hold it. “So they build up a huge repository of customer transaction data that can get hacked if not properly protected,” says John Bingham, director of the technology risk practice at Protiviti Inc., a company that conducts tests of retailers’ compliance with the card industry standards.

The risk is heightened when retailers store full-track data, or the information contained in the magnetic stripe on payment cards, which includes enough account information to create duplicate cards. “If there’s a golden rule, it’s: Don’t store track data,” says Rob Tourt, vice president of network services for Discover Financial Services LLC, which issues and handles transaction processing for the Discover Card, one of the sponsors of the data security standards.

But many retailers don’t even realize they’re storing track data, often because their store point-of-sale systems are improperly designed to automatically record it in a database. “Unfortunately, merchants who are victims of database hacking often store track data without knowing it,” Tourt says.

At the same time, criminals continue to develop more sophisticated methods of cracking into and stealing that data—creating demand for more sophisticated security technology and policies.

Weighing the costs
The cost of implementing PCI standards depends on such factors as the volume of transactions a merchant handles; the state of a merchant’s infrastructure of computer databases, networks and security software; and its policies. A smaller merchant might spend $120,000 to get outfitted with data encryption software and other basic security tools, while a Level 1 merchant could spend $700,000, Litan says. But that’s just for security-related tools themselves, she adds. The cost of updating overall technology systems to comply with payment data security standards can run into millions of dollars, experts say, when new software systems require new and more robust hardware to run them.

Still, the overall cost of complying with PCI standards can be less than the cost of a security breach in terms of damage to a retailer’s brand, lost customers and a decline in sales, Litan adds.

A recent Gartner study found that the cost of security breaches can outweigh the cost of becoming compliant with security standards. When factoring in legal fees, fines, data recovery efforts, and losses in sales and market value, Gartner figures the costs of a major data security breach can run as high as $90 per customer record.

That equals more than five times the cost of implementing a comprehensive security system including data encryption, network intrusion-prevention, and regular system audits, which Gartner figures at $16 per customer record.

The PCI Security Standards Council, an organization founded by Visa, MasterCard International, Discover Financial Services, JCB International Credit Card Co. and American Express Co., provides a list of security assessment providers at PCISecurityStandards.org.

Keeping customers
Pressure is now coming not just from the credit card companies who are attempting to enforce the standards, but also from consumer awareness of the vulnerability of data. In a recent survey of 2,000 consumers by the Chief Marketing Officers Council, 40% of respondents said they had aborted a planned purchase either online or in a store because of concerns about the security of their personal data. In the same survey, 50% of respondents indicated they would avoid buying from a company whose customer databases had been hacked.

If consumer attitudes and the fear of public shame aren’t enough to sway technology plans, the credit card companies have implemented a new schedule of fines for security breaches. Visa U.S.A., for example, will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 (1-6 million transactions per year) merchant that is not compliant with the PCI standards by Sept. 30 for Level 1 merchants and Dec. 31 for Level 2. In addition, acquirers face monthly fines of up to $10,000 if they failed to confirm by March 31 that their Level 1 and 2 merchants were not storing full-track magnetic stripe data.

As part of the new program—the PCI Compliance Acceleration Program—merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.

Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, Visa U.S.A.’s vice president of payment risk.

Meanwhile, government may be stepping in. State Rep. Michael Costello has submitted a bill to the Massachusetts legislature that would require merchants responsible for data breaches to pay for the replacement of plastic cards tied to stolen or compromised accounts. “If retailers know they’ll be held liable, they’ll be more likely to secure customer data,” says Adam Martignetti, Costello’s chief of staff. The first legislation of its kind, the bill has been generating interest from other states and from federal legislators, he adds.

Just the beginning
While compliance with payment card security standards is a good beginning toward preventing stolen or otherwise compromised customer data, it can be most effective when backed by continued security maintenance and improvements. As Golfballs.com got audited for compliance, for example, it realized it needed to modify its web server so it would not reveal to a hacker which version of Microsoft Corp.’s Internet Information Server software it used, preventing a hacker from learning how to break into data files. “That’s something we probably wouldn’t have done otherwise,” Bonin says.

But Golfballs.com hasn’t stopped looking for security holes, in effect going beyond the basic PCI requirements, he adds.

One of the more troublesome forms of attacks, experts say, is an SQL Injection, through which criminals insert extra characters and words at the end of web page identifiers in an effort to bypass a retailer’s network access rules to grab sensitive information like customer account data from back-end databases. Making this threat even worse is that retailers often don’t know that their network is open to such attacks, experts say.

Golfballs.com discovered it was open to SQL Injections through a security check by ScanAlert Inc.’s HackerSafe site monitoring and security system, Bonin says. So when the retailer rebuilt its web site on Microsoft Corp.’s .Net 2.0 technology platform during the first months of this year, it redesigned its web access system to block SQL Injections.

Using tools within .Net 2.0, the retailer’s two-person I.T. staff configured a system to route page requests through a software module that instantly recognizes whether a page identifier has extra characters that might be used in an attempt to pull information from protected databases. “Retailers shouldn’t have to worry about data intrusions if their site is set up properly,” Bonin says.

Hi,

Your processor is raising your rates on April 13, 2007 and June 15, 2007. Have they told you yet?

We won’t which means now we can save you even more money!

Bill

n its first large-scale realigning of interchange rates, MasterCard Worldwide’s independent board of directors is wielding power to redress concerns of some of the most vocal merchants.

MasterCard will change many rates for its U.S. Consumer Credit cards. Most striking is a switch to two card types: Core Value and Enhanced Value (rewards) cards. New rates will take effect April 13.

“The Consumer Credit Enhanced Value program provides a new economic structure for meeting minimum rewards value requirements,” one processor noted in an interchange bulletin issued to its ISOs in early February.

MasterCard did not respond to requests for information.

Enhanced Value hikes in June

On June 15, the Standard rate for a MasterCard Consumer Credit transaction will rise from 2.75% plus $0.10 to 2.95% plus $0.10.

The difference between core and enhanced values is evident in the following categories, in which Core Value will drop from the current rate on April 13, but Enhanced Value cards will take a sometimes steep hike on June 15. All these rates will carry a $0.10 fee per transaction.

· Full Universal Cardholder Authentication Field (UCAF): Core Value will drop from 1.74% to 1.68%; Enhanced Value will rise to 1.83%.

· Key-Entered and Merit I: Core Value will drop from 1.95% to 1.89%; Enhanced Value will rise to 2.04%.

· Merchant UCAF and Merit 3 – Base: Core Value will fall from 1.64% to $1.58%; Enhanced Value will climb to 1.73%.

· Passenger Transport: Core Value will drop from 1.83% to 1.75%; Enhanced Value will rise to 1.90%.

· Travel Premier Service: Core Value will drop from 1.74% to 1.58%; Enhanced Value will rise to 1.90%.

On April 13, rates in the following three MasterCard Consumer Credit categories will drop. Come June 15, they will remain at these rates.

· Merit 3 – Tier 3 will decline from 1.58% plus $0.10 to 1.55% plus $0.10.

· Warehouse Base will fall from 1.48% plus $0.05 to 1.10%, with no flat fee per transaction.

· Warehouse – Tier 1 will drop from 1.27% to .90%.

World Elite rate increases

In April, MasterCard World credit card rates will remain flat or, in some cases, drop by up to three basis points. The World Restaurant rate will be an exception. It will increase from 1.64% plus $0.10 to 1.73% plus $0.10.

World Elite cards will show the biggest rate increases in the following categories:

• Standard
• Full UCAF
• Key-Entered
• Merchant UCAF
• Merit 1 and Merit 3 – Base
• Supermarket – Base
• T&E, which is rising 45 basis points.

The company is also creating a T&E Large-Ticket category.

4 new Commercial cards

In April, MasterCard will introduce several new U.S. Commercial credit card types: Corporate World, Corporate World Elite, Business World and Business World Elite.

Commercial, Corporate World and Corporate World Elite rates will remain largely unchanged from the current fees. However, MasterCard will introduce two new Large Ticket categories for all five cards.

The new Business World and Business World Elite card rates will all be 0.15% higher than the Commercial, Corporate World and Corporate World Elite card rates.

Petroleum windfall

Gas stations will enjoy the most beneficial changes. Since the dramatic rise in gas prices two years ago, gas station owners have been calling for a reduction in interchange rates.

Come April 13, MasterCard will cap its charges on individual petroleum sales.

The U.S. Consumer Credit Petroleum rates (Core and Enhanced) will be 1.90% with no flat fee per transaction. The Petroleum rate for World and World Elite cards will be 2%. The maximum charge per transaction on all MasterCard-branded cards will be $0.95.

The cap will benefit merchants on an interchange pass-through pricing model, according to Chad Lowrey of Chase Paymentech Solutions LLC. Petroleum merchants on a three-tiered pricing model will not benefit from the cap unless their ISOs pass that on. Many station operators are still on the three-tiered model, he added.

Dee Karawadra, Chief Executive Officer of Impact PaySystem, estimated 80% of the company’s petroleum merchants are now on pass-through pricing. He said with tiered-pricing merchants, ISOs can potentially earn quite a bit from the change.

MasterCard U.S. Consumer Debit Petroleum rates will remain at 0.70% plus $0.17, but will operate on the $0.95 cap.

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

There’s no reason to suffer unjustified chargebacks. Only a liar would tell you that if you switch to us that your chargebacks will cease but I will give you advice on how to avoid them and if you do suffer them we work closely with attorneys that specialize in the credit card industry and also a firm that deals only with chargebacks. The fees can be very reasonable and on a contingency basis. And no-we don’t get a referral fee. We just like to help our merchants in any way we can.

‘ve researched the class action and here’s my findings. This is a very famous suit in our industry. Walmart was the leader because when debit cards first came out the rates were the same as regular cards and there were no options for PIN pads. The MC/Visa pirates and their member banks ripped merchants off big time. It covers the time period you were accepting between 10/25/1992 and 06/21/2003. The first point is you are entitled to money The second point is you should make a claim as it’s easy and free (except for the in place lawyer fees). Many merchants are receiving their claim forms. If you have not received yours or have misplaced it no problem just go to http://inrevisacheck-mastermoneyantitrustlitigation.com/

Merchant claims still accepted, feds to receive over $7 million

ligible merchants can still file claims to receive their fair share of the settlement in the class-action “Visa Check/MasterMoney” antitrust case, according to Lloyd Constantine, Partner with the law firm Constantine Cannon, the lead counsel for the plaintiffs.

Also called the Wal-Mart suit for its lead plaintiff, the case, which concluded in 2003, threw out the card Associations’ honor-all-cards rules. It also established a settlement fund with nearly $3 billion in damages from the card Associations.

The law firm has not yet decided when to close the class. “If and when it’s our recommendation to the court that we end that, we will give public notification well in advance,” Constantine said in an interview.

U.S. merchants who accepted cards from Visa U.S.A. and MasterCard Worldwide between October 1992 and July 2003 are eligible for an award.

Making a federal case out of it

In recent weeks, the law firm has mailed checks to most class members (see “Industry Update” in this issue) and reached a settlement with the federal government.

In early 2006, the Justice Department sought to become a member of the merchant class. The government estimated its signature debit, credit and PIN debit claims at up to $11 million.

Counsel for the merchants asserted the government could sue the card Associations on its own behalf and had no standing in the merchant class. Negotiations led to the following compromise in December:

The merchant settlement fund will pay approximately one-third the amount ($3.7 million), Visa and MasterCard will pay about one-third, and the government has agreed to forego about one-third. Visa will pay $2 million and MasterCard will pay $1.5 million.

The compromise was the best course, Constantine said, because the government’s claim was 1) not a significant portion of the proceeds, and 2) hampering efforts to award funds to class members.

“While this dispute was pending, it was … casting a shadow over the settlement fund,” he said. The government’s claim prevented the fund from making final estimations of awards.

Given that the U.S. District Court had not ruled on the government’s claim, a compromise was preferable to waiting out the estimated two-year appeals process that would have followed a court decision.

Facing the music

As part of their 2003 settlement with merchants, Visa and MasterCard agreed to label debit cards as such on their face. The deadline for complying was Jan. 1, 2007. Member banks have re-issued their more than 250 million Visa- and MasterCard-branded ATM/debit cards with the word debit on the front.

“I was pleased to see that [issuing banks] were ahead of schedule in doing that,” Constantine said. Banks appear to have fully complied, but the firm has issued advisories to consumers asking them to report any failure to distinguish debit cards from credit.

Also part of the 2003 settlement: Merchants accepting the brands would now be allowed to ask for another form of payment when either type of card is offered for payment.

The card Associations agreed to pay $250 million annually into the settlement fund for 10 years.

From this, the fund will pay new claimants and, in 2007, make a major distribution to class members who accepted PIN debit during the period covered by the lawsuit.

Although merchants have generally been given one-time payments of all damages to which they are entitled, any money left over at the end of the fund’s life will be distributed as residual payments.

The court agreed in December to Constantine Cannon’s proposal that the 35,000 claimants who were owed less than $5 apiece be paid amounts of approximately $12 each.

The larger payment compensated them in full for any future residual distributions, to avoid sending checks for miniscule amounts at a later date, Constantine said. Those checks were part of the most recent distribution.

Article published in issue number 070102

Robbery on the Electronic Highway ONLINE BROKERAGE FIRMS: THE NEWEST TARGET

The age of electronic information, for all of its upside, does have a downside – it takes something extremely valuable and turns it into something incredibly portable. This makes electronic information not only the best thing to happen to business since the telephone, it also makes it the perfect target for thieves. Information theft, particularly identity theft, is a fast-growing problem that affects millions of people around the world. It takes many forms, from “phishing” schemes targeting individuals with online shopping accounts, to mass information theft from large databases where sensitive consumer information is stored. But there’s a new game in town for information thieves – a sophisticated fraud scheme that has been targeting some of the world’s largest online brokerage firms.
In recent months, overseas hackers broke into customer accounts at major U.S. online brokerages and made trades worth millions of dollars. Ameritrade Holding/TD Ameritrade, the third largest online broker, reported that this new form of online fraud cost them $4 million in Q3 2006. E*Trade Financial Corp, the fourth largest online broker, reported that fraud losses increased by $18 million in that same quarter. Both companies reimbursed customers for losses despite the fact that brokerage accounts are not protected by the Federal Deposit Insurance Corporation (FDIC) and other rules that protect banking customers. The Federal Bureau of Investigation (FBI), National Association of Securities Dealers (NASD) and the U.S. Securities and Exchange Commission (SEC) are working to determine the cause of the fraud, which is being classified as a “pump and dump” scheme – one of the several increasingly popular information theft scams, often initiated from locations like Eastern Europe and Thailand.
In a pump and dump scheme, information thieves steal passwords for victims’ online brokerage accounts, then use this information to purchase stocks using the hijacked accounts. In recent cases, thieves purchased a large number of shares of small-cap low-volume stocks using an existing brokerage account, then liquidated the assets of the hijacked account and used the proceeds to purchase the same small-cap stocks. This drove up the price of the original shares so that the thieves made a profit when they sold the previously purchased stock. Not only was this very profitable for the thieves, it was a clean theft since the stock market essentially laundered the proceeds. In addition, pump and dump schemes may go unnoticed at the brokerage firms because funds are not withdrawn; they’re used to purchase stocks.
Regulators say they’ve seen an increase in pump and dump schemes over the last few months, along with another type of brokerage scam where thieves fraudulently obtain a customer’s log-in credentials, liquidate the account and wire the proceeds to offshore banks.
The experts believe that in recent cases, the passwords were acquired by installing keystroke-logging software on public-access computers, located at Internet cafés or hotels, or by tricking users into installing keystroke-logging software on their own computers. Once the software was installed, the thieves waited until the user typed their user name and password. The software then sent the information to the thieves via the Internet.
Thieves are also obtaining passwords and other sensitive personal information by using “screen-scraping” software. This technology captures whatever is on the screen and sends it to the perpetrator. “Phishing” is another popular method for obtaining account information. It uses e-mails that appear to be from trusted institutions to get users to visit bogus Web sites, where they are encouraged to log in, thus revealing sensitive information. Thieves will also use phishing scams to encourage people to unknowingly download keystroke-logging software.
With the number of incidents rising over the last year, it’s clear that this problem is only getting worse. At an industry conference in Phoenix on October 5, John Walsh, chief counsel in the SEC’s office of compliance inspections and examinations, publicly recognized this growing trend and acknowledged that hackers’ attacks have grown in sophistication.
While brokerage firms are responsible for protecting the sensitive information in their care, some of the responsibility for keeping personal account information safe lies with consumers. According to John Gannon, vice president of investor education for the NASD, consumers should be monitoring their accounts for any unauthorized trades. It’s likely that consumers will start feeling some of the heat generated by these fast-growing crimes as the industry may be looking to consumers to share the burden of protecting their sensitive information.
There are several things consumers can do to help keep thieves out of their online accounts. The SEC has published a guide called Online Brokerage Accounts: What you Can Do to Safeguard Your Money and Your Personal Information. You can find it online at www.sec.gov/investor/ pubs/ onlinebrokerage.htm. This guide provides helpful information on scams and how to avoid them, and includes tips on how to protect yourself online and how to know if your identity has been stolen.
But while consumers are the first line of defense, they are not the only factor in preventing online fraud. Although the online brokerage firms have demonstrated exemplary behavior towards their customers over the last few months – reimbursing them for the losses they incurred – it’s obvious from the attacks that the fraud monitoring systems that these firms have in place can be circumvented.
Fortunately, there are a host of security technologies, including new data activity monitoring and behavioral analysis solutions, that can be added to the lines of defense already in place at many firms to identify suspicious activity. It’s safe to say that reputable online brokerage firms will do everything in their power to avoid future mishaps. Breaches such as these are very expensive. Beyond the obvious losses they incur when they reimburse millions of dollars to customers affected by fraud, this is also a customer-retention and a brand equity issue.
Ultimately, the solution to brokerage fraud lies in consumers and institutions working together to address the problem. Consumers must stay informed and take the necessary precautions to protect account information and passwords, as well as closely monitor the activity in their accounts. Institutions must make sure that the layers of technology are in place to know what’s really going on with the valuable assets in their care. There will always be bad guys to be dealt with where valuables are concerned, but despite malicious hackers and information thieves, the upside of the electronic information age still far outweighs the downside.

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.