1-866-769-7981 | E-Mail Us News

April 2, 2014 2:43 am


SINCE the 1970s, paying with plastic has been pretty standard everywhere: Customers swiped their cards, signed receipts and took home their purchases.

But after security breaches at Target late last year led to the loss of personal data from as many as 110 million customers, the financial industry is racing to adopt technologies that will alter that decades-old ritual.

Driven largely by security concerns, credit card companies and issuers say they are working to make the system as consumers know it obsolete through smart chips and advanced computer programming.

To many, it is about time. The roots of the magnetic strip on credit cards extend back to World War II, ample time for thieves to learn to hack and steal those black lines of prized account information.

Credit card fraud totaled nearly $5.3 billion in the United States alone in 2012, giving the industry plenty of incentive to devise a better system. The amount lost to fraud continues to grow by 30 to 50 percent a year, according to estimates from the Aite Group, a research company.

Efforts to bolster card security were underway well before hackers broke into the systems of Target, Neiman Marcus, Michaels and other store chains. But the recent data breaches injected new urgency into adopting newer technology.

“I think this will become a defining moment about how we in the industry think about security,” said Eileen Serra, the chief executive of Chase Card Services.

The credit card industry, especially in the United States, has long relied on increasingly sophisticated analytical programs to weed out potentially fraudulent transactions. But it has also focused on a handful of technologies it contends will better protect customers in stores and online.

One is placing microprocessors onto cards, a standard known as E.M.V. for its initial backers: Europay, MasterCard and Visa. Another is known as tokenization, a way of masking consumers’ card information over the Internet.

“It’s about taking vulnerable data out of the merchant environment,” said Ellen Richey, Visa’s chief legal officer.

E.M.V. is the best-known technology. Such cards are embedded with smart chips authenticating that their bearers are their rightful users. The chip is also extraordinarily difficult for thieves to counterfeit.

Cardholders verify the transaction with a PIN or a signature. Though the latter is less secure, it will likely be more prevalent in the United States at first, though Chase and others expect to offer chip-and-PIN cards this year.

Europe and parts of Asia have already used the system for the better part of a decade, while American merchants and issuers have balked, largely because of cost. Chip-equipped cards cost an estimated $1.30 each to make, while a standard plastic card with a magnetic stripe on the back costs roughly 10 cents. Retailers, too, have been loath to update their systems to accept chip technology because of the added cost.

“E.M.V. is going to cost billions of dollars to implement in this country,” said Shirley W. Inscoe, an analyst at the Aite Group.

But research suggests that the system works. In 2005, when Britain fully phased in the E.M.V. technology, credit counterfeit card fraud was 25 percent; such fraud plummeted to 11 percent seven years later, according to the Aite Group.

Visa, MasterCard and American Express all announced road maps for adopting smart chips more than a year and a half ago, with the aim of forcing most retailers and issuers to put E.M.V. in place by October 2015 in the United States. By then, the liability for any counterfeit fraud will fall on whoever has not adopted the chip technology. (Gas stations and A.T.M.s will have until 2017 to meet the new requirements.)

From 17 million to 20 million chip cards have been issued in the United States, according to the Smart Card Alliance, an industry group. But that represents just 2 percent of the one billion cards in use.

In many ways, the chip technology is already decades old. It has been around since the 1990s, born in an era before the Internet and widespread e-commerce.

Industry officials concede that such technology would not have prevented the data breach at Target, or any sort of online fraud in which thieves obtained lists of customers’ credit card numbers. Markets where E.M.V. has been adopted have shown a significant increase in Internet fraud.

That is a gap that tokenization is meant to fill. The technology works behind the scenes of a digital transaction: Customers still put in their card number, but software then transforms that information into a one-time token — a randomly generated code — that is sent through the payment-processing chain. Thieves who intercept the code can do little with it without the means to unscramble the token.

To many in the industry, part of the technology’s appeal is that it requires less upheaval than E.M.V. Customers still put in card information as they always have. And the digital tokens are largely in the same format as traditional card numbers, but mask identifying information.

“Now you don’t have personal information around the world,” Ms. Serra said. “With tokenization, we can keep that data much more secure.”

The hope of digital tokens is that they will not be confined to any one way of paying. Websites, digital wallets and mobile devices could all use the technology, broadening its utility.

“Every device should have the same foundation,” Ed McLaughlin, MasterCard’s chief emerging payments officer, said.

Still, for years token technology lacked the sort of universal standard that underpins chip cards. But in recent months, a joint venture of Visa, MasterCard, American Express and others announced a proposed framework to ensure that everyone was on the same page. At least two of the five biggest card issuers in the United States are adopting some form of tokens, Ms. Inscoe said.

A framework for token systems is still being built, and meaningful adoption is years away, said Randy Vanderhoof, the executive director of the Smart Card Alliance. For now, chip cards will help eliminate the most obvious and pressing kinds of fraud. “If your boat is leaking in multiple places, and you can’t plug them all up at the same time, you plug the biggest one first,” Mr. Vanderhoof said.

Ultimately, while physical cards will remain in use for some time, many in the industry predict plastic as the primary way to pay will give way to digital wallets embedded in smartphones, tablets and other devices.

MasterCard is already testing a way for Australian consumers with Samsung Galaxy S4 phones to pay using their phones.

Smart chips and tokens eventually will be embedded in an array of computers, providing multiple layers of security, Mr. McLaughlin of MasterCard said. A consumer’s smartphone will not only have a unique ID, it will also generate one-of-a-kind tokens for every transaction — ones that can be easily be disabled if the phone is lost or stolen.

“The mag stripe will become functionally obsolete,” Ms. Richey of Visa said. “Mobile will take over.”



Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


April 1, 2014 3:26 am


CEO, Market Platform Dynamics

The Innovation Project 2014 is a wrap. And to paraphrase the words of one of our delegates, the series of rich and relevant “conversations” among the industry’s elite that started last week in Boston will fuel the actions and activities of those dedicated to driving innovation in the payments and commerce space in the years to come.

Ten such facilitated conversations took place over two days, covering topics as diverse as the differences in how payments innovators and incumbents are igniting new payment methods, how to get consumers to shift from plastic to mobile, lessons learned in igniting payments in developing markets that can be applied in developed markets, the feasibility of Bitcoin as a currency, and whether cash could be on life support, for real, some time soon.

One of the most spirited discussions was on the topic of cyber crime and what the payments industry needs to do about it. Former White House Cyber Czar and cyber security expert Richard Clarke and First Data’s GM of Cyber Crime, Paul Kleinschnitz, initiated this conversation. Panelists included a group of security and fraud experts whose diverse backgrounds and points of view inspired a very candid conversation including The Clearing House’s Dave Fortney, Experian’s Michael Bruemmer, Cortex MCP’s Shaunt Sarkissian, Loop’s George Wallner and Fiserv’s Tom Tobin.

Richard Clarke set the stage by telling us that cyber crime really does pay and is a business that recruits highly qualified Ph.D’s in math from Eastern European universities who go to work every day relentlessly focused on stealing money and data from our financial systems. He told our group that there are only two kinds of companies – those who’ve been hacked, and those who have and don’t know it. He pointed out that almost every large and midsize company in the U.S. has been compromised and that it takes an average of 253 days for a company to realize it has been hacked. He also said that 85 percent of those breaches are caused by people “doing the wrong thing,” citing the Target breach as the poster child for that data point.  He also mentioned that, while the hackers are profiting from the fruits of their labor – Target’s 100 million compromised accounts that could sell for anywhere between $20 and $100 per account – Target has since seen a 46 percent drop in profit quarter over quarter and has said that ongoing expenses related to the breach could have a material adverse effect for the 2014 Q1 earnings and beyond.

Yes, cyber crime really does pay and, yes, cyber crime really does cost its victims dearly.

But I have another, even more controversial takeaway from this panel, and that’s this: we should push the “pause” button on EMV right now, rethink our approach to keeping cardholder data secure, and reinvent how the card industry protects itself from the risks of cyber security.

Here are the 6 reasons why:

1.  EMV solves the wrong problem – and an old one at that.  

Yeah, I know, you’ve heard this from me before. But last week, it wasn’t just me expressing this point of view; someone on the panel even went so far as to say, “EMV is a swear word.”   Sure, we need to “fix” the problem of static PAN data transmitted via the mag stripe, but EMV-issued cards in the U.S. won’t eliminate that risk since they will include mag stripes for some time, just as those issued by non-U.S. banks do today. And at the moment, the prevailing standard is “Chip and Choice,” where a PIN is not required. Published reports suggest that using a PIN with debit transactions reduces fraud by a factor of 5x. Not clear that EMV implemented without requiring a PIN makes much sense.

And in terms of eliminating fraud? Well, we don’t even need to speculate as to whether this is a fait accompli. It isn’t. In the countries where EMV has been implemented, fraud via card counterfeiting has declined dramatically, but card-not-present fraud has increased by as much as the card fraud has declined, if not more. It’s like the fraud “whack a mole” game – beat down fraud via card counterfeiting, and it pops up online.  Now advocates say that the online risk is lower since the volume is lower, but as card transactions increasingly move to the cloud, which is where payments is headed, that risk will only intensify. And the industry will have to spend even more money to eliminate that risk, after having spent lots of money on a solution that just moves the problem to a different place.

2.  It’s not really clear that we have a real problem to solve.  

There was an interesting discussion about how much of a fraud problem we really have in the U.S. and worldwide. In the U.S., fraud exists, but it is very low. In fact, the rate of fraud for online transactions is less than 1 percent, which is exactly where it was in 2010. When fraud dollars are reported, those numbers are higher, which makes sense, of course, since the base since 2010 has grown, but the rate at which fraud is occurring remains constant. Interestingly, outside of the U.S., and where EMV has been implemented, online fraud rates are more than twice that rate.

According to Nilson, in 2012 worldwide total transaction volume of credit, debit, prepaid, private label cards was $21.604 trillion, with fraud losses worldwide of $11.27 billion – or roughly 0.05 percent, or 5.2 cents, per $100.  Douglas King, who authored a report for Atlanta’s Federal Reserve Bank, questioned whether the U.S., looking at these overall numbers, felt there was enough of a problem to invest the billions needed to move to EMV, which, as I’ve noted, doesn’t really eliminate fraud but simply moves it to a new playing field. It’s worth noting that this report was published before the Target breach, but the question remains: how much should the payments industry invest to reduce fraud – and to reduce it to what level?

It’s an important and valid question.  Every industry, not just payments, has to make decisions about investing to eliminate its major source of risk entirely versus reducing it to an acceptable level that also doesn’t impose too much friction on their customers in the process. And, in fact, those in law enforcement have to do cost benefit calculations, too. We can always spend more money to get less crime, but the question is whether the additional spending is worth the additional crime reduction.

9/11 is also a good proxy for this thought process. Post 9/11, the U.S. invested in new systems and policies designed to reduce the risk of terrorists using airplanes as weapons of mass destruction. In the early days of that horrific incident, that even included forcing passengers to stay seated during the first and last 30 minutes of flights headed into or departing from Washington, D.C.  We could have made a decision to eliminate such risks entirely by having people completely disrobe for scanning before boarding an airplane or banning carry-on luggage entirely – as was done to and from the UK in the early days following the aftermath of 9/11, or subject passengers to El-Al airline screening prior to every flight. Hey, we could even have stopped flying and made people walk or take the train or the bus everywhere.

Instead, over the last several years, the TSA has implemented systems like Pre-Check that allows expedited screening for passengers who have gone thru a background check and have installed the somewhat controversial body scanners that check passengers for hidden explosives and have adjusted acceptable levels of carry-on stuff.  But all of those things don’t eliminate entirely the risk of bad things happening – it just makes it more of a pain for the bad guys to do bad things, which, I say as a TSA Pre-Check passenger, is a tolerable amount of friction introduced into the system.

Now back to payments. We could eliminate the risk of payments fraud completely by making consumers use cash to pay for their purchases. Or subjecting them to an arduous authentication process that would, as we’ve seen with 3-D Secure, eliminate the consumer’s appetite for making purchases online, which only hurts merchants. Or, as we are now about to do, spend billions on a standard that only attacks a small piece of a problem that isn’t really that big to begin with.  And, as our panel said, to what end – to eliminate a risk that is already really low? Where’s the ROI – and for whom?  I haven’t seen any of the advocates produce a real ROI analysis—please send, and we’ll post on

3.  EMV makes the wrong people pay

Richard Clarke made a point that “we” as an industry need to understand who’s suffering as a result of the breaches, and then upon answering that question who should pay.

This is where the conversation gets really interesting.

Someone on the panel remarked that the big conundrum of payments is that the parties who issue the cards are completely disconnected from the parties who accept the cards who are completely disconnected with the people who use the cards. Further, today, the parties being asked to change – and being forced to pay – are the consumers who will be inconvenienced by being asked to “dip” and not swipe and the merchants who are being asked to install new equipment or else face the risk of liability and the banks who will be forced to issue new, more expensive cards. According to Nilson, issuers last year absorbed roughly 63 percent of the risk while merchants absorbed 37 percent.

Target has said it will spend $100 million installing EMV readers, but that’s just the tip of the iceberg. There are more than 16 million devices in the U.S. that will have to be upgraded to support EMV payments at a cost of between $200 and $1,500 per device. Taking the low end of the scale, at $200 per device, that’s a $3.2 billion expense (just for the equipment) to the industry, borne by the merchants, not to eliminate fraud but to simply watch it move to another channel, that they’ll also have to invest in new solutions, like tokenization, to fight.

And if you wanted to put a price tag on this to the consumer, assuming that consumers would pay a penny not to have to dip instead of swipe, they’ll be paying another three-quarters of a billion dollars annually (assuming 75.6 billion credit, debit and private label card transactions in 2013) notwithstanding, of course, any of the price increases that they’ll be paying for merchandise bought at merchants to offset the costs of these new devices, they’ll absorb. And these price increases will be borne by consumers, who, for all of the wailing and gnashing of teeth over the Target breach, don’t really feel the pain – roughly 90 percent of those whose accounts are at risk because of a retailer’s breach sign up for credit monitoring after the fact.

Consumers know that they are protected in the event of a compromise and don’t sweat it too much. But 100 percent of consumers will be asked to change how they use their cards and be inconvenienced by it, and maybe even pay more for the things they buy because of it. The big question left unanswered is the extent to which they feel that the tradeoff they are being asked is helping them in any way since they don’t perceive a real problem today.

But here’s the real crime. Those who are perpetrating these crimes are laughing all the way to the bank. Cyber crooks operate today in sanctuary countries like Russia, well out of our reach to find, much less prosecute. If we, as a payments industry, really wanted to put some teeth into getting rid of cyber fraud, we’d be knocking on the doors of our members of Congress about putting the screws to the countries that harbor these bad guys, slapping on fines and penalties, even cutting off their ability to access U.S. Internet sites.  We, as an industry, would be far better off mobilizing Congressional hearings on that point rather than risking that the government decides it needs to intervene on imposing a fraud standard for the industry because of the media coverage of the breach and the faulty assumption that fraud rates are out of control.  At the moment, the people who inflict the pain and impose the costs on our payments system are getting off scot free.

To put this another way, we could take some of the billions we’re spending on the EMV upgrade and use it to lobby Congress and the president to put the screws on countries that harbor these criminals that are wreaking havoc on us.

4.  EMV does nothing to help in the short term.

Yes, Virginia, there is a deadline set for the liability shift, but it’s not realistic to think that most merchants will be able to make that deadline. Until the Target breach, the prevailing wisdom was that EMV was going to be languish as merchants looked to other, cloud-based payment options, and security solutions linked to those payments alternatives. Now, out of fear and motivated by the PR value of saying that they are embracing EMV, their priorities have shifted sharply.

Even so, there just isn’t enough time to implement EMV in 16 million terminals in about a year’s time. So between now and whenever all 16 million terminals are upgraded,  two, three or even more years from now, cardholder data transmitted by EMV cards with mag stripes will continue to be at risk of compromise at the physical point of sale, not to mention moving online as history tells us will be the case.

There are solutions available now that could, for a lot less of an investment, protect cardholder data by making it useless to the bad guys. After all, if data are what they want, then making it useless should be the focus. And tokenization and end-to-end encryption solutions, among other things, are technologies that are available today that can accomplish that goal and are embraced by the networks.

5. EMV is taking our eye off the real threat.

I think that even EMV advocates would agree that EMV wouldn’t have prevented the Target problem. But as one panelist said very well, point-of-sale fraud is bupkus when compared with the volumes that pass over the ACH network, CHIPS and the Fed Wire every day.  NACHA reports that in 2013, an estimated $40 trillion dollars moved from bank account to bank account every day at an average value of $1,760 per transaction. If the bad guys really wanted to wreak havoc, that’s where they’d turn their attention, if not to steal money outright, to shut down our ability to conduct commerce as a nation and as a world.

Ditto with the SWIFT network, which passes secured messages related to financial transactions between more than 10,000 users at FIs and companies in 210 countries resulting in an average of 10 million messages a day. A question raised by someone on the panel was the degree to which our efforts should be focused on ensuring that these systems remain rock solid versus spending tens of billions on systems that have relatively low risks of fraud to begin with. Sorry Target, you get all the press, but you are really small potatoes.

6.  EMV is taking our eye off the real opportunity.  

A big question related to the risk/return/reward equation of investing in EMV raised by this panel is the consequence of diverting attention away from the move to digital payments enabled by connected devices that can secure cardholder data in superior ways. Merchants are interested in supporting mobile payments for a variety of reasons, something underscored by the decision of MCX to adopt a mobile/digital only scheme.

Mobile commerce provides merchants with the opportunity to communicate with their customers and target and serve their most profitable and desirable consumers better with a solution that is potentially more secure than what exists today at the physical point of sale. The deployment of EMV only forces them to divert attention and resources away from something that adds value to the consumer as well as the merchant and the overall payments system.

The discussion that we had last week laid out a number of facts that took the conversation about the merits of EMV from one that simply waved hands around why we should embrace it to one centered on a bunch of facts that paint a very compelling picture about why we might need to push pause and rethink it all.  As I’ve said  before, simply implementing a 30-year-old technology because everyone else in the world has already done it, doesn’t make it the right thing to do right now. And the facts bear this out.



Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!



March 31, 2014 12:44 pm

Dialing for Dollars

At least one brand of ATM can be robbed by sending the machine a text message, then walking up and collecting the ejected cash.

It’s not quite as simple as it sounds. The ATMs, which in this case are actually Windows PCs, need to be running Windows XP and need to be infected with a Trojan called “Backdoor.Ploutus.B” or simply “Ploutus,” which can only be installed by loading a CD into the ATM’s optical-disk reader.

Criminals also have to open the plastic cowling covering the ATM’s innards to access the computer. But they don’t have to crack into the ATM’s safe, where the money is held.

Once the malware is installed, the ATM also has to be hooked up to a mobile phone via a USB port, as Symantec reports on its blog.  But if you can complete these two steps without anyone finding out, you can then command the infected ATM to spit out cash just by texting a message to the attached mobile phone.

When the mobile phone receives a properly phrased text message, it then translates the text into a network packet and send it to the ATM. Ploutus then transforms the packets into command-line instructions.

“It may seem incredible, but this technique is being used in a number of places across the world at this time,” Symantec’s Daniel Regalado wrote on his company blog.

As Regalado pointed out, this setup means the criminals only have to tell their “money mules” which ATMs to go in order to get the discharged money. All the other information — the necessary code, the contents of the text message, the amount of money to be output and the time of the output — stay in the cybercriminals’ sole control.

The setup could last indefinitely too: Because the phone is connected to the ATM, it is constantly recharging and never runs out of power.

Symantec first identified Ploutus in Mexico back in October 2013, when the malware had to be controlled from a computer keyboard plugged into the ATM’s hidden guts.

Ploutus apparently only affects a single brand of ATM, but Symantec has not released the brand name. It did note that the Trojan, originally written in Spanish, now has an English-language variant, suggesting that the criminals behind it might hope to expand their operation.

Because the criminals need time to tamper with an ATM to set this up, a good old security camera is probably the best line of defense against Ploutus.

In his blog posting, Regalado notes that on April 8, Microsoft will end all support and security patches for Windows XP — the so-called “XPocalypse.”

“ATMs are basically computers that control access to cash, and as it turns out, almost 95 percent of them run on versions of Windows XP,” Regalado wrote. “The banking industry is facing a serious risk of cyberattacks aimed at their ATM fleet.”

The reality may not be that dire. Most ATMs running XP actually run a stripped-down version called Windows XP Embedded, which Microsoft will support until December 2016. Most ATMs are not connected to the Internet and are at minimal risk of network-based attacks. And most non-bank ATMs, such as you’d find in a convenience store, run something other than Windows.

What is indisputable is, as Regalado wrote, that “cybercriminals are targeting ATMs with increasingly sophisticated techniques.” But that would true no matter which operating system an ATM runs.

(Source: Yahoo News)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 25, 2014 1:18 pm


On Friday, March 21, 2014 the last NEW RL1600 traveled through the Triton production line. LastRL16

The RL1600 was the third and final addition to the popular RL line of ATMs and was launched at the ATMIA U.S. Conference in 2009. Since then, over 10,000 have sold, including over 3,000 internationally.

“The RL5000, RL2000 and RL1600 are all now officially legacy products of Triton,” said James Phillips, vice president of sales and marketing. “We are of course sad to see that popular line end, but our newest ATM, ARGO has definitely moved in to that space in the industry.”

Feeling nostalgic? Take a look at the press release for RL1600.

PR March 2009 Launch of RL1600

(Source: ATM ATOM)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 25, 2014 1:09 pm

Customers, Third Parties Among the Greatest Concerns

Windows XPBanking institutions should be taking specific steps to prepare for Microsoft’s dropping of support next month for the Windows XP operating system, banking regulators have warned. But industry experts disagree on whether the zero-day vulnerabilities and other risks related to XP’s demise should be a major concern.

Doug Johnson of the American Bankers Association says the demise of XP support, including security patches, isn’t a cause for great concern, as long as banking institutions continue to roll out layered security controls and sufficient vendor management measures called for in the Federal Financial Institutions Examination Council’s online-banking guidance

But Tom Hinkel, a compliance consultant at financial services auditing firm Safe Systems, says zero-day XP vulnerabilities are substantial. It’s a topic he blogged about back in October, when the FFIEC issued a warning about operating system risks banking institutions are obligated to address (see What Happens When Windows XP Support Ends?).

“There is evidence that hackers have been stockpiling XP exploits for some time,” he says. “I’m truthfully baffled that it hasn’t gotten more attention. I hope this is just another Y2K scare – more hype than reality. But I don’t think that’s going to be the case.”

According to some estimates, hackers’ black-market asking price for a zero-day XP exploit could easily double after April 8, when Microsoft drops its support. Today, zero-day exploits can easily net between $30,000 and $150,000.

But Johnson, who oversees risk, physical and cyber security and fraud deterrence for the ABA, says banking institutions should not get overly concerned about the possibility of zero-day attacks aimed at XP. Attacks against numerous operating systems are happening every day, he says.

“I have a hard time seeing a great deal of threat,” he says. “I don’t think there is any stockpiling of an XP exploit.”

Banking institutions need to follow the same policies and procedures they would for any potential software or online banking risk, including customer education, Johnson says.

FFIEC Recommendations

In October 2013, the FFIEC issued risk mitigation and regulatory and security compliance consideration related to Microsoft’s discontinuation of support for XP. The FFIEC warned banks and credit unions of risks associated with computer systems, servers and payments devices, such as ATMs and point-of-sale terminals, that continue to run XP.

Regulators also noted the need for assessments related to ongoing compliance with authentication and online security guidelines outlined in the FFIEC Information Technology (IT) Examination Handbook, as well as with mandates, such as the Payment Card Industry Data Security Standard.

Specifically, the FFIEC notes the need for:

  • Ongoing risk assessments to identify and measure risks that could result from the continued use of XP throughout the organization and at third parties;
  • Considering the impact on business continuity and disaster recovery;
  • Considering compatibility with other systems and applications, as well as costs and new risks;
  • Developing an implementation plan to prioritize changes and monitor related third parties’ mitigation and migration activities;
  • Monitoring risk and ensuring the effectiveness of controls is tested periodically with results reported to senior management or the board of directors.

Both Johnson and Hinkel say banking institutions, as well as their customers and vendors, do not have to immediately upgrade their operating systems. But eventual migration away from XP is recommended, they say.

Meanwhile, banking institutions need to work with their customers on the issue. “Customer education is important; but the last thing you want to do is create undue concern,” Johnson says.

“It would not be prudent to allow customers to conduct high-risk transactions,” through an operating system that could have unknown vulnerabilities, he explains. “But institutions need to be prudent as well, and be very willing and able in the high-value market to be responsive.”

Regardless of the operating system, banks and credit unions must and are constantly monitoring their high-value and high-risk online transactions, Johnson says, continually “looking for where the vulnerabilities may exist and finding ways to patch those vulnerabilities and their customer systems.”

Mitigating Risks

Johnson and Hinkel agree that banking institutions’ two greatest areas of risk regarding XP are customers and third parties.

“The eBanking Handbook does clearly state that banking institutions have to manage risk, which includes the customer location,” Hinkel says. “So institutions have an obligation there. They have to understand the risks of using the customer’s systems.”

Banking institutions should ensure their commercial customers have completed an inventory of how many XP devices they have and how many are still being used to conduct online banking transactions, he adds.

And some additional care related to XP vulnerabilities is warranted, at least for the short-term, Hinkel says.

“Forget about commercial reasonableness for a moment,” he says. “You are expected to understand the risk of any and all high-risk electronic banking transactions. So if you are certain that a certain banking operating system is going to be obsolete after a certain date, aren’t you required to reach out to the customer?”

Johnson also points out: “Clearly, the [regulatory] agencies have shown a greater interest in both third-party and outsourcing risk, and, potentially, part of that is always ensuring that third parties are practicing the same level of security that the banks are in their XP migration.”

Layered security controls and due diligence should help address most third-party risks, says fraud expert Avivah Litan, an analyst for consultancy Gartner Research. “This event is not as ominous as it seems,” she says. “The banks can put in a lot of layered compensating controls around XP that they should have had in there in the first place. XP already had plenty of vulnerabilities.”



Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 25, 2014 12:43 pm

Interchange Lawsuit

Why Merchants Lost The Durbin Appeal (And Billions)

In a swift decision, a three-judge panel of the D.C. Circuit Court of Appeals upheld the Federal Reserve Board’s final rules on debit card swipe fees and routing, reversing Judge Leon’s stinging decision in favor of retailers.  It turns out that if only Congress had used “that” instead of “which” the merchants might have billions more.

The D.C. Circuit Court of Appeals sided with the Federal Reserve Board in upholding virtually all aspects of the board’s interpretation of the Durbin Amendment and its final rules concerning interchange fees and routing.  In a 38-page decision, it sent one minor issue concerning the inclusion of transaction-monitoring costs in the interchange fee back to Judge Leon. Otherwise, it reversed Judge Leon’s lower court decision in favor of the merchants.  The court concluded that the Federal Reserve Board deserved a lot of deference in interpreting the Durbin Amendment.

Sloppy Drafting

The court started by taking a swipe at the sloppy drafting by Congress. “Perhaps unsurprising given that the Durbin Amendment was crafted in conference committee at the eleventh hour, its language is confusing and its structure convoluted.” As it turns out, English grammar more so than economics was central to the court’s analysis.

The Multibillion Dollar ‘That

The court’s interchange fee analysis, on which billions of dollars of bank revenue and merchant costs depend, examined the use of “which” rather than “that” and the ramifications of not including a comma before the which.  By concluding that the “which” in Congress’ “other costs incurred by an issuer which are not specific to a particular electronic debit transaction” as a restrictive clause. The court concluded, crucially, that the Federal Reserve Board had properly concluded that there was a third category of costs that it could consider if it wanted to. According to the court’s analysis, if Congress had used “that” instead of “which,” the merchants might have saved billions of dollars in interchange fees.

Deference to the Fed

The court decided that the Federal Reserve Board did a reasonable job of interpreting a piece of legislation that was not artfully crafted. It followed precedence in giving great deference to regulators who are asked to implement Congressional legislation.

What’s Next?

The court’s decision isn’t necessarily the end of the battle between the merchants, the banks, and the Fed.  The merchants can appeal the three-judge decision to the full Court of Appeals. The appeals court can decide whether to take them up on that. The merchants also can ask the Supreme Court to review it.

For now, though, the Federal Reserve Board rules on debit interchange fees and routing stand.



Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 21, 2014 3:02 pm


As information and knowledge grow, it becomes increasingly difficult to convey concepts and opinions without some assistance. Re-enter the information graphic, which has been with us since Homo erectus first learned to draw.

In this current age we know these mechanisms as infographics. For the purposes of this discussion we will focus on currency infographics.

I was recently contacted by Madison Taylor, who works for It is common for [Counting on Currency] to be contacted by businesses wanting access to our readers.

I always decline those offers. But as Master of Finance is of an academic nature — and as I am a proponent of higher education — I decided to support their operation with the following infographic representing the current (at the time created it) value of a dollar — domestically and internationally.

Further validation for devoting a post to graphical currency knowledge was found in an infographic by Garda Cash Logistics, which represents more of an historical perspective of currency.

My thanks to both organizations for their contributions.

master of finance


garda money facts

(Source: ATM Marketplace)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 21, 2014 2:48 pm

Cardless ATM

The ATM maker Diebold has deployed a machine at Diebold Federal Credit Union that operates without a card reader or PIN pad.

The ATM relies solely on mobile authentication, the vendor says in a March 20 press release.

When a pre-registered customer scans a QR code at the ATM using a smartphone, the machine will authenticate the user via the cloud by sending a one-time password to the user’s smartphone. (The user types the code into the ATM using a virtual keyboard on the machine’s touchscreen.) This technology is designed to eliminate fraud schemes that rely on skimming card data and observing PINs as they are typed.

The ATM will also integrate the Mobile Cash Access wallet application, which allows consumers to pre-stage cash withdrawals on their smartphones. Diebold developed Mobile Cash Access with mobile wallet provider Paydiant. Users receive their ATM receipts through a mobile app rather than on paper.

Wintrust Financial Corporation and City National Bank are also testing the Mobile Cash Access software.

(Source: Payments Source)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 19, 2014 12:42 pm

Mobile Integration

When Texas bank USAA introduced mobile remote deposit capture in 2009, nobody knew how big the tool would get and how fast. But ask credit union mobile banking experts today for the defining moment in the niche’s brief history and all signs may point to MRDC.

That’s because the mobile tool potentially lets users do something they could not do quickly or easily with online banking, some insiders say. For now, deposits via MRDC are bigger than deposits at ATMs. A growing number of financial institutions are on the prowl for the new tool that may bring in that next big wave of mobile banking users with some of the larger ones leading the way.

“We already see more money coming in through MRDC,” said Christopher Owens, mobile product manager at the $4.1 billion Pennsylvania State Employees Credit Union in Harrisburg, Pa.

Meanwhile, other credit unions and vendors are expecting to see a number of new innovations deployed in the remote and mobile arenas.

1. Virtual Assistants

“I can guarantee you it won’t be long before a Bank of America rolls out a virtual assistant,” said Brett Wooden, senior vice president of marketing and innovation at the $192 million Cy-Fair Federal Credit Union in Houston.

Wooden pointed to Apple’s Siri and said, “Already, you can tell Siri to open an app. Soon, you will be able to tell her to ‘pay $75 to the electric company.’”

He strengthened his case by pointing to the huge investments that both automobile makers and established tech players such as Google and Apple are investing in in-car computer technology. Where better to reconcile an account with the help of a virtual assistant, said Wooden, than stuck in traffic.

The $2.5 billion MSU Federal Credit Union in East Lansing, Mich., is heading in that direction, said Sarah Bohan, vice president of corporate relations.

“We plan soon to build at least limited voice commands into our mobile app,” she said. “We will introduce new features in stages.”

In its first iteration, members probably won’t be allowed to pay bills but may transfer funds between accounts, make balance inquiries and do similar actions, Bohan explained.

Add it up and voice-activated virtual assistants have much going for them in a mobile phone context, some experts say. And with the rising popularity of Siri and its competitor, Android virtual assistant apps, advocates think virtual commands will be the next big thing.

2. Cardless ATM Cash Access

“We believe this can be as big as MRDC,” said Chris Gardner, a co-founder of mobile payments company Paydiant Inc. in Wellesley, Mass. “It’s super compelling. It is faster and easier and more secure than using a card at an ATM.”

Here’s how it works: A member opens the mobile banking app, selects cardless cash access, designates an amount and an account, then goes to an ATM, taps that same selection and a bar code appears on the screen. The member scans the code with his or her smartphone, it’s validated, and the ATM dispenses the requested cash.

Gardner said the service is in a pilot phase at three financial institutions with five to 10 more in a queue to get active.

“We really believe this will become very big,” he predicted.

3. Personalization

“The mobile banking app is very impersonal. Everybody gets the same. But you already see the big banks moving towards a next gen app that will be highly personalized for each user,” said Ido Ophir, vice president of product management at Personetics Technologies, a White Plains, N.Y.-based firm that develops apps that predicts customer behaviors.

“Banks are fearful they will become commodities. Personalization will help create loyalty,” Ophir suggested.

If the app knows the user and his or her interests, who would want to leave that app for a financial institution that does not know them? Ophir said the cutting-edge financial institutions get this and it may well become a battleground in the next generation of mobile banking apps.

4. Marketing Smarts

At the $5.2 billion Digital Credit Union in Marlborough, Mass., there is growing interest in finding ways to push appropriate marketing messages to members via the mobile channel, said Julie Moran, vice president of support services.

Industry watchers say with branch traffic down, some institutions are detecting a shift in volume from online to mobile banking. The problem is that with its small screen size, mobile is a challenging place to market in ways that do not annoy members.

Moran said DCU is using what it calls account manager tools to send individualized, custom messages, including members’ credit scores on a monthly basis – “so people want to look at it,” she noted. If a member has been just approved for a car loan or a home equity line of credit, a message will pop up in account manager.

While mobile marketing is in an early phase, the recognition is spreading that making the strategy work has to be solved.

5. Photo Bill Pay

“We believe photo bill pay is up and coming,” said Christopher Whalen, an e-services specialist with the $400 million Connex Credit Union in North Haven, Conn. “We don’t presently offer it, but we are investigating this. We believe it will explode.”

Experts say the genius behind photo bill pay is that it uses a strong feature of the mobile phone – a high-quality camera – to do the data input that is otherwise clumsy and slow for many who find typing on glass to be cumbersome.

“Photo banking – anything with a photo – will be big,” said Mary Monahan, an executive vice president with Javelin Strategy + Research in Pleasanton, Calif.

Ralph Marcuccilli, president/CEO of Allied Payment Network Inc., a Fort Wayne, Ind.-based firm that sells a photo bill pay service currently live at three credit unions with two more in the queue, said that half of photo bill pay customers are not signed up for Internet bill pay. This may mean the product appeals to a different user.

“People use this because of the simplicity,” said Marcuccilli. “Snap a picture, put in an amount and the day you want to pay it, and you are finished.”

He said there is also is growth in where the one-time payments can occur such as to a physician dentist, or perhaps a plumber. For that consumer, paying by snapping a photo is much easier than inputting the required data to create a new payee.

Will photo bill pay take off? Adoption has been slow and so far, no money center bank has signed up. However, little by little, Marcuccilli said the sheer simplicity of paying with a snap of a lens will take off.

With a number of channels on the cusp of breakouts, experts believe what is certain is that there will be a next MRDC and the real question will be who gets to deploy it first. Advocates are convinced that those will be the financial institutions that sprint ahead of their competitors.

(Source: Credit Union Times)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


March 17, 2014 2:37 pm

Genmega ATM w StethoscopeDespite myriad challenges — EMV migration, interchange reduction, and fast-changing technology, and more — the majority of IADs in the United States expect their business to grow in 2014.

This upbeat finding comes from the fourth annual IAD survey, co-sponsored by the ATM Industry Association and Kahuna ATM Solutions, and presented by Kahuna president Bryan Bauer at the 15th ATMIA U.S. conference in Orlando last month.

Results are based on an opt-in survey of 92 IADs between Dec. 16, 2013, and Jan. 24, 2014. Issues covered by the survey included:

  • legislative issues;
  • compliance issues;
  • migration to EMV;
  • mobile and contactless payments;
  • incremental revenue; and
  • the future of the IAD business in the United States.

Legislative, compliance and network concerns

“Not surprisingly the survey results showed that IADs are most concerned about EMV migration, reductions in interchange and surcharge restrictions,” said David Tente, executive director of the ATMIA U.S. chapter.

Closely mirroring last year’s results, EMV migration was cited as the No. 1 concern with 61.9 percent of IADs choosing it as one of their three biggest legislative, compliance, and network fears, worries or concerns regarding the health of the ATM industry.

Reduction in interchange, which was the number one concern for IADs in 2013, came in second with 52.1 percent, followed by surcharge restrictions, at 29.3 percent.

Rounding out the top five responses: governmental changes and interference based on lack of information (27.1 percent); and the impact of the Durbin Amendment (20.6 percent).

EMV migration

With the MasterCard EMV liability shift for U.S. ATMs set for October 2016, the uncertainty surrounding the development of a common debit solution, routing choices and the implications of the Durbin Amendment lawsuit, EMV migration is a major concern for IADs.

“Our clients are very concerned about the financial strain of EMV migration,” said Bauer. “Their top concern is the obvious capital investment in upgrading hardware and dispatching service personnel, but the larger, more frustrating variable is the lack of a common debit solution that would negatively impact routing choice.”

According to Tente, not much has changed in regard to EMV debit status or the Durbin lawsuit in the last few months. “There was oral testimony in the Federal Reserve Board’s Durbin appeal case last month, which seemed to favor the Fed.

As far as adoption of a common debit solution for the U.S., Tente said the three debit solutions that were announced last July remain largely unchanged.

The survey revealed that IADs are anxious to find out more about EMV and what it means for the industry. Of the respondents, 64.8 percent want more information on EMV migration, while 47.8 percent want to know about the upgrade paths for ATMs in the U.S., and 41.3 percent want to know more about the implications of the Visa and MasterCard liability shifts.

The survey indicated that IADs are beginning to embrace the idea of contactless and mobile transactions at the ATM as part of their EMV migration strategy. In 2013, only 14.6 percent of those surveyed said they were developing a contactless and mobile transactions strategy. This year 34.7 percent of IADs said they were interested in contactless transactions.

Asked what they would most like to know about contactless and mobile transactions at the ATM, 46.7 percent of IADs said they wanted to know how contactless transactions and payments could affect the ATM industry; 28.2 percent wanted to know how they could benefit IADs; and 23.9 percent wanted to know what contactless ATM transaction options are available from retail manufacturers.

Interchange reductions, surcharge restrictions

Declining ATM interchange revenue and increasing fees are among the greatest threats to U.S. IADs.

Depending on the region and the data source, average interchange income has declined by 35 to 59 percent since 2004. Kahuna reports a 35 percent decline since 2004, with average interchange income per transaction now at about 29.5 cents per transaction; ATM Data Pro reports a 59 percent decline, with average interchange income per transaction now at about 27.5 cents.

Tente said that IADs fear surcharge restrictions because, for most, it’s the only real revenue source tied to the operation of their ATMs. Any new restrictions on surcharge would be an immediate knock-out blow to the successful operation of a certain amount of ATMs, and possibly even some IADs.

Bauer agrees. “It simply doesn’t make sense to limit business or consumer activity with any surcharge restrictions. A consumer chooses to use, or not to use, an ATM based on the price of a surcharge already — we don’t need government for this. More importantly, a consumer also chooses an ATM based on the value of their time — this is the convenience factor — as well as other factors such as security. Government should not dictate what a consumer’s time or security is worth,” he said.

Growth amid challenges

Despite their concerns, 32.5 percent percent of the IADs surveyed said they expect their business to grow more this year than last; 11.1 percent said they expect growth equal to last year’s; and 6.6 percent said they planned to sell their business or were unsure of their growth strategy for 2014.

Asked how they planned to achieve business growth, 20.3 percent of IADs said they planned to acquire portfolios and 12.5 percent said they planned to align with another business to increase efficiency.

As the market changes, IADs are changing, as well. Rather than rely solely on transaction income, many IADs have added new products and services to their offerings.

According to the survey, the top five new products and services offered by IADs are (in descending order):

  • credit card processing;
  • advertising and branding packages;
  • professional support and managed services;
  • surcharge-free network access; and
  • deposit automation.

Empowerment through education

Educational topics of greatest interest to survey respondents were (in descending order):

  • EMV education;
  • the future of ATM interchange;
  • contactless ATM transactions;
  • branding and advertising at the ATM; and
  • increasing bottom-line profitability and reducing transaction expenses.

Tente said that, as they did last year, ATMIA and Kahuna would work to address those needs in 2014.

“Based on the 2013 survey results, [we] jointly developed two white papers and webinars on the top IAD concerns — interchange reductions and EMV. We received a lot of positive feedback from our membership and plan to continue the series based on the 2014 survey results,” he said.

Also at the conference, ATMIA officially launched the ATMIA Academy, an industry-endorsed online training and certification program. The academy offers 100 sessions that fall within five categories. Course material is based on intensive global research into current ATM operational practices and procedures.

(Source: ATM Marketplace)


Join AOneATM on LinkedIn!Follow AOneATM on Twitter!Like AOneATM on Facebook!


« Page 1, 2, 3, 4, 5 ... 45, »