Your phone is your next credit card

You already have your next credit card. It’s sitting in your front pocket.

People have possessed the ability to spend and send money with their smartphones for years, but mobile payments have yet to take off in a big way. Plastic and cash are still the preferred modes of buying stuff — by a long shot.

But four recent events suggest that mobile payments are about to take off in a big way.

1. This week, investors pumped $150 million into Square, the mobile-payments company that lets people turn their smartphones into virtual cash registers. The investment values the company at $6 billion.

2. Last week, eBay opted to spin off payments service PayPal. A big part of the reason: PayPal has been held back by its parent company, and the move is expected to free PayPal to increase its mobile payments presence.

3. Facebook is experimenting with a one-touch payments system, and this week TechCrunch reported that Facebook is about to release a peer-to-peer money transfer feature in its Messenger app.

4. And then there’s the big kahuna: Apple Pay. Set to be released later this month, Apple Pay will let iPhone 6 and iPhone 6 Plus users make payments at participating retailers simply by using their phones’ fingerprint scanner then holding the phone up to a scanner. Retailers who have already signed up include Bloomingdale’s, Macy’s, McDonald’s, Staples, Walgreens and Whole Foods Market.

More than 70% of U.S. adults have smartphones, and more than one in five have already used a “mobile wallet” in the past 90 days, according to Mary Monahan, executive vice president and research director at Javelin Strategy. More than half of mobile purchasers bought physical goods with their phones.

The trend lines are clear. And as more apps and smartphones push mobile payments, consumers will become increasingly willing to ditch plastic for their phones.
“Recent history would dictate that pretty much anything that has required a physical world medium for delivery — CDs, film cameras, the Encyclopedia Britannica — have been all but replaced by a digital equivalent,” said Nick Holland, a senior analyst at Javelin Strategy.
What’s not clear is which form of mobile payments will become dominant.

Square, for instance, is hedging its bets by selling a credit card reader and a mobile app that lets you pay without taking your card out of your wallet. Although the company was a mobile-payments innovator, products like Apple’s could make its most visible product, a reader for credit cards, obsolete.

“This won’t happen for many years, but in a new world where Apple Pay is seen as the shiniest new thing — where the plastic cards have the ability to be physically removed from the payment process — Square has lost quite a lot of its sheen,” Holland said.

Monahan said she believes mobile users up to age 45 will make the transition to mobile payments relatively seamlessly. As to the others, she expects the transition to be slower, but to eventually come the same way other digital adoptions have — with a nudge from the younger folks around them.

“Most likely, it will be the sons and daughters who sweet talk and cajole the parents ….” she said. ” Dad — I need the tuition check now, please. Just send it to me using mobile P2P.”
“That’s how teens got parents to text — just so parents could talk to their teens on the phone, they learned in self-defense. Now it’s the next step.”

AT&T Upgrading Wireless Towers

AT&T has begun announcing shutdown of its 2G network in some US metro areas, and we expect that they will continue to shut down 2G support city-by-city as they upgrade their network to support newer technologies. AT&T has advised that it plans to sunset its 2G network by January 1, 2017.

As a result, 2G coverage will become increasingly inconsistent going forward. In order to ensure that your wireless merchants can continue processing transactions without interruption, you should upgrade 2G wireless terminals to 3G terminals. VeriFone’s VX 680 3G is equipped with HSPA+ 3G, making it one of the fastest portable, handheld payment devices on the market today. The VX 680 3G is the way to go to maximize performance and power up your business potential. Please visit the VeriFone Zone home page to view the approval matrix listing specific processor certifications

Apple Pay Tries to Solve a Problem That Really Isn’t a Problem

I recently bought a cup of coffee, but I did not have any cash handy. I used a credit card, and the result was a veritable dystopia that will surely haunt my sleep forever.

First, I had to reach into my back pocket and remove my leather wallet. Then I had to pick out a plastic card, taking care not to pull out my driver’s license or Metro fare card. Somehow I managed to succeed on the first try. Then I swiped my credit card on a device positioned near the cash register. (Should the magnetic strip face right or left? That was my horrific choice.) Then I returned the plastic card to my wallet and went on with my day, scarred yet unbroken. I understand my credit card company will be including the $2.25 I owe them for that coffee on some sort of invoice later in the month, the receipt of which will surely will be yet another brutal reminder of the burdens of that day.

I kid, of course. Charging a cup of coffee or pretty much anything else is not a big deal. At most stores it is a remarkably seamless process, particularly now that most retailers have gotten out of the habit of requiring signatures for smaller purchases. But that’s not how Tim Cook sees it.

Tim Cook introducing Apple Pay on Tuesday in Cupertino, Calif. The system would replace credit cards.

Mr. Cook, the Apple chief executive, introduced a new mobile payments service Tuesday as part of the company’s big product rollout. The idea is that instead of experiencing the misery of fishing around for a credit card, you put your phone up to a transponder and touch the screen, and your transaction is complete.

It’s a dangerous business to bet against Apple’s ability to make a product that you didn’t think you needed as part of your daily life. But “Apple Pay” looks as if it may be one of those offerings that don’t live up to the company’s hype. It would seem that in Mr. Cook’s mind, the current process of a retail transaction is something actually resembling the series of horrors described above. The core challenge Apple faces is that buying things with a credit card isn’t nearly as onerous a process as they make it out to be.

Mr. Cook showed a video at the product rollout of a woman burrowing in her purse for a credit card, navigating past a box of Tic Tacs — Tic Tacs! — and struggling to open her wallet in order to find her card, then being asked to show her driver’s license before completing the transaction. It had a lot in common, actually, with those infomercials in which actors manage to horribly bungle the most basic tasks until some new product solves a nonproblem.

Apple Pay does appear to be more secure than plastic credit cards. As Mr. Cook pointed out in the presentation, a credit card reveals all the necessary information for a thief to exploit and go on a shopping spree, whereas Apple Pay requires the purchaser’s fingerprint to run a charge. The only problem from Apple Pay: The costs of fraud are borne by credit card issuers, and sometimes retailers themselves. Just ask Target, and now Home Depot, both of which have faced huge data breaches and are paying the price.

So you can see how banks and retailers will be enthusiastic about switching to a more secure way of paying. Indeed, Apple has already lined up giant banks — including Bank of America, Chase and Wells Fargo — and giant retailers, including McDonald’s, Walgreens and Macy’s, to use the service.

Times technology columnist Molly Wood says consumers may see a rise in the use of mobile payments now that the iPhone has a chip that will work at tap-to-pay payment terminals. So Apple Pay certainly has the potential to revolutionize how people buy goods. But security chips widely in use in Europe are gradually becoming available in American credit cards. The recent breaches are only making that process more urgent for card issuers.

But the bigger question for Apple Pay is whether consumers find it handy enough to convert from credit and debit cards.

So why do many merchants refuse to accept cards?

Credit and debit cards are nearly as common as cash. Nearly everyone in the USA has at least one in their wallet, including business owners. But data from Intuit shows that 55 percent of the nation’s 27 million small businesses do not accept credit cards.

According to a recent infographic from Community Merchants USA, an educational nonprofit project of the electronic payments industry, 66 percent of all point-of-sales (POS) transactions are done with plastic – credit, debit, or gift cards. That is a lot of sales for millions of businesses to miss out on. Only 27 percent of purchases are made with cash. In fact, they estimate that cash sales will drop to only 23% by 2017.

Technology is making it easier for any business to accept and manage credit card transactions. Gone are the days of complicated machinery via dedicated dialup lines. Paypal, Square, Intuit’s GoPayment, WePay, and a host of others are making it simple and relatively affordable to accept cards.

So why do many merchants refuse to accept cards? The common reason is the fees, but with $127 billion being added to the economy between 2008 and 2012 through card usage, most merchants are starting to pay attention to accepting credit cards.

I was in Staples, the office supply store, and walked by a kiosk that had both a PayPal credit card reader and a Square credit card reader for sale in the store. I don’t remember it being so accessible and so easy to add point of sales equipment to your business. Granted, this is not high-end point of sales equipment but a simple credit card reader, nonetheless it is easier and easier for any merchant to add technology to their business.

In another survey conducted by WePay, which offers an online payment mechanism to accept credit cards (not dramatically different from Paypal), it found that 58 percent of small businesses are regularly asked by their customers to accept credit cards. So that tells me that many are still missing out on potential revenue by accepting credit cards. Sure, there are fees, but you can account for it in your pricing.

The benefits of accepting credit and debit cards far outweigh the cost. The various studies show that when people are given more payment options (beyond cash); they are more likely to make impulse purchases, join loyalty programs, and spend more per purchase – and that can only help your business to grow.

Largest Hacking and Data Breach Scheme Ever to be Prosecuted in the United States

Indictments were announced last Thursday in a case that U.S. Attorney Paul Fishman called “the largest hacking and data breach scheme ever prosecuted in the United States.” The group of hackers managed to amass more than 160 million credit and debit card numbers, Fishman said in a statement. According to the indictments, the group was selling the card numbers to “dumps resellers,” who then sold them to individuals and companies.

The hackers indicted last week were originally part of the crime ring led by Albert Gonzalez, of  Heartland Payment Systems breach fame.  Gonzalez was arrested back in 2008, and is now serving a twenty year sentence in prison, while these five continued their data “acquisitions”.

The purchasers of the data, or “the cashers” as they are referred to, used the information by encoding it into blank plastic cards.  In the case of debit cards, they withdrew money from ATMs; credit cards were duplicated and used to make purchases.

“Financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to identity theft victims,” the indictment states. The companies targeted include the NASDAQ, Visa Inc., 7-Eleven Inc., Global Payment Systems Inc., the Belgium bank Dexia Bank Belgium, as well as Carrefour SA (CA), France’s biggest retailer, and Citibank.

Several companies were victims of a Structured Query Language, (SQL), injection attack.  SQL is a programming code that connects online databases, including those containing credit card data, to the portion of websites that visitors see.  Hackers can “inject” code to access the database if website owners fail to put up safeguards, such as preventing certain characters from being inserted into forms.  In the NASDAQ hack, attackers exploited a feature designed to help legitimate users recall forgotten passwords. In Citibank’s case, hackers were able to circumvent a safeguard that limited users to three tries a day. In 2008, they entered 300,000 of the 900,000 customer accounts they tried to breach through Citibank’s website, stealing $3.6 million from those accounts, the indictment said.

“This type of crime is the cutting edge,” Fishman said in a press release. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.”

Electronic Payment Card Settlement

In the last few months, many businesses should have received letters regarding the large settlement reached in the long-running lawsuit over the interchange rates that Visa and Mastercard have charged businesses and non-profits in the past. Any person, business or other entity that accepted Visa or MasterCard credit or debit cards in the U.S. at any time between January 1, 2004 and November 28, 2012 may be eligible to receive a payment from the $6.05 billion settlement fund.

Under the terms of the settlement, local businesses will be able to collect money from the credit card companies based on past credit card transactions. If you ignored the letter in the mail, it’s not too late to register your business for your share of the settlement money.

This is an opportunity to recoup the money that is owed to you from credit card fees. The more you have paid in fees since 2004, the larger your settlement could be. The amount paid from the Cash Settlement Fund will be based on actual or estimated interchange fees attributable to Visa and MasterCard transactions from January 1, 2004 through November 28, 2012.

You can learn more about the settlement and preregister for reimbursement at the court authorized website –

This is the only website with court authorized information about the settlement. The Judge on this case recently required some groups to change the misleading language on their sites –

Here is some of the media coverage regarding the outreach efforts underway in other parts of California to help businesses recover fees:

In San Diego –

In Santa Barbara –

Please contact Aaron or Stefeni if you have any questions – 415-824-0582 or or

For more information, please see the FAQ section of the court approved settlement website:

All Merchants Have to Comply with EMV

Don’t succumb to complacency; become EMV compliant today! Make sure you are informed and prepared with EMV-capable point-of-sale devices to protect against counterfeit-card fraud.

The October 2015 liability shift set by the major card networks to implement the Europay-MasterCard-Visa (EMV) chip card standard will leave unprepared merchants vulnerable to counterfeit fraud for the first time. Merchants that have not installed EMV-capable point-of-sale terminals within the next three years will assume liability for counterfeit-card transactions conducted in their stores.

Acquirers that sell EMV to small merchants will not have an easy task. It is important to stress that this deadline is real and is coming quickly. Even if a merchant’s acquirer isn’t yet ready to process EMV transactions, the merchant can install the equipment now and then be ready to download the EMV application software to the existing device.

Let VeriFone be your guide and partner with us during this transition. We have years of experience helping thousands convert to EMV worldwide and offer an unmatched line of EMV-compliant hardware and software – as well as training and support – to deliver complete solutions for meeting migration plans.

The newest EMV contact and contactless-complaint solution is the VX 805 PIN pad. This powerful, fast PIN pad provides everything needed to securely accept payments and other transactions, with the agility to quickly embrace future technological change, including NFC, mobile commerce and EMV.  It also offers the latest security protections – including full compliance with PCI PTS 3.0 – plus EMV Level 1 and 2 Type Approval.

Click here to find out more about VeriFone’s EMV-compliant hardware and software solutions.

Source: Oct. 3, 2012. 

The State of EMV Smartcards in the U.S.?

EMV smartcards are the card standard in Europe, many countries in Asia and most recently in Canada. U.S. issuers have been reluctant to adopt the technology. But now, the prospect of widespread adoption of smart cards in the US is finally gaining some traction, indicating a desire to offer the greater security of smart cards and align itself with the rest of the world. Most recently, MasterCard Worldwide unveiled its EMV roadmap, five months after Visa, Inc. announced their guidelines and deadlines. A handful of U.S. issuers are piloting EMV chip cards, albeit to very select group of customers. Large retailers, most notably Wal-Mart, which pushed for EMV conversion two years ago, are supporting the effort.

Since many view the growing fraud dangers as the weakest link in the U.S. payments chain, the impetus to move EMV along could only grow stronger.

But many questions remain.
•Are the compliance dates from the major networks realistic?

•MasterCard’s plan explicitly states that the party–the issuer or merchant–offering the least secure method would be held liable for a fraudulent transaction. A liability shift by Visa and MasterCard has worked elsewhere in the world. Will it work in the US?

•Will there be any interchange rate relief? Will the Fed consider the cost in its bi-annual review of Durbin pricing for debit cards?

•Large merchants may be behind the conversion, but will smaller merchants follow? Can the smaller merchants afford the technology upgrade?

•Are there other technology enhancements (like NFC) that , if included, might strengthen EMV’s value to merchants, issuers and consumers?

•Will the move to the EMV standard at the POS speed-up or slow down the adoption of mobile payments?

•How will the EMV standard impact the growth of prepaid?

Stay tuned on this one…

VeriFone Perspectives on EMV in the U.S.

MasterCard’s announced roadmap for EMV adoption in the U.S., with Visa’s similar initiative last August, signals that the U.S. is embarked inevitably on a path to embrace the global standard for authenticating credit and debit card transactions and further reduce the potential for fraud.

VeriFone welcomes these clear directives from the two leading card brands. VeriFone’s expertise in implementing EMV compliant payment systems around the world provides assurance to U.S. merchants, processors and acquirers that a speedy and successful migration is possible.

With the coming shift in liability for fraud costs, and in light of growing evidence that card fraud is increasingly migrating to non-EMV countries, VeriFone encourages earliest adoption of this critical payment technology to assist in building a complete defense against criminal elements.

EMV’s authentication technology ensures stronger security of the payment system and better protection of consumer data. Both MasterCard and Visa are encouraging adoption by offering economic incentives that effectively lower the overall costs of PCI compliance.

VeriFone endorses adoption of the most secure option – EMV Chip & PIN – so that merchants, acquirers and processors place themselves at the most advantageous position in the liability hierarchy articulated by MasterCard, and therefore achieve maximum protection.

As MasterCard points out, when used with EMV payment acceptance devices, EMV cards can be instantly authenticated through a process called dynamic authentication and “when used with a PIN (Personal Identification Number), the chip verifies that the consumer is indeed holding his or her own device.” The Merchant Advisory Group (MAG), a cross-industry association of large merchants involved in the payments industry, has also endorsed Chip & PIN for U.S. electronic payments.

A recent Federal Reserve article “Retail Payments Risk Forum Working Paper” pointed out that “Transactions conducted with EMV chip-embedded cards that use PIN verification are more secure than transactions conducted using magnetic stripe technology.”

The Federal Reserve paper also asserts that markets that have migrated or are in the process of migrating to EMV chip-and-PIN have seen a significant decrease in fraud, while “overall fraud levels in the United States are trending upward.”

To date, VeriFone has shipped millions of EMV payment acceptance devices globally and provides a comprehensive portfolio of services and software to implement EMV. VeriFone supports these important initiatives and our experience delivering EMV solutions internationally ensures a smooth path to adoption in advance of upcoming deadlines.

PC viruses are mostly your fault, Microsoft says


If your PC is riddled with infections, they probably came in through files you installed yourself.

If your computer is infected, it’s probably because of something you did, according to a Microsoft study released this week.

In its semi-annual Security Intelligence Report, the software giant found that the largest group of malware attacks on its Windows operating systems — 44.8% — occurred because of some kind of action taken by the computer’s operator. It may have been as simple as clicking a link or downloading an infected file, but a human was the culprit.

But let’s not be too hard on ourselves — we were most likely duped into doing it. According to Microsoft’s report, one of malicious software’s primary entry mechanisms is through phishing schemes.

Phishing schemes come in many forms. Often they are spam e-mails sent to thousands and sometimes millions of recipients, typically with the intention of getting the user to click on and open an infected file. They can be very rudimentary or incredibly sophisticated, depending on the skill of the attacker.

They’re also hard to escape: Most of the e-mail messages sent over the Internet are unwanted, Microsoft said. It can also be difficult to discern phishing scams from wanted e-mails. Overall, 47.8% of phishing attacks sent in the first half of this year posed as legitimate e-mails from social networks like Facebook, according to the report. Banks and other financial institutions were also popular camouflage for bait e-mails.

0:00 / 2:46 Phishing made simple

When malware, or malicious code, is installed as a result of a clicked-on link or downloaded file, it can give hackers any number of capabilities, including complete control of an infected computer. If a computer infected with malware is connected to a network, attackers can often access other connected systems and servers.

Since humans are behind such a large chunk of computer infections, Microsoft suggested that security professionals rethink the way they approach security.

“IT professionals are accustomed to thinking about the technical aspects of security; however, as this report has shown, the human element has become just as important for attackers as the technical element, if not more so,” the report’s authors wrote.

“By implementing effective technical safeguards, programs, and processes designed to defend against social engineering, you can help your users avoid being taken advantage of by attackers,” they continued.

How they hack you

Of course, the technical side of security remains important. Microsoft reported that 43.2% of PC attacks were automatically installed by taking advantage of Microsoft Windows’ AutoRun function in the XP and Vista versions of the operating system, which automatically executes certain files and programs. As a result, Microsoft in February released an update to make the AutoRun feature more secure. Windows 7 already had the more secure AutoRun feature set up as its default option.

About 6% of attacks on Windows PCs were attributed to other kinds of exploits — malicious codes that attempt to take advantage of known vulnerabilities in applications or operating systems.

Exploits of Oracle’s (Java software, which runs rich applications on the Web, was responsible for between 33% and 50% of all exploits during each of the past four quarters, Microsoft said. Nearly all document exploits this year targeted Adobe Acrobat and Reader.

Despite alarm bells and widespread coverage in the media, only about 0.1% of successful attacks were from so-called “zero-day” exploits. Zero-day exploits are attacks on a newly discovered security problem in an application or software, which the vendor had not had time to patch before the attack.

Those attacks, while extremely rare, capture a lot of attention because they’re theoretically impossible to defend against, leaving consumers and security professionals at the mercy of attackers.

Though zero-day exploits “continue to capture the imagination,” Microsoft found that those fears are mostly misplaced. The vast majority of zero-day vulnerabilities are immediately patched once discovered and are never exploited.

Newer protections baked into the Windows operating system can also help mitigate attacks.

The newer the version of Windows you have, the less likely it is to get infected. About 1% of computers running Windows XP were found to have infections, according to Microsoft. That dropped off to roughly 0.5% with the latest Windows Vista software and just 0.15% of machines running the latest Windows 7 version.