The Extortionists Behind Ransomware Are Demanding Dramatically Higher Sums

Phishing attacks, typically launched via email, were the vector in 30% of cases, with software weaknesses accounting for the remainder. For the fourth quarter, the number of unique phishing reports received by the Anti-Phishing Group, a cross-industry research organization, totaled 239,910, down from 264,483. But the reason for the drop, says the APWG in its latest quarterly report, is that it’s getting harder to detect phishing sites “because phishers are obfuscating phishing URLs with multiple redirections.”

Financial-services firms sustained 3.4% of ransomware attacks in the first quarter, according to the Coveware data, while retailers were victimized in 5.2% of cases and consumer services in 6%. The biggest victims were professional-services firms (22.4%) and companies offering software services (17.2%).

But even if victims pay up, they don’t always recover their data. The Coveware report indicates that the decryption key received after sending the ransom failed in 4% of cases. “Files and servers can be damaged during or after the encryption process and this can affect data-recovery rates even when a decryptor tool is delivered,” the report says.

Also, even if the tool works, firms don’t always get all of their data back. Recovery averaged 93% in the quarter, according to the report, which notes, “sometimes the decryption tools are simply prone to error.”

Of course, firms can always protect against ransomware attacks by backing up their data. But, depending on how much data must be copied and on how many servers, it sometimes turns out to be cheaper to pay the ransom, experts caution.

Five Firms Hit by ‘Crypto-Sweep’ in Alabama as Regulators Step up Operation

Cease and desist letters have been sent to five crypto companies operating in Alabama, as part of the ongoing “Operation Crypto-Sweep.” The campaign, led by the North American Securities Administrators Association, is targeting ICO projects and blockchain startups suspected of fraudulent activities and violations of existing securities laws. Actions have been taken already by NASAA members in a number of states and provinces in North America.

Three LA-Based Companies Among the Targeted

The Alabama Security Commission (ASC) has recently taken enforcement actions in five investigations as part of “Operation Crypto-Sweep.” The international crackdown on fraudulent Initial Coin Offerings (ICOs) and crypto-related investment products is coordinated by the North American Securities Administrators Association (NASAA), a voluntary organization whose membership consists of 67 state, provincial, and territorial securities administrators in the US, Canada and Mexico, of which the ASC is also a member. The Commission has issued a total of five cease and desist orders “to protect Alabamians”, according to an official announcement.

The respondents are ICO organizations that have been targeting residents in more than one state. That’s why Alabama regulators have teamed up with their colleagues from Texas and New Jersey to go after the firms implicated in illegally soliciting investors. “Fraudulent activity involving ICOs and cryptocurrency-related investment products is a significant threat to Main Street investors in Alabama,” said ASC director Joseph Borg. The Commission is “committed to swiftly and effectively protecting investors from schemes and scams involving these products,” he added, noting that the measures taken are just the tip of the iceberg.

Cease and desist letters have been sent to three Los Angeles-based companies. Extrabit Ltd., a purported crypto mining operation, offered the project’s EXB token at half price through an ad, conducting, according to regulators, an illegal and unregistered securities offering. Potential investors were told they had to spend $20,000 in the presale and could expect the tokens within 48 hours. A 185 percent quarterly return was promised to those keeping a constant positive EXB balance. Returns were said to come from mining bitcoin, monero and zcash. The second firm from California, Leverage, has advertised itself as a crypto lending platform offering investors a variable daily interest rate. This case is again about an unlicensed security, the ASC said. Pool Trade is the third sanctioned company from LA.

Platinum Coin, another of the targeted crypto businesses, from Miami, Florida, has been caught offering investors an annual return of at least 320 percent. It has been issued a cease and desist order on the same grounds: conducting sales of unregistered securities and making unrealistic promises. The fifth recipient of a cease and desist letter is an entity that purports to conduct business as an Internet-based escrow company. According to the ASC announcement, Chain Group Escrow Service is based in Kirkland, Washington.

Regulators Across North America Join “Crypto-Sweep”

Regulatory authorities in other states have also taken similar actions against dubious crypto businesses. The blockchain firm Shipchain, an operator of an Ethereum-based logistics platform, has received a cease and desist order from the Office of the Attorney General of South Carolina. The startup has been trying to sell its Shipcoin tokens without proper registration in the state, advertising its project to local investors. The state’s legislation treats investment contracts as securities, so the tokens should have been registered as such. A permanent cease and desist order has been delivered to a company in neighboring North Carolina, Power Mining Pool. Another firm, Adosia LLC, has received a consent order in the state.


According to NASAA’s website, cease and desist orders and letters have been sent so far to crypto and blockchain businesses in the following states: Missouri, Texas, Colorado, Maryland, New Jersey, and Ohio, as well as in the Canadian provinces of Quebec, British Columbia and New Brunswick.

“Operation Crypto-Sweep” is coordinated by NASAA which has united the efforts of more than 40 state and provincial securities regulators in the US and Canada for a series of investigations into ICOs and crypto-related investment products. There have been more than 70 inquiries and investigations so far, as well as 35 pending or completed enforcement actions since the beginning of May. The campaign was recently applauded by the chairman of the US Securities and Exchange Commission (SEC), Jay Clayton, as reported.

Developers Work To Combine NFC With Blockchain for POS Transactions

So far, neither near-field communication nor blockchain has been a blockbuster technology for payments in the U.S. market, but now developers are working on combining the two in a way they hope will give cryptocurrencies a big boost at the point of sale.


The idea is to create a standard for a new protocol called the Lightning Network that would allow consumers to make a tap-and-go payment with Bitcoin or another digital currency, just as they might with a contactless card or with Apple Pay.


Lightning, which has been in development since 2015, is the fruit of an effort to vastly expand the processing capacity for cryptocurrencies by taking much of the activity off the blockchain. The network then broadcasts to the blockchain only when a transaction is finalized. Indeed, estimates are that the network could handle, in theory, millions of transactions per second. Currently, traffic logjams have plagued currencies like Bitcoin, moving some major merchants and processors like Valve Corp. and Stripe to stop accepting Bitcoin.
With the first version of Lightning going live late last month, a developer has proposed combining the system with NFC to make digital currencies more practical at the point of sale. The developer, Igor Cota, says in an online post that he has succeeded with an NFC experiment that links both a mobile device and a contactless terminal to the Lightning network and to each other. “I feel that one of the biggest promises of Lightning lies in it being used for everyday retail payments,” says Cota in his post.


One problem with this approach is that the adoption of contactless payments, even with chip cards, has been spotty in the United States, though it has met with much more success in Europe. Visa estimates that less than 1% of payments on its network so far are contactless. That could change soon as the card network is gearing up to push NFC in the American market.
NFC is a sophisticated protocol that allows cards or mobile devices to link via radio waves to specially equipped terminals in the blink of an eye, vastly speeding up transactions. A competing protocol that relies on quick-response codes has met with success in China and other markets, but Cota in his post calls QR codes “a bit unwieldy,” particularly in instances where consumers are buying a good many items, say, in a grocery run. “This relatively large amount of data makes them impractical to scan,” he argues.


Payments providers that have been early proponents of Bitcoin, Ether, Litecoin, and other digital currencies applaud the move to incorporate NFC and Lightning for POS transactions. “I think it’s great,” says Eric Brown, chief executive of Aliant Payment Systems Inc., a Fort Lauderdale-based independent sales organization. “Crypto processing has made another step into mass adoption utilizing the NFC technology the credit card companies use to initiate digital wallet transactions.”


Aliant has been working with a Canadian processor called NetCents Systems Ltd. to sign merchants for cryptocurrency acceptance.

The security of pretty much every computer on the planet has just gotten a lot worse

(CNN) The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which, of course, is not a solution — is to throw them all away and buy new ones that may be available in a few years.
On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15 to 20 years. They’ve been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.
This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Exactly how, we don’t know yet.
Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling.
Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.
“Throw it away and buy a new one” is terrible security advice, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.
The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices.
We’re already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can’t be fixed.
The second is that some of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors.
But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.
The final reason is the nature of these vulnerabilities themselves. These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors.
Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown.
There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method among many. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites, patch your systems immediately, and generally be careful on the Internet.
You probably won’t notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don’t do all of these fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.
It’s a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they’ll figure out some clever way of detecting and blocking the attacks.
But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.

Biometrics Scare Sends a Reminder About the Need for Thorough Data Protection

What appears to be only a scare about a breach of fingerprint data from a kiosk deployer is sending a reminder to the payments industry that biometrics are no panacea for data-security problems.

“Any security system is not 100% bulletproof,” says David Lott, payments risk expert at the Federal Reserve Bank of Atlanta. “Anything can be penetrated. You have to take very strong steps to protect that data.”
The scare came late last week when Tukwila, Wash.-based Avanti Markets Inc., a deployer of payment card-accepting kiosks that dispense food and snacks in company break rooms, disclosed that malware compromised an undisclosed number of its kiosks. Some of the compromised machines were provisioned with fingerprint readers that enable cashless payments through Avanti’s Market Card, a payment and loyalty service that includes a mobile app. The malware may have captured Market Card users’ fingerprint data as well as names and email addresses, Avanti said in a notice on its Web site late last week.

The KrebsOnSecurity news service reported that many of the kiosks did not use point-to-point data encryption. Later, however, Avanti updated a notice on its Web site to confirm that the biometric data were protected.
“In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” the notice says. “We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data, and as such this biometric data would not be subject to this incident as it is encrypted.”

The company did not make a spokesperson available to Digital Transactions News for further comment.
Avanti Markets, which claims 1.6 million customers, said the breach affected about 1,900 kiosks. The malware, which the company believes got into its system shortly before July 4 through a workstation belonging to a third-party vendor and became active July 2, may have captured cardholder names, account numbers, and expiration dates of the payment cards used by employees who weren’t paying with cash or the Market Card. Avanti turned off the cashless-payment functions on the compromised machines soon after discovering the breach on July 4.
Avanti said it worked with the vendor to remove the malware within hours of discovering the attack. The company is working with a forensics investigator to investigate the attack, the perpetrators of which aren’t yet known. Avanti Markets in May began working with its partner operators to provision all of its kiosks with point-to-point encryption technology, a project that as of last week was about half done.

Lott of the Atlanta Fed, who moderated a panel about biometrics at a recent payment-industry conference, notes that biometric technologies convert fingerprints, voice patterns, irises, and other physical attributes into data, which means where and how that data are stored is highly important. For example, Apple Inc.’s iPhone stores fingerprint data on the phone’s secure element, which means a compromise of one phone is limited to that device, whereas systems that store biometric data in central databases could be the source of widespread damage if hacked.
“If they compromise a central database … they could compromise thousands, millions of records,” Lott says.
Security experts say biometrics are most effective as part of a so-called layered security approach that includes other data protections. Rather than relying on physical attributes, some companies are rolling out so-called passive biometric systems that record consumers’ physical motions and usage patterns of payment-originating mobile phones and computers.

Al Pascual, senior vice president and research director at Pleasanton, Calif.-based Javelin Strategy & Research, says it is not surprising that fraudsters are interested as usage of biometrics increases. The Avanti incident is the kind of event “that the industry needs to learn from before biometrics are even more broadly deployed,” Pascual says by email. “If true, it is fortunate that the biometric data is encrypted, but there are undoubtedly a wealth of systems where biometric data is co-located in the clear with other data of value” such as payment information and customer personal identifying information.

“If this type of data was consistently compromised, then it would diminish consumers’ perception of the security value of biometrics,” says Pascual.

COMMENTARY: A Look at the Top 4 Security Trends for 2017 in the Payments Industry

After years of card-data breaches and other bad news, four very encouraging trends are emerging that bode well for better security. Here’s a quick look at all four:

Integrators are taking the QIR program seriously. When the PCI Security Standards Council and Visa Inc. initially released the Qualified Integrator and Reseller (QIR) certification program in 2015, it was welcomed with little to no enthusiasm. Many thought the short timeline for QIR certification was unfair; most did not take it seriously. The initial due date overlapped with the EMV liability shift, and resources were strained just to keep up with EMV certifications.

In fact, only 73 companies completed and passed the QIR program in 2015 with the original due date of Jan. 1, 2016. The PCI Council and Visa took quick notice and moved the due date to Jan. 31, 2017, when, under Visa rules, acquirers had to begin using only QIRs for integration work with small merchants.

In 2016, with the help of associations such as the Retail Service Providers Association (RSPA), which helped promote QIR awareness, and companies such as Vantiv Inc., which helped sponsor QIR certifications, many more companies jumped on the QIR bandwagon. In fact, 233 U.S. companies received their QIR certification in 2016.

This trend is continuing to grow. Another 51 companies have passed their certification so far in 2017, and the number of companies passing this certification is expected to rise in the coming years, which is good news since it doesn’t look like PCI will extend the due date again. However, with an estimated 5,000 ISVs and VARs in the U.S. alone, there is still a long way to go.

More payment solutions are seeking P2PE validation. When the PCI Point-to-Point Encryption (P2PE) certification requirements were first released three years ago, the process was very costly and somewhat ambiguous. This is probably why, until recently, only a few companies in the U.S. pursued and completed their PCI P2PE validation.

A little over a year ago, the PCI Council released its new certification requirements with more transparent rules. It also allowed companies to certify only the individual components of the P2PE chain in which they participate. For example, key-injection facilities (KIFs) are allowed to obtain certification for the key-injection, key-management, and device-tracking services required by PCI for a P2PE-validated solution. One such company to explore this was ScanSource, which, having been part of one of the initial validated solutions in the U.S., completed its PCI validation in January as a standalone PCI P2PE-validated KIF. This allows any gateway to use ScanSource’s key-injection services.

The demand for a PCI-certified P2PE solution is also on the rise. Since merchants can’t be out of scope or obtain reduced scope status without a PCI-validated solution for credit card processing, more merchants are putting the PCI validation in their requests for proposals to reduce the risks and costs of compliance associated with having credit card data in their network. For these reasons, more payment providers will pursue their P2PE certification in 2017, keeping qualified security assessors in heavy demand.

EMV certifications are faster and more robust. In 2015, EMV certifications came at a snail’s pace, and most were not released until after the liability shift due date. The few that were released were basic, excluded debit support, and only included one processor. Some of the EMV upgrades even broke the transaction process and had to be turned off shortly after being implemented.

Now that the initial certifications are complete and everyone has been trained on how to get EMV-certified, we are seeing more merchants with EMV fully deployed.

The EMV solutions are also more complex now, including debit, near-field communication, and a shorter transaction time, as well as being available for more intricate environments, such as pay at the table and health care. Certified solutions are being released much faster because of changes made around “faster EMV” and Visa’s allowing acquirers to self-certify their merchants’ solutions. This increased pace for EMV-certified solutions will continue well into 2019 now that many have figured out the EMV puzzle that until recently plagued the payment industry.

End users are willing to pay for security. Data breaches, credit card fraud, and cyber attacks are the new normal. Gone is the shock that we felt when we first heard of the TJX Cos. Inc. and Target Corp. breaches. Every other day, we hear of yet another breach, shrug our shoulders and move along. These days, it isn’t about if a merchant will be breached but a matter of when. For that reason, there are more and more services that help meet PCI compliance.

Many resellers have developed a software-as-a-service solution for PCI services for things such as patch management, antivirus monitoring, password management, and terminal management. Merchants are willing to outsource these services instead of developing and maintaining the tools to stay in PCI compliance. Additionally, merchants are also willing to invest in PCI security in order to protect themselves. In many cases, merchants are even electing to outsource these services as an added layer of protection.

US to Hand Over Control of the Internet ‘Address Book’ to ICANN

A tiny branch of the U.S. Commerce Department is preparing to hand over control of the Internet’s “address book”—the highest level of the Domain Name System, or DNS—to the Internet Corp. for Assigned Names and Numbers, a Los Angeles-based international nonprofit, effective Oct. 1, Ars Technica reports.
Republican lawmakers have tried to block the move, with the attorneys general for Arizona, Oklahoma, Nevada and Texas filing a lawsuit in a Texas federal court Wednesday, according to Politico.
The lawsuit contends that the transition amounts to the illegal giveaway of U.S. government property. The plaintiffs also fear that ICANN could prohibit speech on the Internet and revoke the U.S. government’s exclusive use of .gov and .mil domains.
Republican presidential candidate Donald Trump’s campaign weighed in on the issue, according to Ars Technica:
The Republicans in Congress are admirably leading a fight to save the Internet this week, and need all the help the American people can give them to be successful. Congress needs to act, or Internet freedom will be lost for good, since there will be no way to make it great again once it is lost.
Ars Technica also reports comments that Sen. Ted Cruz (R-Texas) made in a recent speech on the Senate floor:
Today our country faces a threat to the Internet as we know it. … If Congress fails to act, the Obama administration intends to give away the Internet to an international body akin to the United Nations. I rise today to discuss the significant, irreparable damage this proposed Internet giveaway could wreak not only on our nation but on free speech across the world.
ICANN says that these assertions by Republicans are unfounded.
“The US government has never, and has never had the ability to, set the direction of the (ICANN) community’s policy development work based on First Amendment ideas,” ICANN said in a statement, as reported by Ars Technica. “Yet that is exactly what Senator Cruz is suggesting. The US government has no decreased role. Other governments have no increased role. There is simply no change to governmental involvement in policy development work in ICANN.”
The change has been characterized as a symbolic takeover. The only thing that changes, according to Ars Technica, is that the U.S. will not have oversight over a contract between ICANN and Virginia-based company Verisign over the maintenance of the Internet’s global DNS.
Facebook, Google and Twitter are some of the bigger tech companies that back the change, according to Ars Technica. They say it is imperative that Congress not block it.

‘Digital ID’ Is the Solution for EMV’s Online Blind Spot

In order to successfully and scalably combat card-related fraud and digital payments hacking, organizations need to rely less on standards like EMV and PAN/PRN, and recognize today’s currency is no longer just about money.

Instead, digital identity has emerged as a new form of currency, and it requires protection too.

Counterfeit fraud, card-not-present fraud, fraudulent applications, card-not-received fraud, and lost and stolen fraud have all contributed to the digital payments fraud so many U.S. organizations and consumers are experiencing.

Additionally, hackers have become adept at compromising user account data, rendering protective tactics like PAN (i.e. the personal account number or the 16 digit number on credit cards) and PRN (i.e. the provisional receipt number or a unique 15-digit token) nearly useless.

What is digital identity? Previously, money was transacted via highly tangible items such as coins, symbols or even farm animals. But in the 21st century, money has become increasingly digital. The way people interact online directly affects their digital reputation, and that resulting digital identity gives people access to their bank account, allows them to apply for peer-to-peer loans, and enables them to participate in our shared economy.

A helpful way to consider digital identity is to think of it as the bridge between physical identities and online user identities. Digital identities are unique and impossible to fake, as they leverage the infinite number of connections users create when they transact online, so they work well to ensure legitimate users are recognized and provided with seamless online experiences. At the same time, digital identities can help accurately detect fraudsters using stolen or spoofed identities before the fraudulent transaction is processed.

In order to facilitate advanced fraud protection and accurately authenticate valid users, organizations need to capture and fully understand the complete digital makeup of each of their individual users. There are a variety of unique data points that make up a user’s digital DNA, including the following five elements:

User Credentials: This includes any/all associations between an individual’s accounts and email addresses with anonymized, non-regulated, personal information. This data might include user names and telephone numbers, or even more advanced intelligence relating to devices, locations and online behavior.

Trust Tags: Trust tags are digital labels that can be applied to various combinations of entities within a user’s persona to indicate their trustworthiness. Trust can be associated dynamically with any combination of online attributes such as devices, email addresses, or card numbers, allowing for trusted users to be quickly recognized.

Persona ID: This element captures connected entities such as email addresses, transactions, accounts, devices, IP addresses, geolocations, proxies, and physical addresses relating to an individual.

Links and Associations: Leveraging persona IDs, organizations can benefit from real-time linkage of a current transaction to related transactions through a matrix of attributes associated with the user, device and connection.

Behavioral Biometrics: Behavioral biometrics evaluate current user and device interactions, and compare that information to historical user and device interactions and to known bad behaviors.

The reality of today’s business landscape is that all customers are digital, and unfortunately it’s becoming harder and harder to verify the authenticity of these valued, online customers. Organizations are growing more adept at adapting their business to a more online-centric user experience, but in terms of preventing digital payments fraud, the majority remain focused on the wrong problem.

Much of digital payments security focuses on protecting networks and devices, but those controls do little against an attacker who is already presenting a legitimate customer’s stolen credentials. Organizations should instead spend their resources on the digital identities that attackers may already have stolen. By stitching together verified customer data points such as location, payment details, websites visited, login credentials and typical transaction behavior, organizations can identify and transact with legitimate users more effectively, and at the same time block fraudulent use in real time.
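To make the five elements above concrete, here is an added example, written for this page and not the code of any vendor or of the organizations quoted, that stitches them together in one scoring pass: transaction attributes become typed entities (credentials), entities that co-occur on a transaction are linked into a graph, the connected component reachable from a new transaction is its persona ID, entities seen on a chargeback carry a sticky “fraud” trust tag, and the amount is compared against the persona’s own history as a crude behavioral check. The transaction history, field names, the z-score threshold and the three decisions (accept, step_up, review) are all assumptions made for the illustration.

```python
"""Persona linkage and trust-tag scoring over a constructed transaction history.

Added example (not vendor code). All records, field names and thresholds below
are assumptions chosen to illustrate the five elements described in the text.
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed history. Entity keys are (type, value) so an IP string and an
# email string can never collide in the graph.
HISTORY = [
    {"id": "t1", "email": "ann@example.com", "device": "dev-A", "ip": "203.0.113.5",
     "card": "4111-1", "amount": 42.0, "outcome": "ok"},
    {"id": "t2", "email": "ann@example.com", "device": "dev-A", "ip": "203.0.113.9",
     "card": "4111-1", "amount": 55.0, "outcome": "ok"},
    {"id": "t3", "email": "ann@example.com", "device": "dev-A", "ip": "203.0.113.5",
     "card": "4111-1", "amount": 38.0, "outcome": "ok"},
    # A confirmed-fraud transaction from an unrelated persona that used dev-Z.
    {"id": "t4", "email": "mule@example.net", "device": "dev-Z", "ip": "198.51.100.7",
     "card": "5500-9", "amount": 900.0, "outcome": "chargeback"},
]
ENTITY_FIELDS = ("email", "device", "ip", "card")
Z_THRESHOLD = 3.0  # assumed: amounts more than 3 SD from the persona norm get reviewed


def entities(tx):
    """Entity keys present on a transaction (the credentials layer)."""
    return {(f, tx[f]) for f in ENTITY_FIELDS if tx.get(f)}


def build_graph(history):
    """Undirected entity graph: entities seen on the same transaction are linked."""
    adj = defaultdict(set)
    for tx in history:
        ents = entities(tx)
        for e in ents:
            adj[e].update(ents - {e})
    return adj


def persona(adj, seeds):
    """Persona ID: the connected component reachable from the seed entities (BFS)."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def trust_tags(history):
    """Trust tags: every entity on a chargeback is 'fraud' (sticky), others 'trusted'."""
    tags = {}
    for tx in history:
        label = "fraud" if tx["outcome"] == "chargeback" else "trusted"
        for e in entities(tx):
            if tags.get(e) != "fraud":  # a fraud tag is never downgraded
                tags[e] = label
    return tags


def behaviour_z(history, persona_ents, amount):
    """Z-score of the new amount against prior amounts of the same persona."""
    prior = [tx["amount"] for tx in history if entities(tx) & persona_ents]
    if len(prior) < 2:
        return None  # not enough history to compare against
    sd = pstdev(prior)
    return 0.0 if sd == 0 else (amount - mean(prior)) / sd


def score(tx, history=HISTORY):
    """Return (decision, reasons): 'review', 'accept' or 'step_up'."""
    adj, tags = build_graph(history), trust_tags(history)
    ents = entities(tx)
    p = persona(adj, ents)
    reasons = []
    # Links and associations: anything in the persona carrying a fraud tag.
    fraud_links = sorted(e for e in p if tags.get(e) == "fraud")
    if fraud_links:
        reasons.append(f"linked to fraud-tagged entities: {fraud_links}")
    # Behavioral comparison against the persona's own transaction history.
    z = behaviour_z(history, p, tx["amount"])
    if z is not None and abs(z) > Z_THRESHOLD:
        reasons.append(f"amount z-score {z:.1f} outside persona norm")
    if reasons:
        return "review", reasons
    # Trust tags on the entities presented directly: two or more means a
    # recognized returning user; fewer means an unknown persona to step up.
    trusted_direct = [e for e in ents if tags.get(e) == "trusted"]
    if len(trusted_direct) >= 2:
        return "accept", [f"recognized via {sorted(trusted_direct)}"]
    return "step_up", ["no trusted history for presented entities"]


if __name__ == "__main__":
    # Stolen card 4111-1 presented from the fraud-linked device dev-Z.
    print(score({"email": "ann@example.com", "device": "dev-Z",
                 "ip": "198.51.100.8", "card": "4111-1", "amount": 60.0}))
```

Note what the graph buys over a per-field blocklist: the stolen card in the usage call above is itself tagged trusted, and the IP is brand new, but the device links the transaction to a chargeback persona, so it is routed to review rather than accepted on the strength of the card alone. A new customer with no history is neither accepted nor blocked but stepped up, which is the point of separating “unknown” from “untrusted”.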

‘I Need Knowledge:’ Merchants Express Befuddlement About EMV, Breaches, System Issues

Merchants would like nothing more than to decipher what they call the “mysteries” of the payments universe, a select group of them told attendees Thursday at the Western States Acquirers Association conference in Scottsdale, Ariz.

These mysteries, they said, include knowing whom to call when a problem crops up, what to know about EMV chip cards, and how to protect their point-of-sale systems from hackers.

For merchants, much of the mystery is wrapped up in the problem of how to avoid juggling payments issues while also trying to manage a retail business. “We don’t want to think about it,” J. Brandon Maxwell, president and chief executive of M Culinary Concepts, a Phoenix-based catering business, said of payments. “We don’t want to be burdened by it.”

For Jim Buhr, chief financial officer and chief information officer at Bashas’ Supermarkets, a Chandler, Ariz.-based grocery chain, knowing what’s going on with payments is a constant attention getter. “If we’re down for an hour we can lose millions,” Buhr told attendees. The chain’s payment system did indeed fail for a few hours in August, costing the company $1 million in sales, some of which was not recoverable, Buhr said. Seventy percent of its overall transactions are made with credit, debit, or electronic benefits transfer cards.

When something like that happens, or when there is a breach, the merchants agreed they need someone to help them understand what happened and how it can be corrected.

For many merchants, such as Michelle Simpson, controller and chief financial officer at Thunderbirds Charities, a charitable organization that distributes funds raised by the Waste Management Phoenix Open golf tournament, the merchant-sales provider is the go-to resource. “We want to have the best experience for our customers,” Simpson said. “We have huge payments coming in the lead-up to the Open. When the Open hits, people want to instantly use their credit cards for $20.”

Buhr discovered which payments organizations could help him in the aftermath of a data breach that occurred a few years ago. “You don’t really find out who can help you until you have a breach,” he said. Contacting the card brands and processors Bashas’ Supermarkets used yielded little aid until a fraud expert at First Data Corp. guided him.

Merchants also are perplexed by the lack of a unified message about EMV adoption from the payments industry.

“The chip has always confused me,” Maxwell said. His business usually involves a contract covering a large upfront payment, and secondary payments in a workplace café. “I know where that person works,” he said, alluding to employees patronizing the café. “All I care about is the speed of transaction on that second type of transaction. If chip ever becomes the rule, it needs to become a hell of a lot faster.”

Others have been more proactive about chip enablement.

“I spent millions of dollars and I get chargebacks,” Buhr said. Bashas’ Supermarkets achieved 100% EMV enablement in July, and installed the terminals in 2014 while it waited for its payments vendors to be EMV-certified. “It’s very important that we work together,” he said. “I ask the industry to start with the retailer. He’s the guy who eats it all,” referring to the costs of implementing EMV.

“What is frightening is this chip business,” said Kerry Dunne, principal of R Entertainment, a Scottsdale, Ariz.-based event-production company. “We have to get our customers in and out in seconds,” he said. “One fear we have is chip takes so much longer to process.” Impatient consumers, especially when they’re at an entertainment event and just want to grab a beer and return to the event, won’t like waiting for a chip transaction, Dunne said.

He too admitted he knows little of how payments work, calling it a “mystery.” His advice for the payments industry is to do a better job educating merchants. “I need knowledge,” Dunne said.

Credit Card Surcharging Expected To Continue Despite Rejection of Interchange Settlement

“Visa is disappointed by the decision of the U.S. Court of Appeals for the Second Circuit,” a Visa spokesperson says in a statement. “We are reviewing the specifics of the ruling and will decide our next steps. Visa remains committed to working with retailers to grow their businesses and provide them with efficient and valuable payment options.”

Though MasterCard Inc. and Visa Inc. have their own rules for surcharging, generally the amounts are capped to actual acceptance costs, or 4%, whichever is lower. The rules also require consumer disclosure. Debit card surcharges are not permitted.

According to a person familiar with surcharging practices, no changes are anticipated, at least for Visa’s rules.

Others, too, expect that surcharging will remain in place.

“If anything, this upset is more likely to increase exposure to the existing petitions for the Supreme Court to hear this case, and eventually decide that surcharging should be legal everywhere,” says David Leppek, president of Transactions Services, an Omaha, Neb.-based payments provider.

The company offers a surcharging program for merchants in the 42 states that allow it, Leppek says. Certain merchant types are good candidates for it, including those that don’t accept payment cards because of costs and those that deal primarily with business-to-business transactions. Other prime candidates include providers of highly emotional purchases, those frustrated by payment-acceptance costs, and merchants selling high average-ticket items, which consumers are more likely to pay for with credit cards than with debit cards.

Leppek views the appeals court’s rejection of the settlement as resting on procedural issues pertaining to class-action lawsuits. “As a result, the card brands changed their rules and have no motivation to now change them back,” Leppek says.

At Berwyn, Pa.-based JetPay Corp., which late last year debuted its Limitless program that enables merchants to offer discounts to consumers who pay with cash, Peter Davidson, vice chairman, expects a similar outcome.

“Given the reasons why the settlement was overturned—that it was essentially being too lenient towards the card networks for the merchants in the later class—it should have no long-term impact on JetPay’s Limitless program,” Davidson says via an email. “We believe any future final settlement will incorporate the allowance for different prices for cards versus other payment forms.”

Others, however, are less than enthused about surcharging in general.

“The new ruling by the appeals court is a significant victory for merchants,” says Alex Nouri, president of EFT Direct, an Ann Arbor, Mich.-based payments provider. “I applaud the reversal. The 2012 settlement is effectively null and void. While it’s usually good to have a choice, surcharging should not have been one of the facets of the lawsuit because it would hurt merchants more than not. Consumers frown on having to pay for extras, let alone an added fee for using their credit card.”

Nouri says he would be surprised at a discontinuation of surcharging, but he argues nonetheless that the networks should ban the practice “because it never made practical sense and is being used by some merchants to increase their bottom line instead of counting it as a business expense.”

Nouri says the 4% cap often results in some unscrupulous independent sales organizations and agents setting the discount rate automatically at 4% and also charging “hefty” terminal-lease fees, “thereby guaranteeing themselves a huge windfall on the back of both merchants and consumers.”

Both Visa and MasterCard have online forms for consumers to complete if they suspect a merchant violation of the surcharging rules.

“There are limits on what we can do about proactive compliance with over 9 million merchants in the U.S. alone,” says a MasterCard spokesperson. “However one thing ensures an investigation: It’s receiving a complaint form from a cardholder who believes that he or she has been wrongly surcharged.”