Authorize.net is currently the largest payment gateway in the world. This is affecting millions of websites right now. To my knowledge this is the first major outage since the DDOS attack they suffered several years ago.

A casualty of this magnitude has the ability to permanently damage / destroy this company’s trust and reputation.

Phase V – July 1, 2010
Phase V mandates the use of payment applications that support PCI OSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as PA-DSS compliant.

Put this into perspective. There are currently millions of websites using paid and open source software for their online stores. Software like Oscommerce, Zen Cart, Magento, and others have millions of users. There are only 2, online store software packages that are PA-DSS compliant. If there is not a mass-movement to get software PA-DSS compliant in the next year, almost every single online store will be out of compliance and subject to fines, or being shut down. This is only a small part of the problem. There’s still thousands of retail businesses using older payment software and the cost of upgrading would be in the millions, assuming it’s even possible.

As written by Evan Schuman
“Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.”

Where the real mess begins…

There are currently about 40 companies certified to perform PA-DSS validation. The cost to certify a single payment application could be $100,000 or more if the application is extremely complicated. There is an additional “mandatory” yearly fee of $1250 just to be listed as a Validated Payment Application. Based on cost, and complexity, there’s not many shopping cart software providers that can come close to getting PA-DSS certified in the next year. Even then, that still leaves the open source solutions, which the majority of all ecommerce sites are using.

From Rick Wilson
“What about home grown and open source shopping cart solutions? What happens to them on July 1st, 2010. I asked this question to our auditor and his answer was telling, he said that “essentially if an application can’t be PA-DSS certified because it’s not developed by a single entity for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance”.

Level 1 certification is nearly as expensive as PA-DSS certification, so don’t expect any relief from if you’re using a custom or open source solution. They’ve truly left no way out this time…

In conclusion…

We’re about to experience a payment industry nightmare potentially having the ability to halt commerce as we know it. If you thought that the $20 per month fee from your processor was bad, you’ll really hate the $50,000 bill when you go to get level 1 certified. If Visa takes the hard-line stance that merchants not using PA-DSS certified software get shut down, it’s going to get really ugly. The current focus of the processing industry is on PCI-DSS compliance and a slew of new fees and charges related to it. But, in about a year, we’re going to see the true fallout of implementing ineffective regulations without foresight into what it actually takes to adopt them, or whether they actually do anything. The only thing we got out of the congressional hearing on PCI is that congress thinks it’s not enough, and merchants think it’s way too much.

Houston, we’re about to have a problem!

Related reading…
PA DSS in One Easy Lesson…Sort Of
PA DSS Is Remarkably Misunderstood
PA-DSS and Ecommerce Web Hosting

As always, please send any recommendations of websites that should be included. Please keep in mind that blogs and websites will only be added if they’re mostly objective. Many of the merchant account blogs out there are only for self-promotional purposes, and these will not be included in the search engine.

Equipment:
http://www.magtek.com/
http://www.apriva.com/
http://www.bluebamboo.com/
http://www.waysystems.com
http://www.dejavoosystems.com
http://www.hypercom.com/
http://www.verifone.com/
http://www.ingenico.com/
http://www.magtek.com/
http://www.chargeanywhere.com/
http://www.commerciant.com/

Blogs:
http://www.paysimple.com/blog
http://paymenttalk.blogspot.com/
http://www.glenbrook.com/
http://blog.bwplawyer.com/
http://googlecheckout.blogspot.com/
http://www.paymentsystemsblog.com/
http://www.amazonpaymentsblog.com/amazon_payments_blog/
http://www.andyorrock.com/
http://blog.elementps.com/element_payment_solutions/
https://www.thepaypalblog.com/
http://waytoohigh.wordpress.com/
http://pindebit.blogspot.com/
http://aneace.blogspot.com/
http://www.storefrontbacktalk.com/
http://www.merchant-account-services.org/blog/
http://digitaldebateblogs.typepad.com/digital_money/
http://www.creditcardsonline101.com/

Data Security:
http://pcidss.wordpress.com/
http://www.pcianswers.com/
http://www.askaboutpci.com/

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but will almost certainly reduce the quality of processing services to the small business in addition to a much greater overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by twisting the reality in what interchange is, who it goes to, why it’s charged, all by large corporations and angry merchants. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get setup processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange, will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Typically fraudsters look for times when business are most vulnerable, and when business picks up a lot, oversight is often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

Every time a credit card is reported as stolen, a huge amount of past data about that card is put into a big database. This database of pre-fraud activity is used in a large algorithm to look for similarities, which can signal the origination of stolen or lost credit card numbers. Since Visa and MasterCard have access to billions of transactions worth of information, they can screen for events that may signal that a business is losing card numbers.

If you were to greatly simplify this system and a map from it, it would look something like this:

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

Let’s assume there isn’t any conclusive evidence that cards were stolen from a single business. Issuers are also looking at the processor a business is using. If there is a common processor or processing network that many businesses are using, it could be a signal of a data breach on a processor level.

The similarity in this case is the processor that many of the businesses were using. This is basically how the Heartland breach was discovered. Unfortunately, the only companies that can see fraud like this are ones that have access to huge amounts of past card usage. Their computer systems basically load billions of pieces of data about transactions, the businesses that accepted a customer’s card, and the processors who processed them. When enough lines meet up at a single point, there’s a chance that something happened there. It really doesn’t matter where in the process of a transaction the lines all cross, just that they do cross.

Keep in mind that these diagrams are grossly simplified, think a billion times simplified. But, it’s easy to see that if you have the right data and know what to look for, fraud can be easy to spot.

This tells me that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good (IP blocking is a terrible way to prevent/stop malicious behavior).

Download the security alert »

Table 1, Search for these programs:
Filename	Purpose	MD5/SHA-1 Hash(s) or Registry Key
appsqlio.exe	Reverse shell tool	387cda6eb91f0b3a054de20c02320338
obsqlio.exe	SQL output redirector	f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe	Packed version of gsecdump	959523fc10584da9bfb31a524ff472aa
sn.exe	Packet sniffer	e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe	Packet sniffer	4724103b13e6ce832fbb2c08a419eac6
svclhost.exe	Network communication tool	da4ab50185c7b246d1d2c8fa7bd7a5ed
rexesvr.exe	Command line execution	003f6cda98a40529cc87fd1387714fd7
svcl.exe	Renamed version of sn.exe	e07b83abda5b566b3e9a30515a59ecc3
eqslquery.exe	Script that automates the installation of rexesvr.exe	bc354dcf5221aea9fae8a3283c09504d
rarx.exe	Compression tool	fd729427144044730c572fd5b9be7dd9
Soft.exe	Backdoor	ea75939da539a3879e5b442b11b51f24
lsasstd.exe	Backdoor	07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe	Backdoor	e2736b8e0628a07fc3a6dcccad99245e
smn.exe	Backdoor	b0ff54c190455feda3f67b53c4a4453d
mstsk.exe	Utility to inject code on running processes	ddfd9073a5f222e223f5f2156c71629d
Download original…

Please note that normal windows processes may run under the same filename. Do not assume that a process is suspect unless the MD5 hash matches the one in the table. If you need a MD5 hash generator, try this one for free.

The IP’s above have somehow been identified as being related to malicious behavior, but by just blocking them you are not making your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 Billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications, or blocking IP’s. If in doubt, contact someone more qualified in network security.

To start off, it is still unknown how many card numbers were actually stolen in the Heartland Breach. But, it is known that as many as 600 Million card numbers were exposed to malicious software. In terms of security (and logic in general), you can only assume the worst case until you can later prove that the situation is better (There is no innocent until proven guilty when it comes to security). So how many cards is 600 Million?

These are not exact numbers but are close… In 2007, there were about 200 Million card holders in the US. Of these card holders, they owned 321 Million Visa cards, 279 Million MasterCard cards, 52 Million AMEX cards, and 57 Million Discover cards. This makes a total of 709 Million credit cards. Since the account activity averages about 60% across all cards, there are roughly 420 Million active credit cards being used in the US.

Now putting this all together, the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country. Given the size of the breach, it’s unlikely that your card was not compromised if you made a purchase in the US between April and December.

Unfortunately a breach like this will have a negative impact of the entire credit card industry. I’ve heard a lot of “they had it coming” and cheers of joy from other people in my industry, but make no mistake, this is bad for everyone! We have yet to see the real start of what this is going to cost heartland and the credit card industry as a whole. I cannot imagine a scenario where Heartland comes out of this in one piece. They may prove me wrong, but the damage from this looks to be too great for any processor in the world to reasonable handle.

Heartland discovered malicious software that was recording credit card information as it was being sent to heartland for processing. Heartland processes roughly 100 millions transactions per month, for 250,000 US businesses.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

Right now it is currently unknown how much data has been collected, how/if it has been used, or how long the malicious software was recording information. The current largest data breach in history was about 45 million card number by TJX (TJ Max and Marshals) which cost the retailer almost $2 Billion dollars. Depending on how much data was lost, this breach could surpass the cost of the TJX breach.

I’ve been reading comments on various blogs and new sites on the internet and so far there is a lot of backlash and anger from consumers and businesses. We’ll see in the near future how this breach will affect Heartland, but it seems safe to assume that this will be an extremely costly event for one of America’s largest ISO’s.

***UPDATE***

http://www.nytimes.com/2009/01/21/technology/21breach.html?_r=1&emc=tnt&tntemail0=y

The software on the Heartland’s network was installed as early as May. Based on the volume of transactions, as many as 600 million card numbers were potentially vulnerable, although the actual number stolen was likely less than this. With that sort of exposure, and the sheer number of merchants that process with heartland, it’s not impossible that every single card holder in the US was exposed in this data breach.

One of the few good things that comes from unemployment, is that it creates situations that allow new businesses to start up. What better motivation to start your own business than getting laid off?

One of the interesting facts about the credit card processing industry, is that we generally see an increase in new businesses during an economic downturn, especially when it involves a lot of lay offs and lost jobs.

This is blatantly apparent when comparing Google’s trend graph for the term “Merchant Account” to the S&P500 Index. The increase in searches for merchant account is a delayed inverse to the crash in stock price, which in this case is a good indicator of the country’s economy.

This is a positive trend to me, because it’s apparent that people are still getting out there and trying to open their own businesses. Financing is a major hurdle right now, but there are signs that we will see an increase of new businesses in the months to come. Real-estate is cheap, competition is evaporating, and those businesses who can get established in a difficult economy should excel when things do pick up again.