Monday, October 24, 2011

Tales From the Inbox - Iwueke

Dear Mrs. Iwueke,

Thank you very much for bringing this to my attention. I didn't even know I had a $1.8m ATM card and it very much concerns me that it is about to expire! Please act immediately upon my behalf to claim the outstanding balance and send me the proceeds via a certified check ASAP -- or better yet, exchange it for solid gold or silver and have it shipped. Please deduct the shipping costs from the proceeds. Also, in exchange for your kindness, please deduct an additional $500 from the proceeds for your time.

Again, thank you very much!

--Steve


From: Mrs. Elizabeth Iwueke [mailto:xxxxx.xxxxxxxxx@yahoo.com.ph]
Sent: Monday, October 24, 2011 11:37 AM
To: undisclosed recipients:
Subject: Contact Global Express Shipping Company Benin Repub.


ATTN, PAYMENT NOTIFICATION

This is to bring to your notice that I have paid the re-activation and the delivery of your ATM. I paid it because the ATM Card ($1.8m) has less than three days to expire and when it expires, the money will go into the Government purse. With that I decided to help you pay the money so that the ATM will not expire, because I know when you get your ATM definitely you must pay me my money back and even compensate me for helping you.

Now I want you to contact The Shipping Company Benin with your Full Contact information so that they can deliver your Card to your destination address without any delay. Like I stated earlier, the delivery charges have been paid but I did not pay their official keeping fees since they refused.

They refused and the reason is that they do not know when you are going to contact them today before demurrage might increase. They told me that their keeping fees are USD$25 per day and I deposited it yesterday.

Below is the Shipping Delivering Company Contact Information:

Contact Person: Dr. James Nelson.


The Director General Global Express
Shipping Company Benin Republic
E-Mail:(xxxxxxxxxxxxxxxxx@w.cn)
Contact Number: +229-########

Contact Today to avoid increase of their keeping fees and let me know once you receive your Card.


Best Regards,
Mrs. Elizabeth Iwueke
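The message above is a textbook advance-fee ("419") solicitation: a large sum that is about to expire, a small fee the recipient must front first, a free-webmail sender who redirects you to a contact at an unrelated domain, and a mass mailing to undisclosed recipients. What follows is an added example, not part of the blog post, of how a mail filter could score a message on exactly those indicators. The addresses are constructed placeholders for the ones the post redacts, the indicator patterns, the free-webmail list and the threshold are assumptions, and the sample body reproduces a few lines of the message as received.

```python
import re

# Constructed sample mirroring the structure of the message on the page.
# The two addresses are placeholders for the ones the post redacts.
SAMPLE_HEADERS = {
    "From": "Mrs. Elizabeth Iwueke [mailto:sender-redacted@yahoo.com.ph]",
    "To": "undisclosed recipients:",
    "Subject": "Contact Global Express Shipping Company Benin Repub.",
}
SAMPLE_BODY = """ATTN, PAYMENT NOTIFICATION
I paid it because the ATM Card ($1.8m),has less three days to expire and when it expires,
the money will go into Government purse. Because I know when you get your ATM definitely
you must pay me, my money back and even compensate me for helping you.
They can deliver your Card to your destination address without any delay.
They told me that their keeping fees is USD$25 per day and i deposited it yesterday.
Contact Person: Dr.James Nelson. E-Mail:(contact-redacted@w.cn)
Contact Today to avoid increase of their keeping fees.
"""

# Assumed indicator set: each key counts once toward the score no matter how
# many times the pattern occurs in the body.
BODY_INDICATORS = {
    "money_amount": r"(?:usd\s*)?\$\s*\d[\d,.]*\s*(?:m\b|million)?",
    "deadline_pressure": r"\b(?:expires?|today|without any delay|immediately)\b",
    "fee_or_deposit": r"\b(?:keeping fees|delivery charges|re-?activation|deposited?)\b",
    "card_delivery_lure": r"\batm\s*card\b|\byour card\b",
    "repayment_expectation": r"\b(?:pay me|compensate me|my money back)\b",
}

# Assumed list of consumer webmail domains; a real filter would use a fuller one.
FREE_WEBMAIL = {"yahoo.com", "yahoo.com.ph", "gmail.com", "hotmail.com"}

# Captures the domain part of any e-mail address found in a header or body.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_domain(from_header):
    """Return the lower-cased domain of the first address in a From header, or None."""
    m = EMAIL_RE.search(from_header)
    return m.group(1).lower() if m else None


def score_message(headers, body):
    """Score a message on advance-fee indicators; returns the hit list and its size."""
    hits = []

    # Mass mailing with a hidden recipient list.
    if re.search(r"undisclosed\s+recipients", headers.get("To", ""), re.I):
        hits.append("undisclosed_recipients")

    # Someone claiming to act for a company but writing from consumer webmail.
    sdom = sender_domain(headers.get("From", ""))
    if sdom in FREE_WEBMAIL:
        hits.append("free_webmail_sender")

    # The body steers the reader to a contact at a domain other than the sender's.
    body_domains = {d.lower() for d in EMAIL_RE.findall(body)}
    if sdom and any(d != sdom for d in body_domains):
        hits.append("reply_to_third_party_domain")

    # Lure, urgency, up-front fee and expected repayment in the body text.
    for name, pattern in BODY_INDICATORS.items():
        if re.search(pattern, body, re.I):
            hits.append(name)

    return {"score": len(hits), "hits": hits}


def is_advance_fee_candidate(result, threshold=4):
    """Assumed cut-off: four or more independent indicators flags the message for review."""
    return result["score"] >= threshold


if __name__ == "__main__":
    verdict = score_message(SAMPLE_HEADERS, SAMPLE_BODY)
    print(verdict["score"], verdict["hits"])
    print("flag for review:", is_advance_fee_candidate(verdict))
```

The scorer deliberately counts categories rather than keyword occurrences, so a single repeated word cannot inflate the score; the header checks (hidden recipient list, webmail sender, off-domain contact) carry weight on their own because they survive even when the fraudster rewrites the body text.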

Monday, October 17, 2011

Is PCI Even Legal?

Back in September 2008 I put myself on the PCI SSC's dung list, as well as on a separate entry on Bob Russo's personal ignore list, with my post "PCI SSC Show Their True Colors -- Regulate for Profit". Recently I found an interesting post on Magtek's website: Fraud Mythology in the Payment World. It details a speech by Magtek CEO Mimi Hart in which she rips into PCI, calling it "one of the more dangerous 'false gods' in payments." Now I finally have company on the dung lists! I have one small criticism of her speech though: every false GOD is dangerous, so "dangerous" in that sentence is redundant. ;-)

Within the speech, Mimi Hart states that "PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority". This got me thinking: is PCI even legal? Antitrust laws prevent the card brands from getting together in a room to set rates or make common rules for members, merchants, and customers. But before I go further, let me give a brief history lesson...

In the early days, prior to cardholder data security (pre-9/11/2001), the card brands, for the most part, relied on trust that cardholder data was being securely stored and properly used by merchants and applications. Sure, there was fine print in merchant agreements and various unpublished rules stating that merchants must do this or don't do that, but for the most part, there was no mechanism to enforce these hidden rules and fine print. After 9/11, the government decided payments needed better security and told the card brands to get it under control or they would step in.

Each of the card brands rapidly scrambled to create their own set of security mandates for merchants and vendors to follow. Visa had CISP, MasterCard had SDP, American Express had DSOP, Discover had DISC, and JCB had "security standards" (hmm, very creative!). While there were many common and compatible requirements, there were many that were unique to each, and worse, there were a few mandates that contradicted or deviated from mandates of other brands. In all this turmoil, PCI SSC was formed to unite all the security mandates and create one ring to control them all.

Ok, back to my question -- Is PCI legal?

Per the PCI SSC website: "The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs." Then a little further down on the same page, "All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization."

I'm not a lawyer but to me this seems to imply that while PCI SSC is a separate organization, it is controlled by a round table of the five card brands. And because this is a "for profit" organization, this seems to have antitrust implications that may threaten PCI SSC's legal legitimacy.

PCI SSC was created as a way for the card brands to conspire to create a common set of security mandates without breaking antitrust laws. The problem is, PCI SSC is set up as a "for profit" limited liability corporation controlled by the card brands. If it were set up as a non-profit organization (as I assumed it was because of the .org domain name - silly me, another future rant) and a true standards committee like ANSI or ISO, I feel there would not be an issue. But as a "for profit" organization under the direct control of the card brands, there seems to be an issue here.

My recommendation: restructure as a non-profit organization, make the books public, and become a real open standards board eliminating the antitrust concerns.

If any antitrust attorney happens to read this, I would love to get your take on this question. Until next time...



P.S. For another take on the same speech, see the post in StorefrontBacktalk: Federal Reserve Listens to Security Vendor CEO Rip into PCI

P.P.S. Mimi, welcome to the list!



Friday, October 14, 2011

House Democrats Ask Justice Department to Probe Debit Fees

This is an interesting and quick read in Bloomberg Businessweek: House Democrats Ask Justice Department to Probe Debit Fees

If you don't have the time and need a Reader's Digest version: Lawmakers are crying because banks are making them look like incompetent boobs. That's about it.


Thursday, October 13, 2011

Swipe Fees Revisited

I hate to say I told you so but:
Oh, by the way, while I agree with most National Retail Federation stances, I believe they were dead wrong on this one. I have to imagine that someone over there is smarter than I and could have predicted side effects like these -- I guess not! Asking the government to step in and regulate costs and fees for an industry cannot ever end well. If someone arrives at your door and says "I'm with the government and I'm here to help", RUN! But in this case, the NRF invited them in with open arms.