Dear Mrs. Iwueke,
Thank you very much for bringing this to my attention. I didn't even know I had a $1.8m ATM card and it very much concerns me that it is about to expire! Please act immediately upon my behalf to claim the outstanding balance and send me the proceeds via a certified check ASAP -- or better yet, exchange it for solid gold or silver and have it shipped. Please deduct the shipping costs from the proceeds. Also, in exchange for your kindness, please deduct an additional $500 from the proceeds for your time.
Again, thank you very much!
--Steve
From: Mrs. Elizabeth Iwueke [mailto:xxxxx.xxxxxxxxx@yahoo.com.ph]
Sent: Monday, October 24, 2011 11:37 AM
To: undisclosed recipients:
Subject: Contact Global Express Shipping Company Benin Repub.
ATTN, PAYMENT NOTIFICATION
This is to bring to your notice that, I have paid the re-activation and the delivery of your ATM, I paid it because the ATM Card ($1.8m),has less three days to expire and when it expires, the money will go into Government purse. With that I decided to help you pay the money so that the ATM will not expire, because I know when you get your ATM definitely you must pay me, my money back and even compensate me for helping you.
Now I want you to contact The Shipping Company Benin with your Full Contact information’s so that they can deliver your Card to your destination address without any delay. Like i stated earlier, The delivery charges has been paid but i did not pay their official keeping fees since they refused.
They refused and the reason is that they do not know when you are going to contact them todat before dumourage might increase. They told me that their keeping fees is USD$25 per day and i deposited it yesterday .
Below Is the Shipping Delivering Company Contact Information’s,
Contact Person: Dr.James Nelson.
The Director General Global Express
Shipping Company Benin Republic
E-Mail:(xxxxxxxxxxxxxxxxx@w.cn)
Contact Number: +229-########
Contact Today to avoid increase of their keeping fees and let me know once you receive your Card.
Best Regards,
Mrs. Elizabeth Iwueke
A free form area where I can post random thoughts and ideas or simply vent on various current events affecting the payment industry or topics I have addressed on other forums.
Monday, October 24, 2011
Monday, October 17, 2011
Is PCI Even Legal?
Back in September 2008 I put myself on PCI SSC's dung list as well as a separate entry on Bob Russo's personal ignore list with my post "PCI SSC Show Their True Colors -- Regulate for Profit". Recently I found an interesting post on Magtek's website: Fraud Mythology in the Payment World. It details a speech by Magtek CEO Mimi Hart where she rips into PCI, calling it "one of the more dangerous 'false gods' in payments." Now finally I have company on the dung lists! I have one small criticism about her speech, though: every false GOD is dangerous, so "dangerous" in that sentence is redundant. ;-)
Within the speech, Mimi Hart states "PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority." This got me thinking: is PCI even legal? Antitrust laws prevent the card brands from getting together in a room to set rates or make common rules for members, merchants, and customers. But before I go further, let me give a brief history lesson...
In the early days, prior to cardholder data security (pre-9/11/2001), the card brands, for the most part, relied on trust that cardholder data was being securely stored and properly used by merchants and applications. Sure, there was fine print in merchant agreements and various unpublished rules stating that merchants must do this or don't do that, but for the most part, there was no mechanism to enforce these hidden rules and fine print. After 9/11, the government decided payments needed better security and told the card brands to get it under control or they would step in.
Each of the card brands rapidly scrambled to create their own set of security mandates for merchants and vendors to follow. Visa had CISP, MasterCard had SDP, American Express had DSOP, Discover had DISC, and JCB had "security standards" (hmm, very creative!). While there were many common and compatible requirements, there were many that were unique to each, and worse, there were a few mandates that contradicted or deviated from mandates of other brands. In all this turmoil, PCI SSC was formed to unite all the security mandates and create one ring to control them all.
Ok, back to my question -- Is PCI legal?
Per the PCI SSC website: "The Council's five founding global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs." Then a little further down on the same page, "All five payment brands share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization."
I'm not a lawyer but to me this seems to imply that while PCI SSC is a separate organization, it is controlled by a round table of the five card brands. And because this is a "for profit" organization, this seems to have antitrust implications that may threaten PCI SSC's legal legitimacy.
PCI SSC was created as a way for the card brands to conspire to create a common set of security mandates without breaking antitrust laws. The problem is, PCI SSC is set up as a "for profit" limited liability corporation controlled by the card brands. If this were set up as a non-profit organization (as I assumed it was because of the .org domain name - silly me, another future rant) and a true standards committee like ANSI or ISO, I feel there would not be an issue. But as a "for profit" organization under the direct control of the card brands, there seems to be an issue here.
My recommendation: restructure as a non-profit organization, make the books public, and become a real open standards board eliminating the antitrust concerns.
If any antitrust attorney happens to read this, I would love to get your take on this question. Until next time...
P.S. For another take on the same speech, see the post in StorefrontBacktalk: Federal Reserve Listens to Security Vendor CEO Rip into PCI
P.P.S. Mimi, welcome to the list!
Friday, October 14, 2011
House Democrats Ask Justice Department to Probe Debit Fees
This is an interesting and quick read in Bloomberg Businessweek: House Democrats Ask Justice Department to Probe Debit Fees
If you don't have the time and need a Reader's Digest version: Lawmakers are crying because banks are making them look like incompetent boobs. That's about it.
Thursday, October 13, 2011
Swipe Fees Revisited
I hate to say I told you so but:
- With a $1.67 Average Ticket, Vending Processor USAT Predicts Pain from Durbin Rate - A vending-machine payments processor highly dependent on debit cards is bracing for a 247% increase in its average cost for accepting big-bank debit cards as a result of new Visa Inc. and MasterCard Inc. interchange schedules set to take effect Saturday...
- Durbin Casts a Wary Eye on Rising Small-Ticket Debit Interchange - U.S. Sen. Richard Durbin on Tuesday said he is aware that new Visa and MasterCard interchange schedules will cause some merchants to pay much more in interchange when a consumer uses a debit card from a big bank to pay for small purchases...
- New BofA Fee May Hasten Debit's Demise - Bank of America Corp., the largest bank by assets, plans to start charging its checking customers $5 per month, or $60 annually, if they use their debit cards to make purchases...
- Durbin Attacks BofA's Decision - Sen. Richard Durbin, D-Ill., author of the debit-interchange regulation, attacked BofA's decision, charging the money-center bank is "trying to find new ways to pad their profits by sticking it to its customers."...
- National Retail Federation also denounced BofA’s Decision - The National Retail Federation also denounced BofA’s debit card fee.
- Bill Would Repeal Debit Fee Cap - ...Although the bill is expected to face resistance, Chaffetz and Owens believe it will gain momentum as consumers begin to see the consequences of the new price cap...