Recent News

04/21/2010 - Visa, Inc. Acquires CyberSource – What Does this Mean?

I came across Visa’s announcement that they will be acquiring CyberSource for $2 billion. CyberSource owns Authorize.net, a major Internet payment gateway. CyberSource claims to processes about 1/3 of all ecommerce transactions in the US, serving almost 300,000 merchants. What does this mean for the credit card processing industry? Honestly, I am flabbergasted and have all sorts of thoughts and feelings about this. Because of how complex this business is and how everyone is interconnected with one another, this action can result in so many different negative scenarios. Visa/MC have always strictly been an association. They have never provided any services and their member banks are the ones that do everything. This includes issuing credit cards to consumers as well as providing merchant accounts to merchants. For anyone that knows how this business works, this is a little bit of scary news. You could say that Visa will now be a conflict of Interest. I can however understand why they are making a move such as this. They are a publicly traded company and the core motivation behind any publicly traded company is profit. Only time will tell on what they do with it and how it affects the industry.

At the end of their Q&A session on their webcast announcement, Visa does suggest that they will be doing away with the acquiring division of CyberSource / Authorize.net and turning it primarily into a referral based business. This part is good news for Authorize.net resellers such as ourselves. They have been competing with their resellers for several years by providing merchant accounts themselves through a partnership.

For years, there have been reps or companies that make the claim that they are direct with Visa. This has never been true for what I explained above. However, now that Visa is acquiring CyberSource, I would not be surprised if anyone working for CyberSource now tries to makes use of that line even though it is still not true. Visa may now legally own CyberSource, but that does not change any of the relationships, costs or how everyone is interconnected with one another.

10/2/2009 - New Credit Card Processing Rules Kill off WEP (in 2009)

The credit-card industry has finally revised rules to make WEP persona non grata: The PCI Security Standards Council was founded by Amex, Discover, JCB, Visa, and MasterCard, and each organization agreed to adopt the standards that the group decides on. The latest update of the Data Security Standard (DSS), drafted early this year, was adopted and released yesterday, and profoundly alters Wi-Fi security practices for any company that accepts any of major credit card. A summary can be downloaded under PCI DSS Summary of Changes.

The new rules prohibit the use of the highly broken WEP (Wired Equivalent Privacy) standard as part of any credit-card processing--such as from a store terminal to a server--after 30-June-2010, and prohibit any new system from being installed that uses WEP after 31-March-2009. In practice, WEP has remained in relatively wide use among retailers as of last year because many individual and chain stores continue to use ancient point-of-sale gear. The supplier side changed slowly, too, with WEP still included as a standard feature long after WPA was widely available starting in 2004 in business and consumer Wi-Fi gear and computers. The use of WEP is what led to the TJ Maxx parent company network invasion.

The DSS sets both security and audit standards: Merchants must conform to the document's guidelines, and if examined by their merchant card issuer, must be found to conform. If not, they could have the ability to process cards turned off, which makes it hard to be a retailer of any kind.

An analysis of the changes in SearchSecurity states that 802.1X as being required, but I believe that may have been a typo. The SearchSecurity article notes that "802.1x" and "802.11x" are cited as examples of industry best practices in the summary document. However, in both the summary and full version of the DSS, I see "802.11i" listed, which is a generic way to refer to WPA2 with TKIP and AES keys.

This would seem to indicate that the DSS would allow the use of WPA and WPA2 Personal, as is noted in Section 2.1.1. That same section, however, recommends the use of AES, which is only available in WPA2 compliant hardware. There doesn't seem to be any mention of 802.1X or WPA/WPA2 Enterprise elsewhere in the document or its summary.

9/22/2009 - Some Grocery Stores Considering Not Accepting Checks

A recent article in the LA Times talks about how some large grocery store chains are looking to discontinue check acceptance and only accept cash, credit and debit cards.

According to recent studies check usage has declined so much in exchange for debit and credit card usage that it's no longer necessary to offer check processing, cashing, etc as a convenience to customers. Check processing costs more than it's worth in many cases to these businesses.

Of course in addition to the costs involved of offering these check services, the rise in bad checks also has something to do with the grocery store's reasoning in not accepting checks anymore.

Check acceptance is a great service to offer to customers, but though some customers will threaten to find another store, evidence suggests that many more customers aren't bothered by the move as they now use primarily debit and credit cards as the primary form of electronic payment anyway.