Credit Card Processing News
The Merchant Insider is BankCard USA's blog to provide businesses with current information on the merchant service industry regarding rates, news, regulations and more.
Imagine launching your first business, excited to start selling your products to a hungry consumer base. Or perhaps you are expanding your brick-and-mortar business to offer products on the Internet. One of the most logical steps is to open a merchant account so your new business can take advantage of the 90% of transactions made on the Internet with credit cards. This seems like an easy enough task; however, the merchant services industry has become oddly predatory over the last decade, and more and more companies are finding themselves in unfair merchant services contracts. As we continue to lead the way in merchant services, you'll be able to get business-critical information on opening a merchant account and other key areas of merchant services, to help your business perform optimally.
NY AG investigating health care credit cards
Attorney General Andrew Cuomo launched an investigation Wednesday into health care credit cards after receiving hundreds of complaints from consumers who were convinced by doctors and dentists to sign up for them.
Investigators will look into financial incentives providers receive for promoting the cards that can leave patients struggling with overcharges and high interest rates, Cuomo said.
“You can’t wear two hats in the operating room,” the attorney general and Democratic candidate for governor said in Buffalo. “You can’t have the hat of a doctor and the hat of a financing agent at the same time. That’s a conflict of interest.”
Subpoenas have been issued to 10 providers, some with multiple offices, that promote GE Money’s CareCredit card, Cuomo said. Meanwhile, medical associations that endorse the card, including the American Dental Association and American Society of Plastic Surgeons, are being asked to explain their support.
Cuomo’s office also issued subpoenas to learn how three other health care card programs are run: Chase Health Advance, Visa Health Benefits and Citibank Health Card.
Cuomo said providers have been urging cardholders to finance procedures including dental work, cosmetic surgery and veterinary services not covered by insurance and even when they can pay in cash. He said CareCredit, for instance, charges providers a fee to offer the card and rebates part of the fee based on how much business the providers get consumers to charge.
Providers are paid within two days of the charge, giving them even more incentive to push the cards, Cuomo said.
“Health care debt is the number one cause of individual bankruptcy and this scheme is contributing to the economic burden being felt by consumers,” Cuomo said.
GE Money, a subsidiary of Fairfield, Conn.-based General Electric Co., received a subpoena to provide its customer list. The card is accepted by more than 125,000 health care practices nationwide. The company did not immediately respond to an e-mail request for comment.
Philip Palumbo, 80, of Rochester said he signed up for CareCredit to pay for an estimated $5,600 in dental work, not realizing he was agreeing to a credit card. After having the work done elsewhere, he continued to receive bills from CareCredit and wound up with a strike on his credit report.
“We are concerned that some health care providers are aggressively marketing these high-interest credit cards to patients without providing appropriate disclosures, protections or refunds,” said Chuck Bell, program director for Consumers Union, which publishes Consumer Reports.
American Dental Association President Ronald Tankersley said the group, after receiving Cuomo’s letter, shares the attorney general’s concern about credit financing practices.
“Financing can greatly benefit patients when it comes to paying for their dental treatment, provided that patients fully understand the terms of the financing program,” Tankersley said.
Phil Hayes, spokesman for the American Society of Plastic Surgeons, said his group had yet to receive the letter. He reserved comment.
Health care providers sent subpoenas include: Allcare Dental Management Inc. of Buffalo; American Laser Centers of Farmington Hills, Mich.; Aspen Dental Management Inc. of East Syracuse; East Syracuse Family Dental Arts; Laser Cosmetica of New York City; Lifestyle Lift of Troy, Mich.; Northern Lights Chiropractic of Watertown; S & Y Diamond Dental P.C. of Brooklyn; Sunshine Dental of Watertown, and Toothsavers of New York City.
Durbin Cedes Ground on Debit-Card Fee Limits as Support Erodes
By Peter Eichenbaum and Patrick O’Connor
June 17 (Bloomberg) — U.S. Senator Richard Durbin, faced with growing opposition and slipping support for his proposal to cap debit-card “swipe” fees, said he is working to exempt prepaid cards governments use to distribute benefits.
“It’s a special-case situation,” the Illinois Democrat and majority whip said yesterday at a hearing on fees federal agencies pay to accept debit and credit cards. “No decisions have been made as to how we’ll address those concerns, but we are working on a way to carve out state-issued prepaid cards from the legislation,” Durbin spokesman Max Gleischman said today.
Durbin’s public concession, his first on the debit legislation since the Senate voted 64-33 to approve it last month, followed mounting opposition from card-industry lobbyists and lawmakers who have said that regulating swipe fees, or interchange, will enrich merchants at consumers’ expense.
U.S. Representative Maxine Waters, a lead negotiator for the Congressional Black Caucus on the financial overhaul bill, initially backed merchants in their campaign to regulate the fees, which are set by Visa Inc. and MasterCard Inc. and exceed $40 billion a year. Now, the California Democrat said she’s concerned the plan will hurt credit unions and community banks, which oppose the measure.
Regulating the fees is “a very complicated issue,” Waters said last week in her opening remarks as a member of the conference committee assigned to merge the House and Senate bills. The debate “must be resolved in a manner that doesn’t harm community banks or credit unions but provides some relief to small businesses and merchants, while protecting consumers.”
‘Pleasing Banks’
During an April 28 hearing on a separate interchange bill, Waters said the fees are boosting profits for the biggest lenders while hurting merchants. “The banks are doing everything they can to reap fees from debit-card purchases,” she said. The competition between Visa and MasterCard “has become more about pleasing the banks that actually issue the cards rather than the consumers who use them.”
Waters has been the focus of a lobbying blitz that included a visit last week from hip-hop entrepreneur Russell Simmons, who co-founded the Def Jam rap label, and a June 1 letter from Robert Johnson, America’s first black billionaire. The two, who own stakes in firms that offer prepaid debit cards, said the poor and minorities with limited access to banks may be among the biggest losers if Congress limits swipe fees.
“The Durbin amendment imposes price controls on the fees merchants pay for debit-card acceptance and it threatens to undermine the ability of banks to serve working-class customers who are often shunned by the financial mainstream,” Johnson, the founder of Black Entertainment Television and the chairman of the RLJ Companies, based in Bethesda, Maryland, said in his letter. Waters declined to comment yesterday.
‘Turning Point’
“Her opposition to this would be a real turning point,” said Trish Wexler of the Electronic Payments Coalition, which represents Visa, MasterCard and banks.
Representative Debbie Wasserman Schultz, a member of the House majority’s leadership team, persuaded 130 colleagues, including 70 Democrats, to join her in signing a letter that urges the bipartisan conference committee to strip Durbin’s proposal from the bill.
“If this amendment stands, our constituents will pay more for basic banking products and credit cards and no longer receive valuable services like fraud and identity-theft protection paid for by the current interchange system,” Wasserman Schultz said in a statement.
Editorial Criticism
Durbin also has lost the support of his home state’s largest newspaper. “When Senator Durbin starts picking winners and losers among competing industries, anyone who cares about free enterprise should worry,” the Chicago Tribune said in a June 10 editorial. “The rough-and-tumble fight over interchange fees should be settled in boardrooms, courtrooms and, especially, the marketplace — not by federal fiat.”
Visa and Purchase, New York-based MasterCard, the world’s biggest payment networks, set interchange fees and pass the money to card-issuing banks including JPMorgan Chase & Co., Bank of America Corp. and Citigroup Inc.
Merchants groups including the National Retail Federation, which estimate that U.S. retailers paid $48 billion in interchange fees in 2008, say their members are powerless to negotiate with MasterCard and San Francisco-based Visa, calling them a duopoly. The companies accounted for 91 percent of global purchase transactions made with general-purpose cards last year, according to the Nilson Report, an industry newsletter.
“There is no agency with regulatory authority over the nearly $50 billion collected per year in interchange fees,” Durbin said during yesterday’s hearing. “Nor is there any real competition or negotiation in the market to keep fees in check. Visa and MasterCard set the fee rates as they see fit, and tell merchants to take it or leave it.”
Federal Reserve Role
Durbin’s plan would empower the Federal Reserve to set swipe fees that are “reasonable and proportional” to the cost of processing debit transactions. The fees merchants paid to accept MasterCard and Visa debit cards last year averaged 1.63 percent of each sale, according to the Nilson Report.
The measure also permits retailers to offer discounts based on the form of payment, or for a particular card brand, and set minimums and maximums for credit-card purchases.
Durbin’s decision to exempt governments is a “tacit admission” that his amendment is flawed, according to Wexler of the Electronic Payments Coalition.
“If it would hurt government programs, then that means it would also hurt everyday debit-card holders,” Wexler said. “It is simply not possible to destroy the economics of debit and prepaid card networks and then attempt to shield favored constituencies from the aftershocks.”
–Editors: William Ahearn, Rick Green
PCI Compliance Doesn’t Have To Be Painful
Two technologies, end-to-end encryption and tokenization, may go a long way toward protecting credit-card data.
By Andrew Conry-Murray
InformationWeek
May 22, 2010 12:00 AM (From the May 24, 2010 issue)
Security pros have a love-hate relationship with PCI. On one hand, the standard compels management to invest in security and mandates operational best practices. Failure to toe the line can result in fines and penalties, including increased costs for credit card transactions. Visa, MasterCard, and other card brands could go so far as to revoke a company’s right to process cards, effectively killing the business.
Such consequences get noticed by executives. “We have a security operation because of PCI,” says Bob Kemp, manager of IT security for Sheetz, a chain of gas stations and convenience stores. Sheetz is a Level 1 merchant, which means it processes at least 6 million credit card transactions every year. As such, Sheetz is required by PCI to be assessed by a third-party entity called a Qualified Security Assessor, or QSA, to ensure it complies with the standard.
But on the other hand, security pros also have beefs with the standard. At the top of the list is the notion of safe harbor, or the lack of it. While PCI is mostly sticks, one carrot for merchants is that the card brands can’t fine them if they’re breached, provided the merchants were compliant at the time of the breach. This safe harbor is offered as an incentive to promote compliance. Visa’s Web site includes this statement: “Visa may waive fines in the event of a data compromise if there is no evidence of noncompliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach.”
The key phrase is “full compliance at all times.” On the surface, that’s reasonable, until you understand that a company is technically compliant only at the time of the assessment. Once the QSA leaves, the company’s status falls into a zone of uncertainty.
Two technologies, end-to-end encryption and tokenization, may go a long way toward protecting card data and ending this uncertainty. As we’ll discuss in detail in our full report, available free for a limited time at informationweek.com/analytics/pciupdate, several large card processors offer, or will soon offer, devices that can encrypt card data at the point of sale.
For instance, Merchant Warehouse offers encrypted card readers, which the company says are being used in about 1,000 locations. The system can also return tokens rather than card data to merchants and retailers, which can be used for common transaction requirements such as voiding or refunding a purchase. In 2009, payment processor First Data announced Secure Transaction Management, a service that encrypts card data at the PoS application and sends it to First Data to be decrypted. And Heartland Payment Systems will soon launch E3, a program for point-to-point encryption and tokenization. The processor is offering PoS terminals that have a hardware-based encryption module from Thales.
Shifting liability is a key selling point of end-to-end encryption and tokenization. If these technologies can reduce the scope of PCI and lower the risk of card data being stolen at the retailer’s site, widespread adoption is virtually assured. And that’s good for all of us.
5 AREAS TO VET CRYPTO, TOKEN VENDORS
1. Depth of knowledge: Ensure the vendor can demonstrate its products adhere to PCI guidelines.
2. Level of commitment: You could end up locked in to the payment processor that provides your encryption or tokenization service. Can you live with that?
3. Hard trumps soft: Systems that encrypt card data at the point of swipe using a hardware module are superior to point-of-sale terminals that perform encryption using only software.
4. Ask for assurance: There are many potential points of failure. Shoddy key management, places in the processing chain where encrypted data is decrypted and re-encrypted, caches of clear-text card data outside your boundaries. Get audit results.
5. Don’t get complacent: Adopting end-to-end encryption and tokenization won’t magically make you PCI compliant. Any business process that demands card data in the clear should raise a red flag.
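To make concrete how tokenization takes card data out of the merchant's systems (the void/refund-by-token flow described above) and how to look for the "caches of clear-text card data" that item 4 warns about, here is an added example in Python. It is not code from InformationWeek, Merchant Warehouse, First Data or Heartland. The `TokenVault`, `Processor` and `Merchant` classes are hypothetical; the vault keeps PANs in plain dictionaries (a real vault encrypts them under HSM-managed keys, and the PAN would reach the processor encrypted from the swipe device), and the card number 4111111111111111 and the log line are constructed samples, not live data.

```python
import json
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real card number (PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault (hypothetical). A production vault keeps PANs encrypted
    at rest under HSM-managed keys; that layer is omitted (assumption) so the
    example runs on the standard library alone."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:     # multi-use token: same card, same token
            return self._token_by_pan[pan]
        while True:
            # Random body; the real last four digits are kept so receipts still show them.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never pass Luhn: a leaked token then cannot be mistaken
            # for, or used as, a card number.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


class Processor:
    """Hypothetical card processor: the only party that ever sees the PAN."""

    def __init__(self):
        self.vault = TokenVault()
        self.ledger = []                  # (operation, last four, amount)

    def authorize(self, pan: str, amount: float) -> str:
        self.ledger.append(("auth", pan[-4:], amount))
        return self.vault.tokenize(pan)   # merchant gets a token, never the PAN

    def refund(self, token: str, amount: float) -> None:
        pan = self.vault.detokenize(token)
        self.ledger.append(("refund", pan[-4:], amount))


class Merchant:
    """Hypothetical merchant system: after authorization it stores only tokens."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = {}

    def sell(self, order_id: str, pan: str, amount: float) -> str:
        token = self.processor.authorize(pan, amount)
        self.orders[order_id] = {"token": token, "amount": amount, "status": "captured"}
        return token

    def refund(self, order_id: str) -> None:
        order = self.orders[order_id]
        self.processor.refund(order["token"], order["amount"])  # no PAN needed
        order["status"] = "refunded"


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return digit strings in text that look like live PANs (length and Luhn checks).
    Tokens from TokenVault never pass, so a clean merchant store yields []."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    """Constructed walk-through: one sale, one refund by token, then a PAN scan."""
    proc = Processor()
    shop = Merchant(proc)
    test_pan = "4111111111111111"         # well-known test number, not a live card
    token = shop.sell("order-1", test_pan, 42.00)
    shop.refund("order-1")
    # Constructed sample of a debug log written by a careless PoS application.
    leaky_log = "2010-05-22 12:00:01 auth ok card=4111-1111-1111-1111 amt=42.00\n"
    return {
        "token": token,
        "merchant_storage_pans": find_pans(json.dumps(shop.orders)),
        "leaky_log_pans": find_pans(leaky_log),
        "refund_entry": proc.ledger[-1],
    }


if __name__ == "__main__":
    print(demo())
```

The refund goes through with nothing but the token, which is the property that shrinks PCI scope: the merchant's order store, scanned with `find_pans`, contains no card numbers, while the same scan over the constructed PoS debug log flags the one it holds. Running that scan over log directories, database dumps and backups is a cheap way to find the clear-text caches that item 4 tells you to ask vendors about.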
New Data Privacy Program By Trustwave
Chicago, May 6, 2010 — Trustwave, a leading provider of information security and compliance solutions, has launched a first-of-its-kind Data Privacy Program comprised of security services that help businesses protect their customers’ personally identifiable information (PII) and other sensitive data.
Organizations in specific industries have long been subject to compliance mandates, such as the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA), requiring them to protect sensitive data. New data privacy legislation broadens that scope to all businesses that receive, store or have access to PII, which is sometimes defined simply as a person’s name and driver’s license number. Data privacy laws already exist in 46 states and legislation designed to protect PII is currently pending on the federal level. Securing sensitive consumer data has become a required ongoing process, including businesses that do not handle credit card information or other sensitive financial data.
The cost of protecting PII is significant, with businesses that experience a breach often incurring the direct expenses of public notification, additional customer service
burdens and credit monitoring for affected consumers. Indirect costs such as brand damage can result in loss of business and deterioration of market value. However, recent industry analyst reports have shown that the implementation of a data protection program can cost less than two percent of the expense of containing a data breach once it has occurred. Trustwave’s Data Privacy Program is the first such data protection offering specifically designed to help organizations protect PII.
“Our compliance engagements and forensic investigations reveal that many organizations do not know where sensitive data is stored within their environment,” says Robert J. McCullen, chairman and CEO of Trustwave. “Trustwave’s program is a comprehensive approach that will help implement key security initiatives to facilitate data management and protect sensitive data to help ensure the business is meeting data privacy regulations.”
The Trustwave Data Privacy Program helps businesses and organizations establish and maintain a compliance program that meets data privacy requirements. To help protect organizations from breach-related expenses, the program offers the following for large and small businesses:
- Assistance in developing applicable security policies for the protection of personal information
- Discovery and classification of personal information stored in the corporate environment
- Encryption of personal information at rest and in transit
- Identification of asset vulnerabilities
- Employee education regarding computer system and personal information security
The Trustwave Data Privacy Program is structured to protect the information handled by all types of businesses and organizations, regardless of the manner in which personal data is stored or transmitted. Key components of Trustwave’s program focus on Physical Data Privacy (PDP) and Electronic Data Privacy (EDP) and include the following options:
- PDP – protects entities that maintain PII physically, but do not store or transmit such information electronically
- EDP Core – protects entities that store PII electronically
- EDP Mobile – protects PII stored electronically on mobile devices
- EDP Transport – protects PII electronically transported over public networks
“I’m proud of our role as pioneers in the evolution of data protection – there’s not another program like this in the marketplace,” says McCullen. “This is really just another demonstration of Trustwave’s commitment to delivering security and compliance solutions that solve real world problems for our customers.”
About Trustwave
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com .
Source: Company press release.
STAR(R) Network Signs SunTrust to Exclusive Agreement for PIN Debit Access
ATLANTA, May 03, 2010 (BUSINESS WIRE) — First Data Corporation today announced that its STAR(R) Network has signed a multi-year agreement with top-ten debit card issuer SunTrust Banks Inc. to provide PIN-secured debit point-of-sale (POS) and ATM access to its cardholders.
Atlanta-based SunTrust is one of the largest banks in the United States, with approximately 1,700 retail branches and 2,800 ATMs across the Southeast and Mid-Atlantic. STAR is one of the nation’s leading electronic funds transfer networks with more than two million retail and ATM locations.
“Our choice of PIN debit network was based on a client-centric approach to decision-making and required an exhaustive evaluation of the leading providers in the market,” said Steve Karp, senior vice president, Enterprise Payments Strategy, for SunTrust. “Throughout that process, STAR demonstrated to SunTrust its unwavering focus on creating value for their members, bringing best-in-class innovation to the market, and leveraging their talented and committed senior leadership team. We believe we’ve selected the best network and long-term partner.”
“This is a huge win for us,” said Kevin Barry, general manager for the STAR Network. “Our new relationship with SunTrust is a validation of our commitment to lead the industry with superior customer service and the most innovative products. SunTrust’s progressive view of payments will be a great match for STAR and our members.”
First Data provides signature debit and credit card processing and production to SunTrust, as well as merchant processing services to the bank’s business and commercial customers. Through the merchant processing alliance, SunTrust can offer a full suite of electronic payment products and services including credit, debit, check, and gift card programs to its business customers throughout the Southeastern United States.
Terms of the agreement remain confidential.
About SunTrust Banks, Inc.
SunTrust Banks, Inc., headquartered in Atlanta, is one of the nation’s largest banking organizations, serving a broad range of consumer, commercial, corporate and institutional clients. As of March 31, 2010, SunTrust had total assets of $171.8 billion and total deposits of $118.7 billion. The Company operates an extensive branch and ATM network throughout the high-growth Southeast and Mid-Atlantic states and a full array of technology-based, 24-hour delivery channels. The Company also serves clients in selected markets nationally. Its primary businesses include deposit, credit, trust and investment services. Through various subsidiaries the Company provides mortgage banking, insurance, brokerage, investment management, equipment leasing and capital markets services. SunTrust’s Internet address is SunTrust.com.
About First Data
First Data powers the global economy by making it easy, fast and secure for people and businesses to buy goods and services using virtually any form of electronic payment. Whether the choice of payment is a gift card, a credit or debit card or a check, First Data securely processes the transaction and harnesses the power of the aggregate data to deliver intelligence and insight for millions of merchant locations and thousands of card issuers in 36 countries. For more information, visit www.firstdata.com.
SOURCE: First Data
Hacker Sentenced to 20 Years for Breach of Credit Card Processor
BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.
The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.
“I understand the road to redemption will be long,” said Gonzalez, 28, before the sentence was pronounced.
Gonzalez, who once dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” had faced a sentence of between 17 and 25 years for the intrusions.
He was indicted last August — along with two unnamed East European hackers known only as “Grigg” and “Annex” — on charges of hacking into Heartland Payment Systems, a New Jersey card-processing company, as well as Hannaford Brothers supermarket chain, 7-Eleven and two unnamed national retailers.
Lawyers representing the two unnamed companies spent 30 minutes Friday trying to persuade the court not to unseal documents identifying those retailers, who suffered breaches, but no known loss of sensitive customer data. In the end, U.S. District Judge Douglas Woodlock ordered the documents unsealed, paving the way for the companies to be identified. [Update: One of the companies has been confirmed as JC Penney, by the blog Storefront Backtalk, which reported last year that the company was believed to be among the targets. The second company is Wet Seal.]
According to the government, Gonzalez and an uncharged conspirator found the targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used. They then uncovered vulnerabilities in the systems they could exploit.
Using a SQL-injection attack, the hackers broke into the 7-Eleven network in August 2007, stealing an undetermined amount of card data. They used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.
Once on the networks, the hackers installed back doors to provide them with continued access. They tested their malware against 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
The initial breach into Heartland was confined to the company’s corporate network, which was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Heartland discovered the hackers on its network only in January 2009 after being told by credit card companies that it might have been breached.
According to prosecutors, the breach of Heartland and Hannaford resulted in a data theft on 130 million credit and debit cards. The company claimed losses of $130 million.
Although Gonzalez pleaded guilty to the charges, his attorney said in a sentencing memo that he played only a peripheral role in this case, as opposed to the ringleader role he played in the TJX hack.
According to the memo, the intrusions and data theft in this case were conducted by “Grigg” and “Annex,” and Gonzalez learned of the breach only after the fact. He also did not participate in the sale of the stolen card data “nor did he profit from any of the intrusions at issue in this case.”
His only role was to provide the hackers “with certain services he controlled” and to ask another hacker to modify malware that one of the East European hackers might have designed.
He had only “minor and insignificant” involvement in the 7-Eleven intrusion as well. For this reason, he should receive the minimum sentence, his attorney argued.
Gonzalez’s crimes were committed mostly between 2005 and 2008 while he was drawing a $75,000 salary working for the U.S. Secret Service as a paid undercover informant.
“It would take an enormous number of robberies to capture the amount of money” stolen by Gonzalez and his crew, Woodlock told the hacker. “This is real time. And it’s meant to deliver a message to others.”
Read more: http://www.wired.com/threatlevel/2010/03/heartland-sentencing/
BankCard USA Transforms iPhone into Credit Card Terminal
Take cards anywhere. Pay lower interest rates on your credit card processing transactions with PAYware Mobile by BankCard USA.
PAYware Mobile is an attachment that hooks up to your iPhone to allow you to swipe cards wherever you may be. It’s the complete payment solution that transforms the iPhone into a secure payment portal. With PAYware Mobile, you’ll never miss a sale. Simply swipe a card, capture a signature and enjoy the convenience of payments wherever and whenever. With PAYware Mobile, not only do you have the ultimate in convenience, you have the ultimate in security. In addition, the app-plus-reader combination can lower your cost of accepting credit cards by 30%.
• Accommodates the many customers who want to use credit cards.
• Encrypts credit card data and reduces fraud and liability.
• Attach to phone, swipe card and capture signature.
If you are interested in having PAYware for your iPhone, contact BankCard USA today at 800.589.8200.