Payment card system breaches can cause millions of dollars in damages. Consumer losses are generally minimal, because Regulation E generally obliges card-issuing banks to reimburse consumers for fraud. There are nevertheless millions of dollars of damages associated with responding to payment card breaches, in the form of fraud reimbursements and card re-issuance costs. These damages are apportioned among the various banks and card networks involved in processing credit and debit card payments. That was the environment in which Spec’s Family Partners v. First Data Merchant Services arose, a case decided by the United States Court of Appeals for the Sixth Circuit.
The case involved a credit card breach at dozens of liquor stores in Texas owned by Spec’s Family Partners (“Spec’s”). The breach occurred because of the chain’s failure to comply with and implement the Payment Card Industry Data Security Standard (“PCI DSS”). As a result, fraudsters were able to install malware that harvested the credit and debit card data of Spec’s customers. The damages arose when the banks that issued the customers’ credit and debit cards learned of the breach. The issuing banks had to reimburse customers for fraud losses and incur the costs of reissuing cards to customers.
by Hunton & Williams LLP, reprinted with permission
A Pittsburgh law firm has recently trained its sights again on community banks. This same law firm previously filed a number of class-action lawsuits against community banks: first, for alleged violations of the ATM fee-disclosure requirements in the Electronic Funds Transfer Act and, more recently, for alleged violations of the Americans with Disabilities Act (ADA) with regard to ATM-accessibility by disabled customers. In its latest attack on community banks, the law firm is sending demand letters to banks threatening litigation over the banks’ websites. The law firm contends the banks’ websites do not comply with the ADA because they allegedly are not accessible by disabled patrons.
ADA website-accessibility standards have not been issued by the federal government. In 2010, the US Department of Justice (DOJ) announced that it was considering issuing regulations applying the ADA to websites. Originally, it was expected that DOJ would issue website-accessibility standards for places of public accommodation by the spring of 2014, but the DOJ has now delayed issuing those regulations until 2018.
Many have anticipated that ADA website-accessibility rules, if and when they are issued, will resemble the standards set forth in the Web Content Accessibility Guidelines (WCAG), which are promulgated by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium. As described by the DOJ, the “WAI has created recognized voluntary international guidelines for Web accessibility” which “detail how to make Web content accessible to individuals with disabilities.”
Two weeks ago the National Association of Attorneys General (NAAG) sent a sign-on letter to attorneys general across the nation urging the implementation of chip and PIN technology in their states. The letter, to be sent to major card brands and issuers after those attorneys general added their signatures, sets forth the belief that chip and PIN should be the standard in the US and should be implemented without delay. This letter contains several mischaracterizations of security technology currently being used in the financial services industry, and directly contradicts the official positions of all four federal bank regulators, including the CFPB.
In response to this letter sent by the NAAG, CBI, in conjunction with the Iowa Bankers Association and the Iowa Credit Union League, has issued a statement to Iowa's Attorney General Tom Miller asking that he either decline to sign the above-mentioned NAAG letter or withdraw his support if already given.
ATM card skimming is on the rise in the nation, and hit home in Iowa last week. Two men have been charged with using skimmer devices to capture bank account information at three locations around Des Moines.
A skimmer device fits over the ATM's card reader slot and has its own memory chip to record the information on the card as it is swiped. Skimmers secretly record bank account data when a user inserts an ATM card into the machine. Criminals then can encode the stolen data onto a blank card and use it to access the customer's bank account. Skimmers also come in different colors like the green one used in Des Moines, or in a grayish color that would look similar to an ATM, making it hard to tell it's fake. Original card readers are usually concave in shape (curving inward), while skimmers are more convex (curving outward).
The use of keypad overlays placed directly on top of the factory-installed keypad is a relatively new technique that takes the place of a concealed camera. Instead of visually recording users punching in PINs, circuitry inside the phony keypad stores the actual keystrokes.
by Joe Adler, Deputy Washington Bureau Chief for American Banker
Impending "net neutrality" rules would help level the playing field for an ever-changing assortment of companies competing for financial services success, according to observers.
The Federal Communications Commission is moving closer to a plan to regulate online and mobile providers like other utilities, which would impede their ability to act as Internet gatekeepers and block or limit access to specific sites.
The effects of the FCC plan — assuming it is approved at a scheduled vote on Thursday — will likely not be immediately felt by banks, and the financial industry has stayed out of the debate. But experts say keeping the Internet open would afford financial institutions future benefits similar to other online players. Net neutrality would prevent a carrier from "throttling" sites of institutions offering similar products, as well as from charging certain banks a higher price for faster online service.
"They would be prohibited from doing anything that could be viewed as discriminatory toward competing applications provided by banks," said Brooks Harlow, a principal at Lukas Nace Gutierrez & Sachs. "To our knowledge, this hasn't been an issue yet. But one of the concerns is that an Internet service provider that has its own payments applications might in some way favor its applications at the expense of competitors."
The FCC's plan has received strong backing from Chairman Tom Wheeler, but some commission members had pushed either to narrow the rule's scope or delay the vote, according to published reports.
Community bankers should ensure their processors are aware of the “Poodle” hack and take steps to block the cyber-attack. Banks and other institutions are susceptible to the attack, which can intercept sensitive data used by website visitors. The name of the hack is an acronym for Padding Oracle On Downgraded Legacy Encryption.
The good news for banks is that Poodle attacks are fairly easy to block. The first step for a company is to check its websites to see if they're vulnerable. There are several free scanners that check for the presence of the flawed encryption that allows it, such as https://www.poodletest.com.
Community Banking News
Current news, events, regulations and other information in banking.