Thursday, July 31, 2008

Using the Internet for Utility Payments

Posted by Mark Brousseau

An interesting article written by Bob Craig at Energy Central on another benefit of using the Internet for billing:

Internet Channel Can Help Utilities Ease the Sting of Delinquent Payments

Robert Craig, Executive Vice President and General Manager, eCommerce Services, Online Resources Corporation

Across the United States, personal financial stability is decreasing as the “perfect storm” of record-high energy, food and healthcare costs collide with spillover from the deepening mortgage crisis to push millions of families into financial trouble.

In April 2008, my company conducted a survey of U.S. households which found that 25 percent have at least one bill 30 or more days overdue, and that 52 percent of households are finding it harder to meet their financial obligations than they did twelve months ago -- an increase from 43 percent who said the same in October 2007.

Americans are increasingly being forced to prioritize their bill payments by creating a “delinquency budget,” ranking which bills they would be most likely to pay if they had to choose.

It should come as no surprise that the mortgage bill tends to be the one that most households (98%) are most likely to pay.

Utilities Hit by Spiking Delinquencies
With consumers prioritizing their bills, utility companies are seeing an increased risk of delinquencies. Our survey showed that approximately nine percent of households are at least 30 days delinquent on their utility bill. That number is up significantly from October 2007. Just this week, the National Energy Assistance Directors' Association reported that utilities across the country are seeing record numbers of shutoffs.

The “perfect storm” of colliding financial pressures on consumers’ budgets hits a utility company particularly hard during the spring and summer months. As winter moratoriums end and warm-weather energy bills hit their peak, utilities face significantly increased costs. These encompass having to send severely delinquent accounts to collections and hire additional crews to physically shut off service -- which, these days, means ever higher fuel costs for those crews to do the job.

Add to that the additional cost burden of having to collect deposits for households now classified as high-risk when service is restored and having to, again, dispatch crews to physically turn on service.

And, sadly, these high-risk households may be cyclically delinquent at various times of the year, requiring repeats of this costly exception handling. Unlike other service companies, such mortgage lenders, wireless telecommunications or credit card issuers, utilities cannot just charge off debt and walk away from high-risk accounts. They must provide service universally to every household in their region.

It is no wonder that the words “delinquency” and “collections” typically generates stress and challenges for utilities.

Advent of “Virtual Collections”
Traditionally, managing delinquent accounts has meant an increase in staff with the accompanying challenges related to hiring, training and compliance, or an increase in dollars spent outsourcing debt collection to first-party collection agencies. Both of these are a significant burden for most utilities

Online payments for accounts that are current have been around since the late 1990s. Web technology specifically created for the collection of delinquent payments is a relatively new concept that only a few billers in recurring industries, such as utilities, have deployed, thus far.

When consumers are faced with the consequences of collections, our research strongly suggests that delinquent account holders are much more willing to resolve the situation via the privacy and convenience of the web, through what we refer to as “virtual collections.” In fact, 28 percent of consumers said they would be more likely to pay a past due bill if they had the ability to settle the debt via a web site, whereas only about half that number was likely to respond to a phone call or letter from a collection agent.

Web-based collections has proven to be a cost-efficient and effective tool in improving delinquency roll rates for early stage delinquent accounts, and increasing payments from later-stage delinquent accounts. It has also helped eliminate or soften many of the negative aspects related to managing these situations with consumers and has given account holders more convenience to resolve their delinquent status.

This is of particular importance, I believe, for utilities, because they must provide universal service and have, in effect, customers for life. Providing as positive an experience as possible, as consumers cycle all the way from delinquency and collections and back into good standing, just might give utilities an edge in competing effectively for those consumers’ on-time payments during good times and bad.

Adoption of web-based collections by delinquent account holders is increasing as users become more comfortable remitting payments online.

Account holders who make a promise-to-pay during a web session keep their promises—the average payment commitment experienced a 94% keep rate.

A key benefit to web-based collections is convenience—22% of logins occurred on Saturday or Sunday, or during off-hours when regulations or hours of operation prevent contact by billers, creditors and traditional collection agencies.

Overcoming Skepticism about New Collection Technology
From January to May 2005, we set up a pilot study with a large bank to test whether people would pay their delinquent bills at a web site offering them multiple ways to “self-cure” or resolve their debt online without assistance from a live agent. The bank was initially skeptical.

First, it questioned whether delinquent customers would even come to a web site. Second, management doubted that delinquent account holders, whom the bank had been unable to reach by phone, mail or an 800 number, could be convinced to pay their overdue payments simply because they could go to a web site to do so.

The study was a “champion-challenger” test where the bank randomly selected 10% of its delinquent accounts and changed how they were treated. The only variable in how these accounts were treated was the promotion and notification of the financial advisory nature of the “virtual collector” web site for those customers to make payments, learn about potential payment programs or perhaps settle out their accounts.

The bank realized a loss reduction of 310 basis points, which would translate to an annualized savings of $3.1 million for an organization with $50 million in delinquent balances.

Other studies by our company have shown that companies who implement specialized web sites for resolving delinquent accounts have seen positive results.

About 20% of the users who self-cure online do so during hours that companies’ collection operations, whether in-house or outsourced, are not traditionally open.

Almost half the users have not been successfully contacted by the company in the prior 6 months, if ever, and two-thirds of them are late-stage delinquent accounts.

Web users have higher rates and amounts of payment against higher average balances.
Consumers’ choice of the web increases over time: the web has about twice the activity today that it did a year ago.

Web site visitors paid a dollar amount three times more than the portfolio average and paid four times more often than the portfolio average.

Utilities, other Billers Out of Sync with Consumer Preferences
Only 8% of billers -- including utilities -- offer a web site that goes beyond accepting payments to allow consumers to cure their delinquency. This means that they are missing out on a significant opportunity to improve how they meet consumer preferences for making delinquent payments, while saving money at the same time.

As more consumers find themselves in unfamiliar territory, being delinquent on bills they have always paid on time, utilities should embrace the opportunity to adopt new collections practices that minimize credit losses and ease the pain for consumers.

Innovative technology cannot prevent people from facing tough economic choices between which bills to pay this month. But its effective use can limit the repercussions and costs for the companies that serve them.

Monday, July 28, 2008

Unisys Confronts Signs Of The Times

Posted by Mark Brousseau

Interesting article on Unisys in today's Philadelphia Inquirer:

By Mike Armstrong

It’s a sign of the times when furor over a sign can cause a company to rethink whether it wants to do business in Philadelphia.

Unisys Corp. said in December it would move its corporate headquarters from Blue Bell into Center City. It agreed to lease 90,000 square feet in Two Liberty Place and relocate 225 employees there.

Some scoff that that’s not a lot of jobs, but it is for the city that’s been bleeding jobs for decades.

Symbolically, the city could do worse than attract another Fortune 500 company into its core.

Who could foresee that Unisys’ plans would not be well-received by some well-heeled tenants in the million-dollar condos on the top floors of Two Liberty. Nothing against information technology; they have a problem with the red corporate logo Unisys wants to affix to the building outside the 38th and 39th floors.

That red sign has thrust Unisys into a federal lawsuit with those tenants. Plus, opponents will vent about it at a zoning hearing board meeting in September. That would be the second hearing on the sign after one last week.

Nothing of this surprises me. But to hear a Unisys spokesman say the company would have to reevaluate its plans if it isn’t able to stick its name on Two Liberty?

Does anyone really think that if Unisys loses in this sign whine that that would be the reason it doesn’t move into the city?

Come on, this company is beset by challenges.

Unisys has been the incredible shrinking computer company since it was formed in 1986 by Burrough Corp.’s acquisition of Sperry Corp. At $5.7 billion, it generates $4 billion in revenue less than it did 20 years ago. Over the same period, the company shed 62,500 jobs to bring its current global workforce to about 30,000.

And if you read the transcript of Wednesday’s conference call with analysts, the company is likely to get smaller.

“We recognize that to succeed in today’s market, we need to either be very big and highly diversified or else smaller and highly focused,” said Unisys CEO Joseph W. McGrath. “We believe the best path forward is the latter one, to build on the work we have done and further focus and refine our business model.”

If getting smaller and more focused makes Unisys more profitable, that’s great. But after 20 years, it hasn’t figured out what it’s really good at? Given some of the comments by McGrath on that call, it still sounds like it’s trying to come up with the right strategy.

I can understand brand-building, and that’s part of why Unisys wants to be in Center City. (How many times can management entertain clients at Alison at Blue Bell, right?) But lots of opponents of the Unisys sign see Philadelphia’s “brand” trumping this corporate one.

I think some of the opposition has blinders on to have missed all of the corporate logos that have been affixed to buildings around the city.

But whatever the zoning board decides, it’s going to be fascinating to see what Unisys does. If it loses, will it quietly press ahead with the move into the city? Or will it move to Radnor next to Lincoln National Corp., which moved its headquarters and 400 jobs out of Center City in 2007?

If it wins, will its branding effort be seen as innovative or annoying to the other corporate elite around town? If it wins, does it really lose?

Wednesday, July 23, 2008

Remote Remittance Capture Grows

By Mark Brousseau

While some lockbox providers have been disappointed by what they see as sluggish demand for their remote remittance capture solutions, Chris Rohner (, national remittance sales at Jacksonville, Florida-based Fidelity National Information Services (FIS), says the demand and volume has met her company’s expectations. FIS has about 20 financial institutions doing some form of remote remittance capture, Rohner told me.

The thing to keep in mind, Rohner notes, is that distributed capture isn’t for every lockbox client. “It works well when the customer has remote locations with walk-in payments, and they don’t want to be bothered completing the transaction,” Rohner said. “A good example of this is tax processing, where a municipality might have a lockbox, but also accepts walk in payments. At the end of the day, they want to receive one file and one set of reports. This is ideal for distributed capture.” In addition to municipalities, Rohner said FIS is seeing strong demand for its distributed capture solution from utilities and property management firms.

And she expects interest to pick up as FIS rolls out flatbed scanning capabilities for supplemental remittance documents. Today, the company only captures checks and coupons, with MICR and OCR read technology. It also offers a remote deposit capture solution to automate check deposits to a bank, and a consumer capture solution, as well. “We do a lot of due diligence before recommending a distributed capture solution,” Rohner told me.

How would you describe demand for remote remittance capture?

Post your comment below.

Data Capture Drives Marketing

By Mark Brousseau

Desperate to build stronger, longer lasting relationships with their customers, companies are turning to one-to-one marketing, a customer relationship management (CRM) strategy that emphasizes personalized interactions with customers over mass marketing. And automated data capture can play a key role in ensuring the success of one-to-one marketing initiatives, says Bill Welling, an account director for CDS Global (

While the term itself is fairly new, Welling said one-to-one marketing is really a throwback to the days of the neighborhood store, where the owner made it a point to know your name, your likes and dislikes, your shopping habits and a few other things that made the relationship special, lasting and, yes, profitable. Welling said that as people’s lives become increasingly busy, the cookie cutter, ‘one size fits all’ sales model has quickly become outdated and ineffective.”

“What we are talking about here is Relationships 101,” Welling said. “And data capture helps organizations get at valuable customer information faster and cheaper. Using data capture, a company can know the return address on a customer’s check, who signs the checks – meaning, who likely makes the buying decisions – and the customer’s buying habits.” This type of information can then be used to tailor product offers to customers, he said.

“Data capture is a fact-finding tool that helps ensure that companies are providing the best customer service, in terms of the products they offer,” Welling said. “By capturing key data from customer remittances, companies can position themselves in the best possible light.” And with the move to one-to-one marketing, Welling said this is critical, as companies will increasingly focus on the quality of customer data, rather than the quantity of it.

How is data capture driving your marketing?

Post your comment below.

ECP Implementation Tips

By Mark Brousseau

Electronic check presentment (ECP) is becoming an increasingly important part of the lockbox services mix. With electronic clearing, billers can achieve significant benefits when processing their receivables through a lockbox, including reduced deposit fees, faster funds availability, improved collections, later deposit windows, and streamlined returns handling.

But like any other business process change, electronic clearing requires billers to consider the potential operations and customer service impact of implementing the technology, or they might find its benefits to be elusive. That’s according to Lesa Brooks, general manager, Data Capture Services, Western Region for CDS Global ( An early adopter of ECP, CDS Global electronically deposits checks to four major financial institutions on behalf of several dozen lockbox clients, Brooks recently told me.

The first consideration, Brooks said, is ensuring that the biller has the right banking partner. “Billers need to make sure that their bank is experienced with the process,” Brooks said. “Most of the larger banks have teams dedicated to implementing ECP projects. They have the process down pat, and their fees are usually much lower. But we have seen cases where clients have worked with a local bank that is unfamiliar with ECP and it has made the process more confusing. Local banks might also have higher fees since they are working a vacuum.”

And deposit fees are a key consideration, Brooks said. Billers should expect banks to pass along some of the internal cost savings they achieve from electronic clearing. “But fees for ACH conversion, on-us items, check image exchange, and substitute check printing are all over the board, so it’s a good idea to shop around. In general, ECP fees are coming down.”

Billers should also make sure that their lockbox provider is experienced with ECP, Brooks said. Billers need to determine whether their provider allows for the use of multiple banking partners; whether the lockbox provider can handle opt-outs for ACH conversion; and whether the lockbox provider can customize X9 files to allow the deposit record to be marked based on the type of deposit (Check 21, ARC, BOC). “If your lockbox provider isn’t experienced with ECP, and it doesn’t offer flexibility for managing the process, it can add a significant amount of time to development and testing, as well as higher upfront costs,” Brooks said.

Another consideration for billers is whether to use ACH conversion or just Check 21. Depending on the biller’s business, it can be a no-brainer (utilities) or more complicated (non-profits), Brooks said. Once the biller determines it will use ACH conversion, it must consider how to handle customer notification for ARC conversion. Billers must think through what to say (and get the necessary approvals), where to put it, and whether to include a toll-free number for opt-outs. They must also leave time for printing. “Finding the space in customer mailings to put ARC notifications has been the biggest implementation delay, hands down,” Brooks said. Since this notification needs to be made 30 days prior to going live, Brooks said this task should be near the top of a biller’s implementation project list.

Similarly, billers must plan to educate their customer support staff on ECP. “Consumers still have questions about whether their check was cashed,” Brooks said, noting that checks presented via ACH look different on a consumer’s bank statement. “This is an especially big issue for non-profits and direct mail companies.” Customer service reps must understand that converted items might appear in a different location on a consumer’s statement. “We’ve chased our tails researching whether an item was processed, only to discover that the consumer was not looking in the right place on their statement,” she said. As part of their customer service planning, billers should also think through returned item handling.

Have any tips for implementing ECP at the lockbox?

Post your tips below.

Thrivent Plans Online Bill Pay

Posted by Mark Brousseau

If you’re among the nearly 75 percent of Thrivent Financial members who mail in account payments, a new payment features may change the way you pay your premiums.

According to the most recent issue of Thrivent magazine, Thrivent Financial is introducing a feature that allows members to make online payments for their traditional, universal and variable universal life contracts; fixed and variable annuities; and disability income, long-term care and Medicare supplement contracts. Members also can make a purchase into their existing mutual fund accounts.

As an added benefit, the system allows members to quickly submit a payment in a “just in time” situation to avoid the potential lapse of a contract due to nonpayment.

The online payment feature will be available this summer and can be accessed through

Tuesday, July 22, 2008

School Data System Flunking Out

Posted by Mark Brousseau

An interesting article from The New York Times:

Crucial Data on Graduates Is Elusive


The Class of 2008 has already tossed aside caps and gowns for swimsuits and tank tops. The Class of 2009 has begun dreaming of proms, diplomas and exit strategies. But the public has yet to learn what percentage of New York State’s Class of 2007 actually graduated from high school.

Blame the state’s new data system, which is expected to cost $39.4 million over six years. Tom Dunn, a spokesman for the state’s Education Department, acknowledged that the system had been “not completely successful” in uploading and processing information from New York’s 695 school districts. He said the move to a single data repository had “caused a number of problems.”

“Those problems are being corrected now,” Mr. Dunn said, adding that the state was in the process of verifying numbers with school districts and expected to release 2007 graduation rates by the end of the month. (Rates for 2008, he said, would be released in February.)

Of all the statistics that increasingly figure into public debate about schools, graduation rates are widely considered among the most crucial indicators of whether a system is working. They are watched with particular urgency in New York City, where the low but slowly climbing graduation rate was a contentious topic during the 2005 re-election campaign of Mayor Michael R. Bloomberg.

For years, the city and state have used different criteria to calculate the graduation rate, and the discrepancy has caused tension among city and state officials and confusion among parents. In 2006, the state said that 50 percent of the city’s seniors had graduated, while the city said 59 percent.

(The state announced 2006 graduation rates in April 2007 — just as the Class of 2007 was suffering late-stage senioritis.)

The new data system was supposed to resolve those differences, with officials in Albany and New York City agreeing to release a single number. Or, as it has turned out, to not release it for a long time.

“Asking the public to be patient here is simply not an answer,” said Merryl H. Tisch, a member of the State Board of Regents, who described the delay as “frustrating and intolerable.”

“I think the public should frankly demand more timely testing results and more timely graduation data,” she said, “because, after all, they’re being asked to invest an enormous amount of money in the system.”

Ms. Tisch said she faulted the state’s Education Department, some local school districts that failed to properly report their data, and McGraw-Hill, whose Grow Network subsidiary is responsible for part of the new data system and is expected to receive $13.3 million over six years for that work.

Kelley Carpenter, a McGraw-Hill spokeswoman, said in a statement that the Grow Network was primarily responsible for the “reporting part of this system” but was “not involved in data entry and collection.”

“We will continue to work with the state to generate reports as data is made available,” she said.

David Cantor, a spokesman for the city’s Department of Education, said the city had given the state the required information in a timely fashion. “Obviously, we’d have liked the numbers sooner,” he said of the graduation rates, adding, “It’s very tough to run a data system of this size smoothly the first time.”

New York, which began creating the new data system several years ago, is among a number of states that have invested millions recently to computerize school information, to meet the requirements of the No Child Left Behind law and, more broadly, as part of an increased focus on educational accountability.

New York’s new system assigns every student in the state an identification number so they can be tracked throughout their educational careers, even if they switch schools or districts. The system keeps track of test scores and attendance as well as graduation numbers.

Mr. Dunn, the State Education Department spokesman, said that the problems leading to the late release of the graduation rates were not specific to McGraw-Hill’s Grow Network, but that the company had “a share” of responsibility.

“There’s just an enormous amount of new information that’s moving through here at all areas,” Mr. Dunn said. “The new volume has created challenges, from people having to fill out different forms to different verifications and all of the multiple steps involved.”

In an e-mail message to school superintendents this month, Jean C. Stevens, an associate state education commissioner, pointed a finger at school districts, saying that while calculating graduation rates, the state had identified many districts with possible data-reporting problems.

“Many districts may have misreported graduates,” she wrote. “In some cases no graduates were reported.”

Betsy Gotbaum, the New York City public advocate, noted that the city Department of Education’s own $80 million data system, developed by I.B.M. and called ARIS, has been criticized by principals and teachers as cumbersome and difficult to use, even as parents have questioned its hefty price tag.

“We have already seen with ARIS here in the city how expensive and flashy computer systems are turning out to be clunky and flawed,” Ms. Gotbaum said in a statement. “The longer we have to wait for these data systems to produce results, the more skeptical people become.”

Mr. Cantor said the city was improving ARIS. “While it did not come out of the box perfect,” he said, “we got an awful lot of information to a large number of people.”

Jane Hirschmann, the founder and a co-chairwoman of Time Out From Testing, an antitesting group, said the information delay was “just typical” of how the city and state education departments “are spending our taxpayer money with absolutely no results.”

“It would be much better to put money in the classroom and keep track of what’s really important,” Ms. Hirschmann said. “This is the administration of testing and data collection. As far as parents are concerned, we don’t buy it. We don’t think our children are better because of it.”

Cybercrooks Target Online Banking

Posted by Mark Brousseau

An interesting article from USA Today on the latest wave of cybercrime:

Russian cybercrooks target high bank balances online
By Byron Acohido, USA TODAY

Call them the Coreflood Gang. A ring of cyber bank robbers from southern Russia has quietly perfected a way to get a beachhead inside company networks.

Once inside, it infects every PC within reach with a custom-made data-stealing program called Coreflood. The goal: go rip off bank accounts online.

Over the past 16 months, the Coreflood Gang has infected swaths of PCs inside thousands of companies, hospitals, universities and government agencies, says SecureWorks researcher Joe Stewart, who has tracked and documented the spread of Coreflood over that period.

"It's spying on you, capturing your log-ons, user names, passwords, bank balances, contents of your e-mail," Stewart says. "It can capture anything."

Coreflood is part of a class of malicious software, called banking trojans, designed primarily to help crooks break into bank accounts online. The number of banking trojans detected on the Internet this month topped 24,800, up from 3,342 at the start of 2006, security firm F-Secure says.

An infection usually starts when you visit a Web page implanted with a snippet of malicious coding. By simply navigating to the tainted page, your browser gets redirected, unseen, to a hub server that downloads the data-stealing program onto your hard drive.

Dozens of gangs specialize in banking trojans. They have it much easier than phishing scammers, who must lure victims into typing sensitive data on spoofed Web pages, says F-Secure researcher Patrik Runald.

"This is very organized crime," Runald says. "These gangs are hiring people and making tons of money."

The Coreflood Gang is among the most sophisticated. Stewart recently analyzed 500 gigabytes of stolen data stored on a rented hub server. He pinpointed 378,758 Coreflood infections inside thousands of organizations, small and large.

A workplace PC can get a new infection each time someone logs on. The most infections: a county school district with 31,425, a hotel chain with 14,093 and a health care company with 6,744. About 230 networks turned up with 50 or more Coreflood infections, while 35 networks each had 500 or more.

Gang members cull the stolen data for log-ons and account statements, especially bank accounts online with high balances. Next, they log into the accounts and make online cash transfers into "drop" accounts they control.

After having two hub servers shut down by the tech security community in May, the Coreflood Gang rented two new hubs and picked up where they left off. Today, they continue operations unimpeded, says Stewart.

Companies infiltrated by the Coreflood Gang need to rethink how they do network security. Employees surfing the Internet on work PCs ought to take pause. "If you don't understand the threats that are out there, then you probably should not be banking online," Stewart says.

Monday, July 21, 2008

Address Quality Is Critical

By Mark Brousseau

For direct mail marketers, soaring postage costs are putting an even greater emphasis on the quality of mailing address information. That’s according to CDS Global (, a leading provider of outsourced services to publishers, retailers, non-profits, financial institutions and other organizations.

USPS statistics state that approximately 8 percent of direct mail is classified as undeliverable due to the inaccuracy of data found in direct mail files, CDS noted. Complicating matters: there are over 41 million individual and family change of address (COA) filings every year – 2 ½ times the number of annual visitors to Walt Disney World’s Magic Kingdom. In addition, 2.3 million businesses file a COA each year. With this in mind, it’s not surprising that mailing lists deteriorate by more than 1 percent per month.

The effects of poor address quality are staggering: Undeliverable as addressed (UAA) mail costs marketers more than $6 billion annually, according to CDS Global. With an eye toward solving this, effective November 23, 2008, all pieces of standard mail will be required to utilize a move update service to ensure that mailing addresses are up-to-date and deliverable. In addition, CDS Global is offering several services to help direct mail marketers ensure the quality of their mailing lists.

How big a challenge is mailing address quality to your organization? Post your comment below.

Friday, July 18, 2008

ARC Demand Remains Strong

By Mark Brousseau

If you think soaring check-image exchange volumes have tempered interest in Accounts Receivable Check (ARC) Conversion, think again. ARC remains one of the most popular payment methods, registering steady volume increases every quarter, says US Dataworks, Inc. President and COO Mario Villarreal ( Industry statistics from NACHA back Villarreal up.

“Organizations with historically high volumes of B2B transactions – such as insurers and BPO providers – are showing the most interest in ARC,” Villarreal told me, noting that ARC remains the most cost-effective and operationally efficient way to handle payments.

Strong demand for ARC also is being driven by the number of low-volume B2C processors that are outsourcing their in-house operations to third-party providers who use ARC as part of their clearing.

But ARC’s growth isn’t coming at the expense of image exchange, or vice versa. In fact, users are recognizing the benefits of combining ARC and Check 21 in their operations.

“Image exchange has been used to enhance ARC because it completes electronic deposits that aren’t eligible for ACH conversion,” Villarreal told me. “The complementary relationship between image exchange and ARC commoditizes deposits, leading to a need for least cost routing/best fit clearing.”

And it’s this least cost routing/best fit clearing approach that really has Villarreal excited.

He said that most organizations recognize the immediate financial benefits of leveraging both ARC and check image exchange for clearing. But he thinks more education needs to occur on the additional benefits that can be realized when organizations break down their silos and eliminate disparate payment channels and hubs, to combine transactions and process them electronically.

“It’s not just about being able to process an ARC transaction,” Villarreal said. “It’s about what else your system can do to optimize payments processing. For example, an enterprise payments solution allows organizations to consolidate business processes and gain operational efficiencies.”

Despite the strong growth of ARC, Villarreal notes there are holdouts: “They tend to be processors who have high volumes of B2B transactions that aren’t eligible for ACH conversion. But as these processors take on more consumer work, they inevitably have to search for ARC solutions.”

What is happening to your organization’s ARC volumes? Post your comment below.

Monday, July 7, 2008

ATM Hack Reveals Security Woes

Posted by Mark Brousseau

An interesting article from the Associated Press about ATM security challenges:

Citibank ATM breach reveals PIN security problems
The Associated PressTuesday, July 1, 2008; 4:39 PM

SAN JOSE, Calif. -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs -- the numeric passwords that theoretically are among the most closely guarded elements of banking transactions -- by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed be sacrosanct _ what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.

A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.

All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines -- which means they had carte blanche to grab information -- through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice -- sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.

"This was fairly large, but I don't think it's anything out of the ordinary -- these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."

The alleged plot is outlined in court papers supporting the prosecution of three people _ Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.

"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.

Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.

"Fiserv," she said, "is confident in the integrity and security of our system."

Social Security Goes Electronic

Posted by Mark Brousseau

An interesting article from The Philadelphia Inquirer:

Social Security offering a debit-card option
By Harold Brubaker
Inquirer Staff Writer

Social Security recipients who receive paper checks because they do not use banks have a new way to get their money.

The U.S. Treasury Department said yesterday that it would begin pitching its new Direct Express debit card to 2.4 million beneficiaries from Maine to Virginia. Information about the card will come with this month's checks.

These recipients include nearly 250,000 people in Philadelphia and surrounding counties in Pennsylvania and about the same number in New Jersey.

"You can easily use this card to manage your money every month with no fees," said Judith R. Tillman, the commissioner of the department's Financial Management Service.

The card is designed to prevent lost checks, thwart check thieves, and save cashing fees that average $6 per check, she said.

Most Social Security recipients receive benefits by direct deposit into their bank accounts. Those without bank accounts typically use check-cashing firms.

The debit cards, issued by Comerica Bank of Dallas, allow users to track their spending at no charge on a Web site or through an automated telephone line. It costs 75 cents a month to get a paper statement. The system will not allow a card user to withdraw more than the available balance. That means there are no overdraft fees, which bedevil many elderly bank customers.

"It seems like a pretty good product," said Leslie Parrish, a senior researcher in the Washington office of the nonprofit Center for Responsible Lending.

"It eliminates the need to go to a check casher, but it also has a leg up on regular bank accounts if people are worried about overdrafting through a debit transaction," she said.

Tillman said her agency sends 489,000 Social Security and Supplemental Security Income checks to Pennsylvania every month, including 241,000 to Philadelphia and the surrounding area. In New Jersey, the figure is 263,000. She did not have a breakout for South Jersey.

If all four million people nationwide who receive Social Security or disability benefits but do not have bank accounts were to sign up for the debit card, taxpayers would save $42 million a year, said Tillman, a graduate of Glassboro State College, now called Rowan University.

The Treasury sent 59.1 million Social Security and disability payments in May. All but 10.5 million of them were deposited directly into bank accounts. The debit card is available to anyone who receives those benefits.

Social Security and Supplemental Security Income recipients may sign up for the card by calling toll-free 1-877-212-9991 or visiting

Wednesday, July 2, 2008

IRS Wants Payment Information

Posted by Mark Brousseau

An interesting article from the Washington Business Journal:

IRS may get reports on credit card payments
Kent Hoover, Washington Bureau Chief

Congress is on the verge of requiring payment card processors to tell the Internal Revenue Service how much money merchants receive through credit card and debit card transactions.

The Bush administration thinks this kind of third-party reporting of revenue would encourage more businesses to report their income accurately.

This could help close the tax gap -- the difference between what the government is owed in taxes and what it actually collects.

Congress views the requirement as an easy way of raising revenue to pay for other tax cuts or additional government spending. It estimates the proposal could raise nearly $10 billion over 10 years.

Under pending legislation:

... Financial institutions that reimburse merchants for credit card or debit card purchases would report annual payments for each merchant to the IRS

... These payment processors would be required to validate the Taxpayer Identification Number (TIN) for each merchant

... If the TIN couldn't be validated, the payment processors would be required to withhold taxes from the merchant

... These requirements also would apply to third-party organizations, such as PayPal, that serve as intermediaries for purchases. In this case, reports would not have to filed for merchants who have $10,000 or less in transactions or 200 or fewer transactions.

Both the House and the Senate included the reporting requirement as a revenue raiser in separate bills that appear headed for passage: House legislation to shield 21 million taxpayers from the alternative minimum tax (H.R. 6275) and Senate legislation to help homeowners and the housing industry (H.R. 3221).

The new requirement, however, couldn't help fund both bills, so the House and Senate would have to resolve this issue before the reporting rule could become law.

This gives small business groups and credit card processors more time to fight the requirement. They contend the proposal would be costly to implement and lead to unfair audits of small businesses that report their income accurately.

It may be too late to stop the requirement, however.

"This becomes very difficult to defeat because of the fact it's become an item that's accepted as a valid revenue raiser that can be used," said Giovanni Coratolo, director of small business policy for the U.S. Chamber of Commerce.

The appeal of the reporting requirement was summed up by Sen. Max Baucus, D-Mont.

"This proposal does not raise taxes on anyone," said Baucus, who chairs the Senate Finance Committee. "These information reports would just cause people to file more accurate returns."

Proposal costly for businesses
Opponents of the proposal doubt it would raise much revenue, however. Credit card receipts already show up on a merchant's bank statement, so tax cheats aren't likely to underreport this income, said Kristie Darien, executive director of the National Association of the Self-Employed.

The legislation, however, would require credit card processors to withhold taxes on payments to a merchant whose taxpayer identification number (TIN) couldn't be verified. But there are bound to be errors in the TIN verification process, Darien said, meaning some small businesses could have 28 percent of their credit card reimbursements withheld until the errors are corrected.

That could "put a severe strain on millions of American families counting on a self-employed breadwinner," she said.

Credit card processors said the proposal would cost them millions of dollars as well.

"Our systems do not currently track merchant payment transaction to TINs, and it will be extremely expensive and time-consuming to reprogram our systems to comply with the new mandates," said Kim Stubna, director of public policy for First Data Corp., a Denver-based processor of electronic payment transactions.

Small businesses fear these costs would be passed on to them through higher fees.

Donald Boeding, general manager of merchant services for Fifth Third Processing Services in Cincinnati, said the requirement "will likely strain the relationship between payment processors and merchant customers." Some merchants might decide that accepting credit cards is no longer worth the hassle. A move to cash would make it "less likely that the IRS will be able to track taxable income," he said.

IRS to profile businesses?
Small business lobbyists fear the IRS would use the reports to create industry profiles and audit small businesses whose credit card usage deviated from the norm.

That is "enormously concerning to us" because of "the great diversity" among small businesses, said Todd McCracken, president of the National Small Business Association. A difference in credit card usage "doesn't mean anything funny is going on," he said.

Plus, a company's actual revenue from credit card transactions would differ from what is reported because of chargebacks, returns, refunds, deposits and cash back on debit card purchases.

Yet small businesses could be audited "for no good reason" on the basis of these reports, McCracken said.

Coratolo said Congress would reject this type of profiling if individuals, not businesses, were being targeted.

"This is the camel's nose under the tent," he said.

Treasury Department spokesman Andrew DeSouza said he "wouldn't speculate" on what the IRS would do with this credit card data. But he said businesses also would get a copy of the reports, which would help them file accurate tax returns.

Data Breaches Rising

Posted by Mark Brousseau

An interesting article from the Washington Post on the rising number of data breaches:

Data Breach Reports Up 69 Percent in 2008
By Brian Krebs

Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts.

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total) government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

While the share of breaches due to data on the move fell nearly eight percent from last year, that slack was picked up by insider theft. Data breaches due to information stolen by someone inside the company increased from just six percent of the total in 2007 to nearly 16 percent so far this year. Another 13.5 percent of breaches came from subcontractors who lost or stole their clients' customer data.

The 342 breaches the ITRC studied from this year involved almost 17 million consumer records. But ITRC founder Linda Foley said the true number of records jeopardized by those breaches is likely far higher, because in nearly 40 percent of the breaches the affected entity has not yet disclosed how many consumer records were lost or stolen.

Some 44 states and the District of Columbia now have laws requiring entities that suffer a data loss or breach to alert affected consumers (according to the ITRC, the states without data breach notification laws are Alaska, Alabama, Iowa, Kentucky, Mississippi and South Dakota). But Foley said only three states -- Maryland, New Hampshire and Wisconsin - require reporting to state officials and routinely publish that information online.

Breach notices filed with those three states have in many cases amounted to the first public disclosure of data breaches, but they also expose the gaps in those disclosure laws, Foley said.

On June 9, for example, the United Transportation Union Insurance Association notified the Maryland Attorney General that the loss of an undisclosed number of laptops jeopardized the names and Social Security numbers of 394 Maryland residents. However, the association has not yet said how many consumer records from all states were included on the missing laptops.

On May 8, Saks Inc. notified Maryland that the theft of four laptops had resulted in the loss of the name, address and Saks Fifth Avenue credit card numbers belonging to 2,391 Maryland residents. Saks similarly told the New Hampshire Attorney General's office that the breach affected 163 of that state's residents. Saks has not yet said how many customers nationwide may have been impacted by the lost laptops.

While a data breach may be reported as a single incident, it often masks the true number of institutions affected by the incident. This is most often the case with contractor breaches, such as one first publicly reported to the Maryland Attorney General's office on June 13. That notification was sent by attorneys for technology news media outlet CNET Networks, who said they were told that computer equipment stolen from Colt Express Outsourcing Services Inc., a California company that administers benefit plans to businesses across the country, resulted in the loss of records bearing the names, dates of birth and Social Security numbers of 6,500 CNET current and former employees and dependents.

Colt officials have declined to say how many total consumer records may have been affected, but several other businesses have reported receiving notifications from Colt over the past few weeks.

"It's a little like if you see a major pileup on the freeway, there's that one car that caused the whole accident, and then there are bunch of other innocent third parties that are affected due to the domino effect," Foley said.