Archive for February, 2009

Posted (db) in General on February-27-2009

I was reading this on MSNBC.com a short while ago:

 

A commuter in Richland, Wash., who thought he was overcharged — by $81 billion — for a tank of gas instead may have been confused by an e-mail about the transaction, his debit card company suggests.

Juan Zamora told the Tri-City Herald newspaper this week that an e-mail he received from PayPal showed a debit card transaction of $81,400,836,908, instead of the $26 worth that he said he pumped.

But a spokeswoman for PayPal, Sara Gorman, said Friday that Zamora may have been confused by a merchant identification number that appeared along with details about the transaction in the e-mail. “I can assure you that we did not charge him $81 billion,” Gorman said.

That's a lot of gas!



Posted (db) in Fraud, PCI, PIN, Point of Sale on February-13-2009


My colleague Andy Orrock writes an excellent post, "Methodology for watching PIN Pad Switches", which discusses a detective control that we put in place in OLS.Switch to detect when a PIN Pad has been changed at the point of sale, along with real-time alerting of the event.

Digital Transaction has an article here that discusses this type of attack; another summary is here and quoted below:

Investigators say the men would enter supermarkets late at night, distract the cashier and swap a PIN pad with an alternate machine that recorded each customer’s financial data. They could swap the equipment in as little as 12 seconds, prosecutors said.

After a while, the men would return, retrieve the machines and harvest the credit and debit card information. At least six supermarkets in Rhode Island and Massachusetts were targeted, and 238 people lost money.

Another consideration is the physical security of payment terminals and PIN pads, such as bolting them down, using locking stands, and performing regular inspections. See Verifone's PIN Pad Security Best Practices for more.
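The detective control described above boils down to remembering which PIN pad belongs on which lane and raising an alert the moment a lane starts reporting a different one. The following is an added example of that idea, not OLS.Switch code or anything from Andy Orrock's post; it assumes (hypothetically) that each POS transaction carries a lane id and the serial number the attached PIN pad reports, and that sanctioned replacements are logged so they do not trip the alert. The transaction stream is constructed sample data.

```python
"""Added example: detecting a swapped PIN pad from the transaction stream.

Not OLS.Switch code. Assumes (hypothetically) that every POS authorization
request carries the lane id and the serial number the attached PIN pad
reports, so an unauthorized swap shows up as a serial change on a lane
whose pad was never replaced through the change process.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    lane: str
    expected_serial: str
    observed_serial: str
    seq: int            # sequence number of the transaction that exposed the change


class PinPadMonitor:
    """Learns one PIN pad serial per lane and alerts once when it changes."""

    def __init__(self):
        self.expected = {}      # lane -> serial approved for that lane
        self.flagged = set()    # (lane, serial) pairs already alerted on
        self.alerts = []

    def authorize_replacement(self, lane, new_serial):
        """Record a pad change done through the sanctioned change process."""
        self.expected[lane] = new_serial
        self.flagged.discard((lane, new_serial))

    def observe(self, seq, lane, serial):
        """Feed one transaction; return an Alert if the pad is unexpected."""
        known = self.expected.get(lane)
        if known is None:
            # First sighting of this lane: enrol the serial as the baseline.
            self.expected[lane] = serial
            return None
        if serial == known or (lane, serial) in self.flagged:
            return None          # expected pad, or already alerted on this swap
        self.flagged.add((lane, serial))
        alert = Alert(lane, known, serial, seq)
        self.alerts.append(alert)
        return alert


# Constructed sample stream: (seq, lane, reported PIN pad serial).
SAMPLE_TXNS = [
    (1, "lane-01", "PP-100001"),
    (2, "lane-02", "PP-100002"),
    (3, "lane-01", "PP-100001"),
    (4, "lane-02", "PP-200002"),   # approved replacement, see run_sample()
    (5, "lane-02", "PP-200002"),
    (6, "lane-01", "PP-999999"),   # serial changed with no approved replacement
    (7, "lane-01", "PP-999999"),   # same unexpected pad again; no duplicate alert
    (8, "lane-02", "PP-200002"),
]


def run_sample():
    """Replay the constructed stream and return the alerts raised."""
    monitor = PinPadMonitor()
    for seq, lane, serial in SAMPLE_TXNS:
        if seq == 4:
            # A technician replaced lane-02's pad and logged it before txn 4.
            monitor.authorize_replacement("lane-02", "PP-200002")
        alert = monitor.observe(seq, lane, serial)
        if alert:
            print(f"ALERT seq={alert.seq} {alert.lane}: expected "
                  f"{alert.expected_serial}, saw {alert.observed_serial}")
    return monitor.alerts


if __name__ == "__main__":
    run_sample()
```

Only lane-01 produces an alert in the sample: lane-02's change was recorded through the change process first, and the repeat transaction on the swapped pad does not re-alert, which keeps the real-time feed from flooding while the lane is still unacknowledged.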



Posted (db) in Breach on February-13-2009

Bank Info Security has a list of Issuing Banks that were impacted by the Heartland Breach. As of this post there were 220 financial institutions impacted: See the full list here.



Posted (db) in Breach, Fraud, Visa on February-5-2009

The Merchant Account Blog has a great post, with good diagrams, on what is called Common Point of Purchase or Point of Compromise (POC). This is one method by which a merchant or processor can be identified as the breach point in a payment card fraud / compromise scenario:

(Fraud Detection diagram, from Merchant Account Blog)

Visa also has a presentation on this here:
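As an added illustration of the analysis described above (this is example code, not from Merchant Account Blog or Visa): take the recent purchase history of every card later reported with fraud, count how many of those cards each merchant has in common, and weigh each count against the merchant's overall card volume so that a very busy merchant is not flagged simply for being busy. The card histories and volumes below are constructed sample data.

```python
"""Added example: a simple Common Point of Purchase (CPP) analysis.

Not code from Merchant Account Blog or Visa. Given the recent purchase
histories of cards later reported with fraud, it finds the merchants those
cards have in common and weighs each hit against the merchant's overall
card volume, so a high-volume merchant is not blamed merely for being busy.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Candidate:
    merchant: str
    hits: int          # compromised cards that transacted at this merchant
    coverage: float    # hits / number of compromised cards
    hit_rate: float    # hits / distinct cards the merchant saw in the window


def common_points(compromised_histories, merchant_card_volume, min_hits=2):
    """Rank merchants by how many compromised cards they share."""
    hits = Counter()
    for merchants in compromised_histories.values():
        for m in set(merchants):          # count each card once per merchant
            hits[m] += 1
    total = len(compromised_histories)
    ranked = []
    for m, h in hits.items():
        if h < min_hits:
            continue
        ranked.append(Candidate(m, h, h / total, h / merchant_card_volume[m]))
    # Most compromised cards first; break ties by the share of the merchant's
    # own cards that went bad, which points at a compromise rather than at a
    # popular store.
    ranked.sort(key=lambda c: (c.hits, c.hit_rate), reverse=True)
    return ranked


# Constructed sample: card -> merchants where it was used in the look-back window.
COMPROMISED = {
    "card-A": ["M-grocer", "M-gas", "M-coffee"],
    "card-B": ["M-grocer", "M-coffee"],
    "card-C": ["M-grocer", "M-books"],
    "card-D": ["M-gas", "M-grocer", "M-grocer"],
    "card-E": ["M-coffee", "M-books"],
}
# Constructed: distinct cards each merchant processed in the same window.
VOLUME = {"M-grocer": 5000, "M-gas": 20000, "M-coffee": 80000, "M-books": 600}


def run_sample():
    """Run the analysis on the constructed data and return the ranking."""
    ranked = common_points(COMPROMISED, VOLUME)
    for c in ranked:
        print(f"{c.merchant:10} hits={c.hits} coverage={c.coverage:.0%} "
              f"hit_rate={c.hit_rate:.4%}")
    return ranked


if __name__ == "__main__":
    run_sample()
```

In the sample, M-grocer appears in the history of four of the five compromised cards (80% coverage) and has a far higher hit rate than the high-volume coffee chain, which is the pattern that singles a merchant out as the likely point of compromise; in practice the ranking is the starting point for an investigation of that merchant or its processor, not proof by itself.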



Posted (db) in mcommerce on February-5-2009


I was reading ISO&Agent this morning and read a short article about another iPhone front-end to the Authorize.net Payment Gateway. It is called Process Away – I wrote about the first one here (Credit Card Terminal by Innerfence). This one appears to have a few more features at first glance, and offers a free Lite Version (limited transaction amounts) and a full version at the Apple App Store for $19.99. The pricing of the app and that of the merchant account that they offer appears to be a better deal than Credit Card Terminal. (But you need to compare apples to apples with merchant account agreement pricing, which is an art in itself.)

Who will be the first to reach PA-DSS compliance?



Posted (db) in General on February-3-2009

The Merchant Account Blog posts about a new Visa Security Alert on its blog. These are typically posted at http://usa.visa.com/merchants/risk_management/cisp_alerts.html, but this one does not appear to be posted yet. I also received this alert earlier today via email.

This is one of the more detailed security alerts that I have seen: it includes a list of IP addresses to block, a list of malicious software and hashes to detect, and a list of 5 mitigation strategies:

  1. Configure firewalls to scan for – and block — the attached IPs
  2. Utilize a Network-based Intrusion Detection System
  3. Utilize a Host-based Intrusion Detection System
  4. Properly Segment Network
  5. SQL injection

 

Check it out here.