The Green Sheet Online Edition

July 25, 2011  •  Issue 11:07:02


Michaels breach reveals gray areas

By Nicholas Cucci

When Michaels Stores Inc. reported a tampering scheme involving POS pads used to key in customer personal identification numbers, it was initially thought to be isolated to select stores in the Chicago vicinity. However, upon further investigation it was discovered that nearly 90 stores in 20 states from Rhode Island to Washington were ultimately impacted by the data breach.

Michaels learned of the breach in May 2011, when it was notified about possible debit card fraud related to several of its stores in the Chicago area. It was later confirmed that Payment Application Data Security Standard (PA-DSS) certified PIN pads deployed in Michaels' stores had been swapped out for pads equipped to skim card data. Cards may have been skimmed as far back as December 2010. As a precautionary measure, Michaels removed about 7,200 PIN pads from 964 of its U.S. stores and replaced them two weeks later.

Several Chicago area banks responded by freezing customer bank accounts potentially exposed in the breach. Marquette Bank, which operates 24 branch locations in the Chicago region, told the Chicago Tribune about 1,900 bank customers were potential victims of the fraud scheme. Chicago Credit Union also posted a website notice instructing members to report any fraudulent ATM activity related to their accounts and originating in California, where illegal card activity had been reported.

In the aftermath of the Michaels breach, police in Beaverton, Ore., enlisted the public's help in identifying four suspects who were caught on camera using fake, or white, cards created from card data skimmed at Michaels' stores. The suspects are believed to be from a larger crime organization, involving multiple crews working in numerous geographical regions and moving quickly. No arrests have been made in the case, which is under investigation by the U.S. Secret Service.

Patchwork of state laws problematic

With the recent surge in data breach incidents, inconsistencies in state laws pose a challenge for retailers seeking to implement a universal plan for their operations. Curious about the variations that exist in state laws governing breaches, I set out to answer the following questions:

What are some of the state laws governing merchant data breaches? What is an acceptable time frame for breach notification? What penalties, if any, exist for failure to disclose breaches? What types of incidents are exempt from notification requirements? Below is a summary of current data breach laws in the four states I researched:

PCI DSS only a partial solution

Protecting personal data has long been a concern of the credit card companies, which combined resources to form the PCI Security Standards Council. The council's role is to ensure that merchants of all stripes are held responsible for meeting defined data protection standards.

The standards set forth by the council cover six large principles, and a total of 12 requirements to meet those principles as part of an effective security plan. The six principles are as follows:

  1. Build and maintain a secure network: A properly secured network must have a firewall that protects cardholder data, and any vendor-supplied default passwords must be changed.

  2. Protect cardholder data: Stored customer data must be protected, and that data must be encrypted when it is transmitted across public networks.

  3. Maintain a vulnerability management program: Anti-virus software must be used and kept up to date, and systems and applications must be developed and maintained securely.

  4. Implement strong access control measures: Not all customer data is available to everyone in the business; instead, access should be controlled on a need-to-know basis. Also, everyone with access to sensitive data must be identified with a unique ID, and physical access to cardholder data must be controlled.

  5. Regularly monitor and test networks: Networks must be properly tested on a regular basis for security and access, and cardholder data access must also be monitored.

  6. Maintain an information security policy: A policy that addresses information security must be maintained at all times.

Time for a national policy

Breach notification laws remain a gray area for the payments industry. Forty-six states have breach notification laws, but the laws across states lack uniformity as well as enforcement.

In 2009, Missouri enacted some of the nation's most stringent data protection measures to date. According to Missouri law, the customer's last name and full first name or first initial, in combination with the Social Security number, driver's license number or any other identifying number (such as credit card, bank account, routing code) and passwords or access codes, must be protected.

If this data is breached, notification must be made in the event that identity theft is deemed a possibility, or violators face a $150,000 fine per incident.

In Illinois, where Michaels' stores were hit hardest by the PIN pad scheme, state notification laws require companies to notify consumers whose personal information has been compromised within a reasonable period. Similarly, in Texas, where Michaels is headquartered, state law requires companies to notify consumers as quickly as possible.

Earlier this year the Obama administration proposed the adoption of a data breach notification policy that would supersede state laws. The federal proposal stated, "The FTC would be responsible for enforcement, along with state attorneys general, who could take civil action against violators. Civil penalties would total up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million a violation, unless such conduct is found to be intentional."

In light of the 20 different sets of state laws the nationwide retailer is obliged to follow, is the Michaels case one that requires customer notification? Will the actions taken by Michaels be enough to satisfy growing public concern over personal identity and data protection issues?

Finally, should there be a national data breach policy? Have we reached a tipping point where a national policy may be necessary to defend against an increasingly pervasive criminal element? What do you think?

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
