The Green Sheet Online Edition
August 27, 2007 • Issue 07:08:02
Knock fraudsters down with knowledge
If information is knowledge and knowledge is power, fraudsters who steal card account information must consider themselves pretty powerful.
"Data can be monetized and the bad guys know it," said Larry Ponemon, Chairman and founder of the Ponemon Institute, a data security think tank.
Some corporate victims of card data theft, meanwhile, must be feeling rather impotent as they struggle to come to grips with the sheer enormity of the problem.
Firms like TJX Companies Inc., the national retailer that's been making headlines for what authorities say is the largest data heist to date: information on nearly 46 million credit and debit card accounts pilfered over a 17-month period.
The company (which runs national chains like TJ Maxx and Marshalls) was forced to post an after-tax charge of $118 million for its second fiscal quarter, or about $0.25 a share on net sales of $4.3 billion.
The charges come on top of $25 million in after-tax losses reported by TJX for the previous two fiscal quarters. In a statement released in August, the retailer said it expects to take a $21 million hit against earnings during its next fiscal year as a consequence of its well-publicized breach.
If that doesn't grab you, maybe this story will. In February 2007, the owners of Spanky's Marshside, a restaurant in Brunswick, Ga., discovered, to their chagrin, that cyber-thieves had been pilfering customer card data from their POS system for six months or more.
They had no idea they possessed the data. It was stored in an unused portion of a PC hard drive.
The cost: $10,000 for a forensic audit to determine the extent of the breach, according to Carla Yarborough, co-owner of the 30-year-old eatery. That was just the start.
What unfolded at Spanky's was not atypical.
The onerous toll of breaches
AmbironTrustWave, a Chicago firm that provides data security and compliance management services to businesses, estimates that 60% of data compromises involving merchants can be traced to reliance on an outdated version of third-party software.
TJX and Spanky's Marshside are not alone. Nor is the problem of data theft something retail businesses, alone, need to be concerned about.
The Privacy Rights Clearinghouse (www.privacyrights.org), a nonprofit group that tracks data breaches, lists scores of breaches that have occurred since 2005 -- breaches affecting more than 159 million U.S. residents' records.
Plenty of banks are on the list. Government agencies, too, like the Federal Deposit Insurance Corp., the Federal Trade Commission and the Justice Department.
TowerGroup, the MasterCard Worldwide-owned research firm, estimates that the number of personal data records lost in breaches grew 50% during the first seven months of this year.
The financial costs of such breaches are high. In addition to audits and the cost of legal counsel, fines assessed by the card Associations work out to $20 to $30 for each compromised account, according to analyst estimates.
And, of course, as any merchant who has been hit with excessive chargebacks can attest, the acquirer can freeze funds in a merchant's account to cover losses (actual and anticipated) in these situations.
The costs associated with the loss of customer and public trust also can be substantial. A recent survey of businesses by the Ponemon Institute revealed that at least 85% had suffered data breaches.
Here's a breakdown of the costs those companies were said to have incurred: 74% lost customers; 59% faced potential litigation; 33% faced potential fines; and 32% saw a decline in share value.
Perhaps even more troubling, the survey found 46% of companies that experienced data breaches had not implemented encryption technologies on portable devices, which are arguably the weakest links in most network configurations.
"Encryption is the single most effective way to avoid the negative business impact of data breaches," said Robert Scott, Managing Partner, Scott & Scott LLP, a Cambridge, Mass., firm specializing in IT compliance, which commissioned the study.
An important job to tackle
So, why all the foot-dragging on data security? It should be in the best interests of all parties -- merchants, acquirers, issuers, card companies, and you, as ISOs and merchant level salespeople (MLSs) -- to ensure across-the-board compliance. Unfortunately, far too few people truly understand what's at stake: nothing short of the crown jewels of this industry.
Trust and data are the value acquiring businesses bring to the payments arena; the two cannot be separated. And they cannot be left to happenstance. Fortunately, individuals and organizations are waking up to the situation and developing tools that can help educate merchants and other businesses. The card Associations have resources available through their Web sites.
Also, the Retail Solutions Providers Association (RSPA), an association of retail technology and services providers, is distributing a 12-minute video on Payment Card Industry (PCI) Data Security Standard compliance that features interviews with experts and victims.
Yarborough, who is featured on the video, voiced this warning: "You don't have a choice. You can take the risk if you want to, but I'm sitting here as a witness to tell you it can happen and damages could far outweigh the cost of your point-of-sale system."
The video "Are You at Risk" can be ordered on DVD from the RSPA's Web site at www.gorspa.org. It would be a valuable addition to any MLS toolkit. The RSPA is selling copies at cost, making it worthwhile to order extra copies to give to clients and prospects.
Consider it an investment in your business, and in the future of the payments industry. It's been said numerous times before, but it merits repeating: Your job is far more than sales.
To excel, you need to be a consultant of sorts, helping clients make money by providing them with solutions that enable them to safely and efficiently access payment systems. Data security awareness is integral to this process.