The Green Sheet Online Edition
April 23, 2007 • Issue 07:04:02
TJX turbulence: Time to board the PCI ship
Payment fraud is big business. But even more troubling is the notion that unless and until everyone in the transaction chain accepts this fact and takes action to remediate the problem, it only can worsen. And that's certain to erode confidence, especially consumer confidence, in retail payment systems.
Details of a data breach involving The TJX Companies Inc. drive home this point. The retailer - which operates about 2,500 stores, including T.J. Maxx and Marshalls - revealed that a data breach disclosed in January resulted in hackers stealing information on 45.7 million credit and debit cards.
Worse, the company noted in press interviews that it knows very little else about the breach.
What is known is this: Scores of stolen numbers were used to purchase at least $1 million in gift cards and make other purchases at stores in Florida.
Now, I don't know about you, but I'm happy to say I don't shop at these stores. Because, regardless of the liability protections accorded under federal consumer protection laws for unauthorized transactions, I don't like the notion of fraudsters having easy access to my personal financial information.
If this were the first such breach of data that isn't even supposed to be stored on merchant systems, it might be excusable. But it isn't.
This is just the latest outcome from a seeming lack of regard for required financial data security among merchants.
According to Visa U.S.A., only about one-third of the largest merchants in the United States were in compliance with uniform standards for safeguarding card data set forth in the Payment Card Industry (PCI) Data Security Standard.
PCI is common-sense data security. The most salient requirement: Don't store sensitive transaction information at merchant or processor sites. Yet, most of the breaches to date have resulted from improper storage of card and transaction data.
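The requirement above, turned into a check a merchant or processor could run against its own systems, as an added example that is not part of the original article: a small Python scanner that flags stored records holding full card numbers (validated with the Luhn check so random digit runs are ignored) or raw magnetic-stripe track data, the kind of transaction data the article says should never be kept. The sample records, file names and values are constructed.

```python
import re

# Constructed sample records standing in for files found on a merchant system.
SAMPLE_RECORDS = {
    "orders.log": "2007-04-01 order 88123 card 4111 1111 1111 1111 approved\n",
    "swipe_cache.dat": ";4111111111111111=0912101?\n",   # raw track 2 data
    "phones.csv": "1234567890123456,1234567890123\n",      # digit runs, not PANs
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 looks like %B<PAN>^NAME^...; track 2 looks like ;<PAN>=<YYMM>...
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(text: str):
    """Return (kind, masked value) for each likely PAN or track-data hit in text."""
    hits = []
    for _ in TRACK_RE.finditer(text):
        hits.append(("track", "<track data>"))   # never echo the captured stripe
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_records(records: dict) -> dict:
    """Map each record name to its findings, omitting records with no card data."""
    report = {}
    for name, body in records.items():
        hits = find_card_data(body)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {hits}")
```

Only the last four digits of a hit are reported, so the scanner's own output does not become another copy of the data it is meant to find.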
"More than ever before, consumers are demanding that the businesses with which they transact will deliver on their expectations of iron-clad security," said Visa President and Chief Executive Officer John Philip Coghlan in remarks at a March 8 security summit. "Every time the criminals succeed, the most valuable asset they steal isn't money; it is trust."
Inducing compliance through interchange
Coghlan used the summit, which was co-sponsored by Visa and Harvard Business School Publishing, to push payment security as a strategic corporate priority.
"Data security must move out of the back office and into the boardroom," the Visa chief insisted. "Corporate officers must apply the same rigor to data security as they do to their financial controls."
Visa also has a carrot it hopes will further encourage compliance: the best available interchange rates through acquirers to merchants who demonstrate PCI compliance by Sept. 30, 2007.
Coghlan estimated the financial impact of this for individual merchants would vary from $250,000 to more than $20 million, depending on each merchant's qualifying transaction volume.
If that's not enticement enough for merchants to get on board with PCI compliance, maybe this is: Consumers are weary of companies they perceive to be lax with credit and debit card numbers.
Data reported in February by Javelin Strategy and Research, a firm commissioned by Visa, found that consumers believe retailers share equal responsibility with banks and other parties to payment transactions for protecting data related to those transactions.
Consumers also believe retailers are dragging their feet on the payment fraud front. Sixty-three percent said retailers are not as good as banks at protecting consumer card data; 16% pointed to processing companies as the least prepared; 5% blamed Visa and MasterCard Worldwide.
Only 20% of consumers polled by Javelin said they would continue shopping at a store if they learned the store had a data breach that may have compromised their card account information; 78% said they'd be unlikely to shop there.
Eighty-five percent of consumers said they'd likely shop more at a store that was known to devote resources and technology to protect customer card data. And 95% of cardholders surveyed said it was important that their banks tell them which retailers are responsible for known customer data breaches.
"Clearly, companies with poor data security practices are placing their reputations with their customers at risk," said James Van Dyke, President of Javelin. "Consumers hold businesses accountable for securing credit and debit information in their care and will take their business elsewhere if they perceive that responsibility is not being upheld."
Skimming and outright data thefts
The TJX data breach is but the latest in a string of high-profile breaches of computers containing payment card data. And a lot of folks are taking notice.
In a filing with the Securities and Exchange Commission in March, TJX revealed that computer security breaches over the course of the last two years resulted in the theft of information from 45.7 million customer credit and debit cards.
The company said its computers were first compromised in July 2005 by hackers who were able to snag information from customer transactions dating back to 2003. But TJX said it did not discover the breach until a few months ago.
During an investor call earlier this month, Sherry Lang, TJX Senior Vice President for Public and Investor Relations, said the company did not yet have "enough information to reasonably estimate losses we may incur arising from the intrusion."
But indications are that losses could be steep. In an April 12 report in the Boston Globe, technology analysts said the tab ultimately could exceed $1 billion.
The Associated Press newswire service reported in late March that police in Florida had apprehended six people who had used card numbers stolen from TJX to buy about $1 million in gift cards. The cards were then used to purchase electronic equipment and jewelry at area Wal-Mart and Sam's Club stores.
Security experts explain that thieves often purchase gift cards with stolen card data in order to extend the duration of their frauds.
Common gift card scams include swapping cards at the POS, skimming, and using stolen or counterfeit credit cards to purchase stored value cards.
The University of Florida, which tracks retail fraud, estimated that 13% of gift card fraud in 2005 was tied to stolen credit or debit card numbers. Another 13% is from counterfeit or skimmed cards, while 62% is tied to dishonest employees.
The University, through its National Retail Security Survey, found that gift card losses in 2005 (the most recent survey year) were higher among the 60% of surveyed retailers offering reloadable cards ($99,238.66 versus $25,245.81).
Debit data in Canada
In another equally troubling case of data theft, three of the largest banks in Canada were forced to freeze thousands of checking accounts. This was after police arrested a group suspected of skimming data from debit cards and using that information on fraudulent shopping sprees.
When the six were apprehended they possessed more than $100,000 in cash and over 100 fraudulent credit and debit cards.
Cards are skimmed using rogue surveillance or card-swiping technologies. Fraudsters use captured account, cardholder and PIN information to create bogus cards or to place card-not-present purchases (e.g., telephone and Internet purchases).
So, better sail with PCI.
Patti Murphy is Senior Editor of The Green Sheet and President of The Takoma Group. E-mail her at firstname.lastname@example.org.