Data Security
Costly but necessary

One after another since February 2005, the stories of massive breaches in data security at various businesses and organizations have rolled in several times a month. Privacy Rights Clearinghouse, a nonprofit organization in San Diego, has received 71 separate verifiable reports of financial data breaches between February 15 and August 30. Bank of America and CitiFinancial lost backup tapes that stored unencrypted credit card account numbers. CardSystem Solutions, a bankcard processor, revealed that 40 million account numbers were compromised. Large retailers such as DSW Shoe Warehouse and B.J. Wholesale Club admitted their own security breaches. Media coverage has focused on the consumer’s point of view. Much less publicized are the risks and costs of credit card fraud to business, especially retailers, who face the challenge of preventing use of the stolen data for purchases at their stores.
The Federal Trade Commission estimates that about 10 million Americans have their personal information pilfered and misused in one way or another every year, costing consumers $5 billion. The cost to businesses: $48 billion annually. The sheer volume of data that’s available by hacking a computer system or stealing backup tapes makes it obvious why the problem is now being fought on all fronts. Congress is considering legislation to hold businesses accountable for lax data security practices. Visa and the other credit card associations are enforcing data security standards like never before; and the data security and “vulnerability management” service industry has seen exponential growth. All of these are likely to hurt a retailer’s bottom line. But the cost of data security is less than the cost of a severely damaged brand or bankruptcy due to lax data security practices.

Re-evaluating value

“There’s a benefit to having information, but there’s also a cost. For most businesses, the value of that information isn’t worth the security risks of keeping it around,” explained John Mayleben, MRA’s vice president of sales and marketing. It is especially risky to keep large volumes of unencrypted account information, as many businesses have discovered. After Michigan State University’s Wharton Center for the Performing Arts in East Lansing suffered a breach of security last spring, the most important change it made was to encrypt the data, according to Kent Love, the Wharton Center’s public relations director. Love considers the Center’s reason for keeping the numbers on file legitimate. “We sometimes need to process large volumes of refunds when a show is cancelled or rescheduled,” Love explained. “It’s one thing to call a few customers for their account numbers.
It’s another thing when 2,400 refunds must be made for a single night’s performance.” It remains unclear whether large retailers who suffered breaches were in compliance with the payment card industry’s data security standards (PCI).

Digital gold

With full magnetic stripe data, crooks can produce large numbers of counterfeit credit cards—authentic-looking cards on which the information encoded into the magnetic stripe has been changed to that of a stolen account.
“A counterfeit card may have one number on its face and another stored on its magnetic stripe. So it can be especially hard for retailers to track the transaction later if the clerk did not catch the problem at the time,” explained Mayleben. Increasingly, thieves can make fraudulent online or telephone purchases with nothing more than the account number, especially with smaller merchants who might be less vigilant about verifying information. The more complete and detailed the information, the better for fraudsters. If the account number has a name and address associated with it, fraudsters can change the address on the account, delaying recognition of the fraud for months. The card owner never receives the bill that shows fraudulent purchases, and the false address can be used as a shipping address. The fallout from the recent large data thefts is not yet apparent. But most experts believe that in time, many more stolen numbers will show up in fraudulent transactions or attempts.

Congress gets involved

The business community has staunchly opposed consumer notification laws due to the expense and the negative publicity. However, several of this year’s high-profile breaches were made public only because of California’s law. Just before a late-August recess, three different congressional committees—the Senate Commerce and Judiciary committees and the House Commerce and Trade Committee—considered legislation aimed at data security. All the proposed bills share common threads: requiring prompt notification to affected consumers when security breaches occur, awarding more regulatory power to the federal government and setting minimum standards for data security. The Personal Data Privacy and Security Act, introduced by Sen. Arlen Specter (R-Pennsylvania) and Sen. Patrick Leahy (D-Vermont), even sets criminal penalties, imposing up to five years in prison for those who intentionally conceal information related to a security breach.
Legislation focuses on protecting consumers, but retailers may benefit as well if laws do, in fact, force the payment industry to be more rigorous in its efforts to secure data.

PCI compliance

The PCI Data Security Standard is a set of 12 guidelines designed to protect data, covering areas such as building a secure network, encrypting cardholder data and controlling internal access to data—and then maintaining these security measures. Many of these steps require a sizable investment for mid-sized to large retailers. Penalties for noncompliance include stiff fines and even terminating the relationship with a particular card association, a step with serious implications. For the first time, Visa dropped its relationship with a company, CardSystem Solutions, which has admitted it was not PCI-compliant. Michigan Retailers Association, in sharp contrast to CardSystem Solutions, houses no account number data at all. It works with various vendors who do, and they are all PCI-compliant. “MRA can look up various bits of transaction data for members, but the information is so segmented that it would be useless to any hackers,” explained Mayleben. “That’s the key to data security—keeping various pieces of valuable information separate and blocking all means of re-connecting it.” In addition, bankcard processors are responsible for ensuring that all of their merchants comply with PCI. Depending on how they rank, merchants are required or encouraged to perform some form of compliance validation. For small merchants, the card association recommends but does not require an annual self-assessment questionnaire. Businesses with high transaction volumes (20,000 Visa transactions per year) or exposure must perform quarterly compliance audits. Mid-sized retailers could be most “squeezed” by the new regulations.
They are less likely than large chains to have staff and technology already dedicated to data security, but more likely than small businesses to use systems that interface with the Internet, making them potentially more vulnerable to hacker attacks. The new compliance requirement is one more area where some retailers have a new cost of doing business. Many technology companies are jumping in with “compliance management” services, targeting retailers of all sizes as clients. “Before buying such services, look into PCI compliance yourself to determine your real needs,” advised Mayleben. Both Visa and MasterCard provide the full PCI Data Security Standards document on their websites. Online retailers should ask whether their web hosts or online partners already offer such services as part of a package before agreeing to additional services from a separate vendor.

Spotting fakes

All the advice retailers already know for inspecting cards is still valid, but a few steps are particularly important to detect counterfeit cards:

• Make sure the account number printed on the receipt, which was read from the card’s magnetic stripe, matches the account number embossed on the card.

• When a card won’t swipe and you enter the account number by hand, the card may be counterfeit. (Note that most cards that won’t swipe are simply demagnetized.) Key the number in by hand but also get a manual imprint of the card and ask the customer to sign it. This signed and imprinted sales draft is your defense in the case of a chargeback.

• If you suspect fraud, make a Code 10 call (see sidebar).

Catching fraudulent use of credit card numbers in online transactions is perhaps more critical, since merchants are responsible for 100 percent of the chargeback, even with authorization. An article in October’s Michigan Retailer will offer practical tips for minimizing credit card fraud in online transactions.

High-tech solutions

Visa and MasterCard each offer enhanced security for online transactions as well.
“Verified by Visa” and “MasterCard SecureCode” are programs that allow consumers to assign a password to each credit card, making it more difficult for a stolen number to be used with retailers whose websites add the program to their checkouts. Retailers can invite shoppers to register for one of the programs from their shopping website. If hackers figure out a way around these extra steps, several other more complex systems are in the works that should increase both the consumer’s and the retailer’s security. Before too long, PINs, “smart cards” and even fingerprints may be an everyday part of fraud prevention. “Smart cards,” already in heavy use in Europe, store data in an encrypted form that requires an embedded chip to decipher. They cannot be affordably duplicated with current technologies. Eventually, fingerprints or other biometric systems may join other forms of verification. Those favoring biometric verification believe it is the most foolproof way of linking a card number with its authorized users. How much will it cost to install the new hardware that such systems will require? It’s still too soon to say, but be prepared—through new services or equipment upgrades to detect fraud, retailers will help pay the price of deterring this increasingly sophisticated crime.

This article was written by Amy Buttery, Michigan Retailer staff writer.
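The counterfeit-card checks from the Spotting fakes section (stripe number must match the embossed number; keyed entry needs a signed imprint; mismatches warrant a Code 10 call) turned into a point-of-sale screening routine. This is an added example, not code from the article or from the Michigan Retailers Association; it assumes the stripe is read in the ISO/IEC 7813 Track 2 layout, and all card numbers and track strings in it are constructed test values.

```python
import re

# Track 2 layout per ISO/IEC 7813: ';' PAN '=' YYMM service-code discretionary '?'
# (the trailing LRC byte is omitted). Every sample string and PAN used with this
# code is a constructed test value, not a real account.
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that every issued PAN satisfies; typos and sloppy forgeries fail it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a raw Track 2 read into its fields; raises on malformed input."""
    m = TRACK2.match(track)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    return m.groupdict()


def assess_transaction(entry_mode: str, embossed_pan: str,
                       track: str = "", imprint_signed: bool = False) -> list:
    """Apply the clerk-side checks from the article; returns findings (empty = pass).

    entry_mode is 'swipe' (stripe read) or 'keyed' (number typed because the card
    would not swipe); embossed_pan is the number on the card face and receipt.
    """
    findings = []
    if entry_mode == "swipe":
        stripe_pan = parse_track2(track)["pan"]
        if not luhn_ok(stripe_pan):
            findings.append("stripe PAN fails Luhn check")
        if stripe_pan != embossed_pan:
            # the counterfeit pattern the article describes: a re-encoded stripe
            # carrying a different account than the face of the card
            findings.append("stripe PAN differs from embossed PAN: make a Code 10 call")
    elif entry_mode == "keyed":
        if not luhn_ok(embossed_pan):
            findings.append("keyed PAN fails Luhn check: re-enter or make a Code 10 call")
        if not imprint_signed:
            # without a signed imprint the merchant has no defense in a chargeback
            findings.append("keyed entry without signed manual imprint")
    else:
        raise ValueError(f"unknown entry mode {entry_mode!r}")
    return findings
```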
I.D. theft

Identity theft has become a household phrase. Usually identity theft is defined very broadly to include credit card fraud. The Federal Trade Commission defines identity theft this way. Those in the payment industry and law enforcement, however, make a distinction between credit card fraud and true identity theft, where stolen information is used in ways unforeseen by the original owner, to create new bank or credit card accounts or even completely new identities. In most cases, a stolen Social Security number or driver’s license is involved. True identity theft is costly and frustrating for victims, who often spend years and thousands of dollars recovering their good name and credit history. It’s also still fairly rare: estimates range from 150,000 to 500,000 cases per year. Both kinds of fraud are serious, but protections in place for credit card fraud are usually sufficient to protect consumers. Retailers, however, usually have to foot the bill in the form of chargebacks.
Code 10

If you’re suspicious of a card or cardholder at any time during a transaction authorization process, make a Code 10 authorization request. The Code 10 authorization request alerts the card issuer to the suspicious activity without alerting the customer. During a Code 10 call, you will speak to the card issuer’s special operator, who will provide instructions on any necessary action.

Code 10 steps