News, June 15, 2009

By JORDAN ROBERTSON ~ The Associated Press
Pamela LaMotte holds disputed credit card bills Feb. 25 for a closed account, left, and an open one in Colchester, Vt. More than 4 million card numbers were stolen from Hannaford Bros. Co., an East Coast supermarket chain. (Toby Talbot ~ Associated Press)

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for thieves.

And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.

The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.

It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.

More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn't detect it. Even the companies that had the payment industry's top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.

Companies that are not compliant with the PCI standards -- including one in 10 of the medium-sized and large retailers in the United States -- face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves.

Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.

That is of little consolation to consumers who bet on the industry's payment security and lost.

It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by thieves in a breach traced to a Hannaford Bros. grocery store.

LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees -- which were eventually refunded -- while the banks investigated.

"Maybe somebody who doesn't live paycheck to paycheck, it wouldn't matter to them too much, but for me it screwed me up in a major way," she said. LaMotte says she pays more by cash and check now.

It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford's servers that snatched customer data while it was being sent to the banks for approval.

In the past, each credit card company had its own security rules, a system that was chaotic for stores.

In 2006, the big card brands -- Visa, MasterCard, American Express, Discover and JCB International -- formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.

But computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.

"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, vice president of security awareness for Core Security Technologies.

Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.

"PCI compliance can cost just a couple hundred bucks," said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. "If that's the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need."

For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there's little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud.

And retailers with fewer than 6 million annual card transactions -- a group comprising more than 99 percent of all retailers -- do not even need auditors. They can test and evaluate themselves.

At the same time, the card companies themselves are increasingly hands-off.

Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's.

In the U.S., that means fewer than 100 payment processors out of the 700 that Visa works with are PCI-compliant.

Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."

"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."

Representatives for MasterCard, American Express, Discover and JCB -- which, along with Visa, steer PCI policy -- either didn't return messages from the AP or directed questions to the PCI security council.

PCI's general manager, Bob Russo, said inspector certification is "rigorous." Yet he also acknowledged that inconsistent audits are a problem -- and that merchants and payment processors who suffered data breaches possibly shouldn't have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.

The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.

Those reviews merely scratch the surface, though. Only three full-time staffers are assigned to the task, and they can't visit retailers themselves. They are left to review the paperwork from the examinations.

The AP contacted eight of the biggest "acquiring banks" -- the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant. Most didn't return calls or wouldn't comment for this story.

Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase, said his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or e-mail.

"We have faith in the certification process, and we really haven't doubted the assessors' work," Herman said. "It's really the merchants that don't engage assessors; those get a little more scrutiny."

He defended the system: "Can you imagine how many breaches we'd have and how severe they'd be if we didn't have PCI?"

Supporters of PCI point out nearly all big and medium-sized retailers governed by the standard now say they no longer store sensitive cardholder data. Just a few years ago they did -- leaving credit card numbers in databases that were vulnerable to hackers.

So why are breaches still happening? Because criminals have sharpened their attacks and are now capturing more data as it makes its way from store to bank, when breaches are harder to stop.

Security experts say there are several steps the payment industry could take to make sure customer information doesn't leak out of networks.

Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.

For example, TJX Cos., the chain that owns T.J. Maxx and Marshalls and was victimized by a breach that exposed as many as 100 million accounts, the most on record, has tightened its security but says many banks won't accept data in encrypted form.

PCI requires data transmitted across "open, public networks" to be encrypted, but that means hackers with access to a company's internal network still can get at it. Requiring encryption all the time would be expensive and slow transactions.
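To make that distinction concrete, here is an added illustration that is not part of the AP story and is not code from any company it names. It models one authorization request travelling from the checkout terminal to the acquirer under two policies: encrypting only where the data leaves for the open, public network, and encrypting at the terminal before the data ever touches the store's own network. A small capture scanner (digit-run regex plus Luhn check) shows at which hops a passive tap would recover the cleartext card number. The hop names, the shared key, the test card number 4111111111111111 (a standard test value, not an account) and the HMAC-based stream cipher used in place of a real payment cipher are all assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Hops on the store-to-bank path; names are constructed for this illustration.
HOPS = ["pos_terminal", "store_lan", "store_server", "store_edge", "internet", "acquirer"]


def _keystream(key, nonce, length):
    """Constructed keystream (HMAC-SHA256 in counter mode) so the script needs
    only the standard library; a stand-in, not a payment-grade cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: random nonce || ciphertext || 32-byte HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before touching the ciphertext; reject altered messages."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def luhn_ok(digits):
    """Luhn check-digit test that separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"\b\d{13,19}\b")


def pans_in_capture(data):
    """Card numbers recoverable from bytes captured on one hop (a sniffer's view)."""
    return [m.decode() for m in PAN_RE.findall(data) if luhn_ok(m.decode())]


def run_transaction(policy, pan, key):
    """Return {hop: bytes on the wire} for one authorization request.

    "public_only": encrypt only where the data leaves for the open, public
    network, the hop that PCI's transmission rule covers.
    "end_to_end": the terminal encrypts before the data touches the store
    network, so only the key holder at the far end can read it.
    """
    payload = b"AUTH pan=" + pan.encode() + b" amount=1999"
    on_wire = {}
    for hop in HOPS:
        if (policy, hop) in {("end_to_end", "pos_terminal"), ("public_only", "internet")}:
            payload = encrypt(key, payload)
        on_wire[hop] = payload
    return on_wire


def exposed_hops(policy, pan, key):
    """Hops where a passive capture yields the cleartext card number."""
    wire = run_transaction(policy, pan, key)
    return [hop for hop in HOPS if pan in pans_in_capture(wire[hop])]


def acquirer_can_authorize(policy, pan, key):
    """The key holder at the end of the path must still recover the request."""
    wire = run_transaction(policy, pan, key)
    return decrypt(key, wire["acquirer"]) == b"AUTH pan=" + pan.encode() + b" amount=1999"


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # standard test card number, not a real account
    key = os.urandom(32)            # assumed shared only by the encrypting party and the acquirer
    for policy in ("public_only", "end_to_end"):
        print(policy, "cleartext visible at:", exposed_hops(policy, TEST_PAN, key))
```

Under the public-network-only policy the capture scanner recovers the card number at the terminal port, the store LAN, the store server and the store's edge, which is exactly where malware planted inside a retailer sits. Under the end-to-end policy every hop carries ciphertext and the acquirer still authorizes the request, at the cost of managing a key per terminal. The same scanner, run over a company's own packet captures or logs, is a simple way to verify which hops actually carry cleartext card data.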

Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.

PCI could also be optional. In its place, some experts suggest setting fines for each piece of sensitive data a retailer loses.

The U.S. might also try a system like Europe's, where shoppers need a secret PIN code and a card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it's harder to use counterfeit cards), but transferred it elsewhere -- to places like the U.S. that don't have as many safeguards.

A key reason PCI exists is that the banks and card brands don't want the government regulating credit card security. These companies also want to be sure transactions keep humming through the system -- which is why banks and card companies are willing to put up with some fraud.

"If they did mind, they have immense resources and could really change things," said Ed Skoudis, co-founder of security consultancy InGuardians Inc. and an instructor with the SANS Institute, a computer-security training organization. Skoudis investigates retail breaches in support of government investigations. "But they don't want to strangle the goose that laid the golden egg by making it too hard to accept credit cards, because that's bad for everybody."
