The Obscene State of Retail Data Protection
By Larry Collins
“The biggest card heist ever,” the Boston Globe article read, regarding the 45.7 million credit and debit card numbers lifted from the TJX Cos. computer systems at its Framingham headquarters and from its facility in Watford, England. Rustling the newspaper’s front page, an exasperated T rider, perhaps a customer of T.J. Maxx, was heard to exclaim: “How obscene is this?”
In this latest revelation, which since January has been coming in inexplicable dribs and drabs, TJX for the first time disclosed, according to The Globe, that even those files the company had attempted to protect were protected poorly and may have been compromised.
In January, TJX announced that it had been “victimized,” inducted into the ever-expanding legion of companies whose computerized credit and debit card data have been tapped into by unauthorized users. TJX now has the dubious distinction of being responsible for the biggest card hacking ever.
It didn’t take long for the hackers and their accessories – downstream criminals who purchase “hot card numbers” from the Internet – to put the information to use. Soon after the initial January disclosure of the TJX breach, scores of Massachusetts banks began reporting they had been contacted by Visa and MasterCard and had been notified that they had huge batches of exposed cards. Moreover, fraud was soon detected by Massachusetts banks due to the breach – across this country and as far away as Sweden and Hong Kong. (The fraud was occurring from “card-not-present” transactions, as well as from bogus or counterfeit plastic.)
In late March, law enforcement authorities in Florida announced the arrest of a gang of thieves who had allegedly used stolen TJX credit card numbers on fake credit cards to purchase more than $8 million worth of gift cards, which were then used to buy expensive electronic equipment and other merchandise.
The disclosure that its customer data base had been hacked should have been embarrassing enough for TJX to come forward and adequately discuss the problem and try to put consumers at ease. But it has not, leading to speculation that perhaps it has never known the full extent of the problem or perhaps that the facts are just too embarrassing to discuss. In the meantime, consumers continue to worry.
What is clear is that the giant retailer, which operates in this country and abroad, has been lax in protecting or encrypting data. In addition, as subsequent events amply demonstrated, it really should not have been storing much of this data in the first place.
But what really caught the attention of the media and the public at large is that TJX had known about the breach for nearly a month before it went public with the information; it said it was following the instructions of law enforcement by not announcing the breach earlier. (It only went public that day in mid-January because Dow Jones and the Wall Street Journal pegged TJX as the source.) Meanwhile, millions of the company’s customers were left unaware that their critical personal financial information might have been compromised by malicious computer hackers while they were doing their Christmas shopping at TJX stores.
Then, to compound the problem, in subsequent statements, TJX said that after reviewing the company’s systems it had determined that some customer data, including driver license numbers – which in some states are often Social Security numbers – had been compromised by hackers as far back as 2003.
Some Bay State banks reported hundreds of thousands of problem cards due to the TJX breach. Scores of them, and many other banks across the country, were hit, and each has a tale of how it reacted, usually with calm and efficiency.
As Sue McKinnon, vice president of Dedham Institution for Savings, put it, “Unfortunately, we’ve had to become very efficient in these matters,” adding that the bank’s third-party processor has been providing lists of compromised cards on a regular basis.
“In early January, we were notified by our processor that they were notified by MasterCard about a problem,” said McKinnon. “The list included over 4,000 of our accounts. But after we did our research, a lot of the cards listed had already expired, so we had to reissue about 2,400 cards, which is still quite a lot. It’s costing us about $6 a card.” (Card reissuing costs can vary from institution to institution, generally from $5 to $25 each.)
At Dedham Institution for Savings there were also some overtime costs. “We had an evening and a weekend shift and we also hired our processor to do some of the work for us,” said McKinnon, “so that we could turn those cards around fairly quickly for our customers.” When the group came back in on Monday morning after working around the clock that first weekend, hundreds of new hot card numbers arrived again from MasterCard.
McKinnon said that while the bank has become efficient with the process of dealing with compromised cards, the real problem is dealing with nervous customers. “Customers are very concerned about their accounts and there’s the inconvenience to the customers – having to wait for new cards ... It takes about 10 days.”
TJX stores include 826 T.J. Maxx locations, 751 Marshall’s, 271 HomeGoods, 162 A.J. Wright units and 36 Bob’s Stores in this country. In addition, the company operates 184 Winners stores and 68 Home Sense stores in Canada, and 212 T.K. Maxx stores in Europe. Understandably, there is widespread regulatory and government interest in its activities.
The TJX data breach is under investigation by the Federal Bureau of Investigation, the U.S. Secret Service and the Federal Trade Commission. State Attorney General Martha Coakley has also announced that her department’s Consumer Protection Division, in concert with the attorneys general in several other states, has also launched a probe into the TJX breach.
Can Law Enforcement Help?
While not commenting specifically on the TJX data breach, Steven Ricciardi, special agent in charge of the Boston office of the U.S. Secret Service (which is charged with the investigation of cyber-crime), explained how high-tech crime has taken up an increasing amount of time and effort by an agency that most people think is restricted to protecting presidents, visiting foreign dignitaries and tracking down counterfeiters.
“When I first came into the Secret Service about 20 years ago, we’d be doing investigations in our district, meaning the Boston area, Massachusetts or New England,” he said. “Now it’s a global situation, sometimes in countries that pay little attention to the issue of cyber-crime. We’ve had considerable success in tracking down criminal Web sites, where they’re selling credit card data and that sort of thing, but the lack of co-operation in some foreign countries is definitely a major problem.”
The Secret Service’s mandate to combat electronic crimes was set out in the 2001 USA PATRIOT Act.
“As a result of this mandate, the Secret Service has created electronic crime task forces throughout the country,” Ricciardi explained. “We have partnerships with other federal agencies and state and local police departments. The job of the task forces is to go after cyber-criminals who are hacking into computer networks. We have agents and local officers that we’ve trained and who are very good at computer forensics, as well as network intrusion.”
The credit card industry itself – notably Visa and MasterCard – years ago established rules for merchants that are designed to protect the personal information of cardholders. In response to increasing levels of card fraud, the major card brands jointly issued the Payment Card Industry (PCI) Data Security Standard.
Retail analysts have estimated that only about 30 percent to 40 percent of the so-called Tier 1 retailers – major retail establishments like the big chain stores – are PCI compliant. (Visa reported that as of June 30, only about 30 percent of retailers were PCI-compliant.)
The PCI data security standard is a list of requirements aimed at securing computer networks, protecting cardholder information, and regularly checking and certifying the status of security systems and processes. Among its key provisions are the protection of stored cardholder data (the account number must be rendered unreadable wherever it is kept), encryption of cardholder data when it crosses open, public networks, a prohibition on storing sensitive authentication data – full magnetic-stripe contents, card verification codes and PINs – after a transaction has been authorized, the use of regularly updated anti-virus software, and the tracking and monitoring of all access to cardholder data.
While the PCI data security standards were developed to make it easier for retailers to ensure their security systems were adequate, the retail industry’s response has been lackluster at best. In fact, when compared to the banking industry’s approach to data security, the retail industry’s record has been dismal.
As already noted, TJX is not alone in its dilemma. For the average consumer, these stories inevitably stoke fears of identity theft, which have grown into something close to public panic, spurring some 35 states to adopt legislation requiring prompt notification of cardholders in the event of a data breach, but not much else. (The Massachusetts Bankers Association has been discussing with the media and the public the fact that card theft is not ID theft, but it can lead to it, particularly if consumers are not careful about giving up additional information.)
For the most part, consumers are left with the responsibility of monitoring their cards and checking their credit reports from one of the three major credit reporting agencies – TransUnion, Experian and Equifax – to determine if their debit or credit cards have been fraudulently used.
Massachusetts currently has no law that requires prompt identification of the company that caused a breach and the notification of impacted consumers. However, legislation that would impose even more stringent consumer protection provisions is currently pending on Beacon Hill. Sponsored by state Rep. Michael Costello, D-Newburyport, and strongly supported by the MBA, if passed, the proposed measure H. 213 would constitute the nation’s most rigorous law aimed at protecting consumers from fraud committed by cyber-criminals.
Central to the legislation are provisions requiring offending retailers to identify themselves, which Visa and MasterCard currently do not require and, in fact, prohibit banks from doing so. Moreover, retailers would be required to notify customers in a timely fashion if their credit or debit card information may have been compromised by a data breach. Notice may be made via mail, telephone, e-mail or posting on the company Web site, depending on the scope of the data breach and, inevitably, it would involve the card associations, since individual retailers do not have a way to directly communicate with cardholders. In addition, the measure imposes financial liability on any company whose lax computer security invited a data breach.
Such liability would mean that the offending retailer would assume financial responsibility for costs incurred by financial institutions for reissuing cards and to cover any losses from fraud. Banks presently absorb all of these costs.
“Thirty-five states already have laws that give consumers notification protection, so it will be a victory if we pass any identity theft bill,” said Costello. “But our bill would be much stronger. It would encourage more vendors to enhance their security systems, whether they’re retailers, banks or any other entity that collects and uses personal consumer identification. If retailers are held responsible for the damages that occur from a data breach due to their negligence, then they’re going to invest more time and effort in ensuring that the consumer information that they hold is safe and secure. This is our primary purpose.
“The secondary purpose,” Costello added, “is the liability and reimbursement provision because a) it will encourage merchants to set tougher standards for themselves and b) small banks in particular are more vulnerable when these data breaches occur, because it costs them more to close accounts and reissue new cards.”
Costello also pointed out that smaller retailers have similar financial issues when it comes to credit card security. “We recognize that for smaller retailers, our legislation could be a burden, but we’re prepared to sit down with retailers and try to find a compromise that would protect smaller retailers. But we want to ensure that the larger retailers that have the means to employ better security systems also have the will to do it. This legislation will motivate them to do it.”
Daniel J. Forte, president and CEO of the Massachusetts Bankers Association, which represents all 205 banks in Massachusetts – most of them community banks – emphasizes that the MBA position is motivated by a desire to strengthen the overall data security, not only of retailers, but for the system as a whole.
“Look, this was never intended to become a battle of retailers versus the banking industry, because we’re really in this together and need to work together on this. But clearly, the TJX issue demonstrates the need for a more comprehensive approach than what’s been applied in the past to data breach security in general. It means a number of things: There has to be a closer working relationship with both MasterCard and Visa. I think that’s something we’ve made some good strides toward with the New England Debit Card Task Force, which the MBA’s Kevin Kiley and Peter Blanchard have worked hard to develop.
“Clearly, there needs to be some form of tighter regulatory scrutiny of the PCI standards,” Forte added. “When you have 70 percent of retailers not complying with their own rules, that’s a major problem. As for storing unnecessary data, it’s wrong for the big box retailers to have this type of information: Track 2, driver’s licenses and other inappropriate data, that’s stored for too long a period of time – and it’s not encrypted. Some form of carrot-and-stick approach needs to be applied to ensure that there’s compliance to these rules going forward.”
Why this apparent indifference to regulations that are designed to protect retailers’ customers? Smaller retailers have complained that the regulations are overly stringent, subjecting them to the same standards set for giant companies that have the technological know-how to easily adapt to PCI. (But they haven’t.) There is also the significant cost factor that much of the PCI technology requires. Then there is the reality that most retailers probably thought they would not get caught ignoring the PCI standards – until now.
The Retailers’ Response
Jon B. Hurst, president of the Retailers Association of Massachusetts, asserts that the current PCI standards have not been in effect long enough for most retailers to set up the necessary conditions to comply.
“The PCI standards were written by the banks, that’s who owns the credit card companies,” says Hurst, although the MBA says that’s not the case. “And the standards were released only last September; all this is pretty new.” (Again, the MBA points out that the standards were well-known long beforehand; September was the date that compliance was to begin.) Hurst continues, “You have thousands and thousands of companies out there that have yet to be educated on this ... I have 3,000 members, which are primarily tier 4 companies [smaller retailers] and they don’t have a clue about these requirements, and it’s going to be costing them thousands of dollars to comply.”
“At the risk of stating the obvious,” says the MBA’s Director of Communications Bruce Spitzer, “perhaps their association could have done a better job of helping them prepare for it – they had the time. It was the desire that appears to have been lacking.”
A big reason for retailers to ignore the PCI protocols is that if a data breach that results in debit or credit card fraud does occur, retailers generally are not liable for the cost of such fraudulent activity. In the event that the credit card companies determine that a retailer using their cards is not adhering to PCI, the credit card firms and acquirers/processors can impose a fine, depending on the size of the retailer, of up to $500,000, but this too has failed to stimulate more widespread compliance.
As it stands today, it is the responsibility of the banking industry to pick up the tab for fraudulent purchases, as well as the costs related to new card issuance. Nationally, these costs last year amounted to more than $2 billion. Smaller banks, like the bulk of the MBA membership, have found these costs especially onerous, which is why the MBA is in the forefront of an effort to achieve what PCI has failed to achieve: retailer compliance to adequate data security standards.
In addition to the potential new standards represented in Costello’s bill, there may be federal legislation to follow soon. Rep. Barney Frank, chairman of the House Financial Services Committee, has indicated he is considering such a measure on the federal level. In a recent statement, Congressman Frank stated that the TJX breach is “further evidence of the need for a provision ... Specifically, this means that retailers or wholesalers must take responsibility for data breaches.”
“There’s no question that data breaches are now very clearly on the radar screen, both on Beacon Hill and in Washington,” Forte observed. “We intend to push hard for an effective and fair paradigm for computer data security. It’s way overdue.”
“The TJX debacle was a wake-up call,” said Costello. “There have been other data breaches – BJ’s, Stop & Shop, for example – but this one seems to have resonated with the public. And isn’t it about time that companies like TJX were held accountable? They hold on to customer information literally for years, information that’s largely unprotected from malicious hackers. If they don’t even bother to adhere to the security guidelines of the major credit cards – the Visas and the MasterCards – why should banks be left holding the bag for the costs that such breaches incur?”
As Forte has continually stated, once a purchase has been authorized, card-brand rules stipulate that the sensitive authentication data used to authorize it – the full magnetic-stripe contents, card verification codes and PINs – must not be retained. TJX has only vaguely discussed the specific customer information it has retained but, given the fraud we’ve been seeing, it is highly likely that it includes account numbers, expiration dates, personal identification numbers and other similar verification data. If the recent gift card caper in Florida is definitely connected with the TJX episode, as law enforcement authorities have suggested, then it would seem to reinforce TJX’s culpability for the data breach.
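The data Forte objects to retailers holding – full Track 2 contents and unmasked account numbers – can be found with a simple discovery scan, the kind a PCI assessor runs over logs, databases and file shares. The following is an added example written for this article; it is not code from TJX, the card brands or the PCI council, and the log lines it scans are constructed. It relies only on the magnetic-stripe Track 2 layout (PAN, “=”, YYMM expiry, three-digit service code, discretionary data, terminated by “?”) and on the Luhn checksum that card numbers carry, which filters out order numbers and other digit runs.

```python
"""
Cardholder-data discovery: find stored Track 2 data and unmasked PANs
that PCI DSS says must not be retained after authorization.
Added example for this article; sample log lines are constructed.
"""
import re
from typing import Dict, List

# Track 2 as encoded on the magnetic stripe (ISO/IEC 7813):
#   ;<PAN 13-19 digits>=<YYMM expiry><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Card numbers pass; random digit runs mostly don't."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Dict]:
    """Return findings for one line: full Track 2 records first, then bare PANs."""
    findings: List[Dict] = []
    for m in TRACK2_RE.finditer(line):
        pan, expiry, service_code = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": mask_pan(pan),
                             "expiry": expiry, "service_code": service_code})
    # Remove Track 2 matches so their PAN is not reported a second time.
    remainder = TRACK2_RE.sub("", line)
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"kind": "pan", "pan": mask_pan(digits)})
    return findings


def scan(lines: List[str]) -> List[Dict]:
    """Scan a sequence of lines, tagging each finding with its 1-based line number."""
    results: List[Dict] = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            f["line"] = n
            results.append(f)
    return results


# Constructed sample: a POS debug log that should never contain lines 1 or 2.
# The card numbers are the industry's published test numbers, not real accounts.
SAMPLE_LOG = [
    "POS debug: track2=;4111111111111111=08121011234567890?",   # full stripe data
    "auth ok pan=5555 5555 5555 4444 amt=59.99",                 # unmasked PAN
    "settle ok pan=555555******4444 token=ab12cd",               # properly masked
    "order 2007011200000001 shipped",                            # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Run on its own, the block reports two findings: the Track 2 record on line 1 (with its expiry and service code) and the unmasked account number on line 2; the masked value on line 3 and the order number on line 4 are ignored. In practice the same functions are pointed at database dumps, swap files and application logs, since that is where retained authorization data tends to surface.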
Meanwhile, federal class-action motions and other lawsuits are being filed against the company. One of those emanates from Alabama. In its lawsuit, AmeriFirst Bank is seeking to recover the costs of replacing compromised credit cards for its customers. (The bank has also named as a defendant the Ohio-based Fifth Third Bank, the acquiring institution that processes debit and credit transactions for TJX.) The Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, recently filed suit against the company after TJX refused to supply it with documents outlining the company’s computer security system. Other individual customer suits have been filed and are pending. (As far as its legal options are concerned, the MBA and the New England Debit Card Task Force have said all options remain on the table.)
“It’s doubly irresponsible for a retailer to hold onto such sensitive material for such a long time and then not even bother to ensure that the information is sufficiently protected. Just imagine if banks took such an approach to protecting their customers’ financial data,” said Forte.
Thomas E. Connelly, COO of Netwatch Inc., an Easton-based security consulting firm, says his firm conducts regular security audits, including so-called “ethical hacking,” on its bank clients to ensure their security posture will meet the standards of the FDIC and other relevant regulatory authorities.
“We’re very stringent in our approach,” says Connelly. “Our methodology is to impose impartial and very strict protocols on all our clients. Obviously, financial institutions in particular have a strong incentive to invite such audits. Given the profound ramifications of the TJX incident, one can only imagine that any data breach at a financial institution could arguably be far more invasive to not only a bank’s customers, but to the reputation and stability of the bank itself.”
Work of the Task Force
While recent data breaches among retailers have significantly raised the profile of the controversial issue, the MBA has been on high alert for the past two years, after a similar but smaller-scale data breach occurred at BJ’s Wholesale Club. At that time, the MBA established the New England Debit Card Task Force cited above by Forte. The task force membership includes banking trade associations from throughout New England, individual community banks, representatives of the American Bankers Association, America’s Community Bankers, the Independent Community Bankers of America and the California Bankers Association. (Five years ago, California became the first state to adopt a law requiring immediate notification of cardholders in the event of a computer data breach.) Working closely with Visa and MasterCard, the task force meets regularly to devise more effective security protocols to protect consumers and to seek ways to reduce the costs that banks incur from data breaches.
Kevin F. Kiley, MBA chief operating officer and executive vice president, recently gave an overview of the task force’s activities at the third annual conference of the New England Debit Card Conference. The conference covered a broad range of data breach topics, including efforts to secure a comprehensive national approach to the issue. But in an interview, Kiley stressed that while a national security system is critical, the MBA represents Massachusetts banks and that its first priority is to pursue a statewide remedy.
“We represent banks here in Massachusetts, banks that primarily do business in Massachusetts, and that’s why we’re focusing on Rep. Costello’s legislation. However, that being said, we’re also working with Congressman Frank and some of the national trade organizations to try to push the idea at the national level.”
As for the PCI standards, Kiley says, “Look, retailers are required to update their systems to comply with PCI standards. The PCI Standards Council is in charge of making sure that retailers bring their systems up to speed. But the system hasn’t been working.
“In our opinion, the only way that we’re going to get moving in the right direction on this issue is to hold people accountable and placing the liability squarely on the retailers is the way to do it. Rather than trying to get these people to adhere to strict data security rules on a voluntary or administrative basis, let’s utilize state law to shift the responsibility for these data breaches to the people it rightfully belongs to: the retailers who caused the breach. Our interest is advancing the overall security of the system for the benefit of consumers. That’s why we’re in this.”
At one point in Kiley’s presentation during the recent meeting of the New England Debit Card Task Force, he was addressing Visa and MasterCard when, borrowing a line from Paddy Chayefsky’s screenplay for the movie “Network,” he exclaimed, “We’re mad as hell and we’re not going to take this anymore!” He received thunderous applause from the more than 200 assembled bankers from all six New England states.
Thanks to the work of the task force and others, Visa and MasterCard are acknowledging that they have much work to do: 1) to get retailers to become compliant with PCI standards and 2) to find a way to reimburse banks adequately when cards must be reissued and fraud takes place through no fault of their own. (They are likely to be the key players that make this happen whether or not the Costello bill passes.) Currently the claims process is so onerous, and returns only pennies on the dollar, that most banks know the policy and the process are not worth the paper they are written on.
If more and more upper-tier retailers finally do come around to become PCI compliant, the card companies are concerned there will be an increased risk of compromises migrating to smaller retailers. However, small retailers are less of a risk. They do not retain the extreme amount of data that major retailers have demonstrated they are holding onto for marketing purposes.
Kiley, the MBA’s principal lobbyist on Beacon Hill, isn’t expecting a cakewalk as the Costello bill wends its way through the legislative process.
“Clearly, there’s going to be significant opposition from retailers and other businesses that also maintain important data that could be compromised,” said Kiley. “But the basic thrust of what we’re trying to do is clearly directed at large retail establishments. The bill no doubt will be subject to some further refinement as it is being considered, but hopefully we’ll be able to make some progress on it. It’s going to be an uphill fight, I wouldn’t suggest otherwise. The retailers are a significant lobbying force.”
The Bottom Line
Hurst, the retailer group president, insists that any state law requiring fraud reimbursement by retailers would be a classic case of overkill.
“I find it a redundant cost recovery mechanism,” says Hurst. “It’s already covered by contract, the whole triangle between Visa and MasterCard, the issuing bank, the acquiring bank and their customers. The contract already allows for cost recovery ... Under the banks’ written contract with VISA and MasterCard, if a retailer or restaurant or other commercial establishment is out of compliance with the [credit card company] rules, the banks can come back and collect up to 100 percent of the actual cost of ID theft. It’s right there in the contract.
“They have that recovery process and, in addition, they have skyrocketing interchange fees, and they have the PCI Standards Council out there starting to educate firms how to comply and, by the way, if you don’t comply, they can up your interchange fee or they can fine you. They have multiple layers of cost recovery and penalties and now they want an additional layer in state law? We don’t buy it!”
Needless to say, Bruce Spitzer of the MBA isn’t buying the retailers’ arguments, either.
“First of all, he is incorrect about what is recoverable. Visa and MasterCard acknowledge their claims process does not work for the vast majority of all banks and only returns pennies on the dollar and, in most cases, nothing at all. Moreover, the interchange fees that banks receive were adopted years ago in another age and were never meant to cover the enormous costs we’re seeing from all of these major data breaches.
“The retailers need to protect the data – then they wouldn’t have to worry about who pays for a breach downstream, because there won’t be any more data breaches. Is their primary objective to protect consumers or not?
“Their response to this issue can be accurately described as obfuscation. They claim banks can do more on our end, like invest in smart cards or chip and pin technology to protect customers. This, too, is a bogus argument. Our industry would have done so long ago but the retailers themselves did not want to adopt and pay for the new equipment at the checkout counter. It’s as though they are saying, ‘Well, we’re going to keep right on drinking and driving, so why don’t you guys build safer cars?’
“They’re also claiming that banks make 3 percent to 4 percent on all card transactions. Well, maybe large acquiring or processing banks make a negotiated percentage of that on some merchant transactions – more like 1.7 percent to 1.8 percent. But the majority of the banks caught up in these retail data breaches are small banks that have no such income and must absorb the costs to reissue cards and cover the cost of fraud for customers.”
Simply put, the retailers are trying to change the subject, the MBA asserts.
“If TJX and all of these other problematic retailers had invested in good encryption,” Spitzer adds, “or if they had not stored data that they shouldn’t be holding on to, or if they were not sending information wirelessly, then this situation would never have happened. If they can’t follow their own rules, we maintain that it’s time for the Legislature to step in and establish adequate consumer protections by law. The current rules are not working because, with banks paying for the mistakes, the retailers have no incentive to invest in good systems. And apparently, they don’t care enough about their own customers to do it without this push. If there was another way for lawmakers to get retailers to be compliant, the lawmakers might try it.
“The bottom line is this: in this high-tech society in which we live and do business, we all have a responsibility to protect sensitive consumer information. That’s what this whole brouhaha is all about, protecting consumers.”
Fully two months after Visa and MasterCard first started to notify banks about the compromised cards from the TJX breach, Spitzer asked for a show of hands from bankers at the meeting of the New England Debit Card Task Force. The question: How many of the more than 200 bankers in the room are still receiving new batches of hot card numbers from the card companies? Eighty percent to 90 percent of the bankers in the room raised their hands.
When is it going to end?