A Matter of Responsibility

  Card security from the point of sale to settlement remains a balancing act between ideal security practices and calculated risk in the face of limited budgets, industry experts say. Merchants decide which security upgrades to make now or try to delay, card networks and acquirers decide how much slack to allow retailers in meeting security deadlines and, when data breaches do occur, card issuers decide how many compromised cards to reissue or monitor closely for fraud.
  The data breach TJX Cos. announced in January has renewed the debate about the proper balance of ideal security and reasonable risk. The key questions the industry is looking to resolve are, who decides the proper balance and who should pay when breaches cost others money?
  Indeed, as consumer and issuer concerns mount, debate will continue on whether legislation is needed or whether merchant fines for noncompliance with data-security standards should be enforced more strictly. Ironically, observers say some merchants would like to see more pressure placed on retailers to help coax senior management to make funds available for security improvements.
  TJX, owner of more than 2,300 stores in the United States, Canada and Europe under names that include TJ Maxx, Marshalls and HomeSense, announced the breach of its consumer data on Jan. 17, about a month after it was discovered. TJX representatives did not return calls requesting an interview.
  But the Framingham, Mass.-based company said in a statement that investigators believe intruders accessed payment data between May and December last year and on various dates in 2005. Transactions from as far back as 2003 were compromised, and industry experts estimate that millions of credit and debit card numbers were exposed in the breach.
  A MasterCard spokesperson says TJX's acquirer reported to the network that TJX was not compliant with the Payment Card Industry data-security standard at the time the breaches occurred.
  The standard, introduced in 2004 to replace separate, sometimes conflicting requirements of major card networks, now includes 221 security requirements organized into 12 categories. They range from common-sense use of Internet firewalls to more-complex software and equipment rules that have changed as payment stakeholders negotiate tweaks and as new vulnerabilities are discovered.
  A spokesperson for Fifth Third Bank Processing Solutions, which acquires TJX's card transactions in the United States, would not comment on the breach. Unnamed acquirers serve TJX stores in Canada, the United Kingdom and Puerto Rico.
  Fifth Third Bank was among many credit and debit card issuers that had to decide whether to reissue or just closely monitor compromised cards. Citigroup and Bank of America reissued an undisclosed number of cards compromised in the breach, and JP Morgan Chase was reissuing cards as customers requested them.
  Issuers whose cards are compromised often are frustrated by sketchy or late breach information from card networks, Rich Detura, senior vice president and director of fraud policy at Citi Cards North America, said at a recent conference. He said his bank has sometimes learned of merchant breaches from news reports before it has received notification from card networks.
  Other times, card networks inform Citi of card numbers compromised by unpublicized breaches, but they do not disclose which merchant or other entity was the point of compromise. "When customers call us and ask us about a breach, invariably it's, 'Where was the breach? Where should I not shop?'" Detura said. "We can't answer because we're not privy to the first-hand information on the breach."
  Many of the largest issuers of credit and debit cards also are acquirers, which puts them on both sides of the debate over the cost to enforce merchant payment data security measures and the cost to reissue cards when security efforts fail. But many issuers without acquiring operations have firm opinions about the breach.
  America's Community Bankers, which represents small banks across the U.S., reported in February that 70% of respondents to a survey of its members said their banks had reissued cards in the past two years because of data breaches. And 39% said that data breaches had caused them to reissue cards more than five times in the past two years.
  "If you have to reissue cards six times, you're annoying your customers," says Steven Kenneally, director of payments and technology policy for America's Community Bankers. "You're the one delivering the bad news."
  REISSUANCE COSTS
  One issuer delivering bad news was Bank Mutual in Milwaukee, which reissued about 5,000 of its customers' 100,000 debit MasterCards that were compromised at TJX. Michael Crowley, Bank Mutual president and CEO, says he finds MasterCard's policies about compensation for debit card reissuance vague and is not hopeful that the bank will be reimbursed, at a cost of about $12.50 per card, for reissuing TJX-breached cards.
  The bank's reissuance cost from the Card Systems Solutions breach in 2005 was in the $20,000 range, Crowley says. "We put a claim in to MasterCard, and we never heard boo," he says. "Somebody's figured out that for $20,000, you're not going to sue anybody. If it is a common occurrence, that number starts to add up around the country."
  Crowley says he considers Visa's reissuance reimbursement policies clearer, which is why he is considering switching Bank Mutual's debit portfolio to Visa.
  A MasterCard spokesperson would not discuss specific cases but says MasterCard has established processes in place that are designed to handle cost recovery for affected parties. The systems "are designed to provide a fair and efficient means for its customer banks to recover operating and fraud costs resulting from a compromise incident."
  Critics also charge that TJX should have announced the breach when it discovered it in mid-December instead of a month later. "If our bank had breached security and we had waited over a month after we knew it, we would have regulators down our throat," says Ken Redding, president and CEO of UniBank Savings, a mutual savings bank in Whitinsville, Mass., with $600 million in assets.
  Banks are held to higher standards than are retailers, Redding contends. "Anybody, whether it be a bank or retailer, that's responsible for a breach should pay the cost of the breach," he says.
  America's Community Bankers is among those lobbying for legislation that would require the party at fault in a breach to pay issuers all breach-related costs not already covered by card networks (See sidebar page 38).
  But Dave Hogan, senior vice president of the National Retail Federation, says many smaller issuers reissue so many cards because they do not want to pay for services that large issuers use to monitor compromised cards.
  "What the small banks essentially want is special treatment," Hogan says. "[They] panic and close their accounts rather than monitor them."
  The number of cards breached is a big part of issuers' decisions to reissue or just monitor cards, says Mike Urban, director of operations for CardAlert Services, a fraud-monitoring service offered by Fair Isaac Co. "If it's 80 cards, the issuer may just block those cards right away," he says. "If it's several thousand cards, it may monitor them."
  Issuers or their processors also can set stricter rules for allowing transactions on compromised cards through monitoring services, such as Fair Isaac's Falcon products, that watch customers' cards for suspicious activity, Urban says. "You can write rules to say, 'I won't allow any international transactions for this [compromised] card,'" he says.
  TOUGH ENOUGH?
  Many privacy advocates and small banks complain that card networks have not been tough enough in pushing PCI compliance and in fining acquirers when their merchants do not comply with security standards. A spokesperson for Bank of America, a leading acquirer, says, "We have a plan in place for PCI compliance and are pleased with our progress and the increased adoption of PCI compliance by our merchants," but she would not elaborate.
  But Visa USA president and CEO John Philip Coghlan says he agrees that PCI compliance is inadequate. "We've made progress on that, but, I would submit, inadequate progress on working with merchants to ensure PCI security," he said in a speech at a recent Visa conference.
  Coghlan says slower-than-expected PCI compliance was why Visa announced in December it will offer up to $20 million for acquiring banks to reward their largest U.S. merchants who validate PCI compliance by Aug. 31, as long as those merchants have not been involved in any data compromises. And Visa will link tiered interchange rates to PCI compliance and slap acquirers with stiffer fines when their merchants are not showing reasonable progress toward meeting PCI rules.
  Visa reports that in 2006 it levied $4.6 million in fines against acquirers for non-compliance with PCI, up 35% from $3.4 million fined in 2005.
  MasterCard does not disclose its PCI-related fines, but a spokesperson writes in an e-mail message: "Our goal is to encourage industry-wide compliance, not to levy fines. Understanding the complexity and challenges many merchants face in achieving PCI compliance, if we have evidence that the entity is making every effort to achieve compliance, we will continue to work with them towards that goal."
  Hogan says the retailers he represents want their payment systems to be secure, but while PCI standards keep changing to meet new security threats or industry negotiations, deadlines do not. Hogan adds that many retailers have told the federation they have had to wait several months for acquirers to answer questions about compliance. "It's not unusual to wait six to nine months to get an answer back, if you get an answer back," Hogan says.
  Some merchant security executives would like to see card networks and acquirers get tougher, but only on other merchants, says Julie Ferguson, vice president of Debix, a consumer identity-theft protection company. Debix also is co-founder of the Merchant Risk Council, which has 7,800 members from entities such as merchants, card issuers, security vendors and law enforcement.
  "A few of the merchants I've spoken with are waiting for someone to be made an example of," Ferguson says. "They want that so they can go to their executives and tie financial dollars to it."
  Jennifer Mack, director of compliance management at Cybertrust, agrees that acquirers have not pressured merchants enough until recently. And many large merchants have let the Level 1 and Level 2 PCI compliance deadlines pass without becoming compliant.
  But Mack has seen more progress since Visa ratcheted up the threat of fines and added financial carrots. "We've seen a two-fold increase in calls and on-site visits in the last month and a half since that program went into place," she says.
  Michael Petitti, Ambiron TrustWave senior vice president of marketing, agrees that more progress is needed but adds, "We are way ahead of where we were as far as [PCI] compliance and awareness."
  Petitti says merchants are working toward compliance but at times it can take months to complete. He says many retail security managers have told him they are happy that PCI deadlines mandate security measures so their companies must invest time and money to comply with what they consider common-sense protections.
  Kurt Schaeffer, Global Payments senior vice president of operations, is most concerned about security at the smaller merchants the processor and independent sales organization serves. He says Global can certify PCI compliance of its own products, but many merchants use third-party vendors for equipment and software, some of which may have security vulnerabilities. In those cases, Global tries to alert them to known problems, such as outdated software that does not include the latest security patches. The company also explains how merchants can reduce the likelihood of network hacks through the Internet.
  Global works to educate smaller merchants through sales agents, billing statements, Web-based and printed materials, and Web seminars. But it is especially tough for small merchants to justify spending big bucks on compliance upgrades, Schaeffer says.
  He says Global addresses security on a case-by-case basis, balancing the size of a merchant against vulnerability to a breach. "If we are really worried about it, we'll take action to force the merchant's hand," he says. "If they don't take action, we don't want them as a merchant."
  Neither Petitti nor Mack would discuss any specific breach or client of their PCI-compliance consulting or forensic breach investigation services. But both offered some general observations about merchant security.
  Implementing PCI standards can be difficult for large organizations with sprawling data networks, according to Mack. "They think they know where their data is, but we end up identifying significant numbers of other servers in other parts of the network that they didn't realize this credit card data was flowing through," she says.
  Mack says that is why even merchants who are only required to perform self-assessments of their networks should bring in a third party to double-check their data security.
  Petitti agrees. "A lot of [noncompliance] situations haven't been the direct fault of the merchant," he says. "They're more reliant on third-party services and may have used a point-of-sale software that is not [compliant] or that was not installed correctly."
  Fraud likely never will be eliminated, but perhaps lingering questions about the proper balance between payment security and acceptable risk will be answered, either by industry agreements or by law.
  (c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
