Retailers just can’t seem to put the scandal over safeguarding customer data behind them.
The issue hit the headlines last January when TJX Cos. Inc., the parent company of TJ Maxx and Marshalls, revealed an intrusion into its computer systems that ultimately affected an estimated 45.7 million accounts for customers in the U.S., Canada, Puerto Rico, the United Kingdom and Ireland. Other retailers, such as Polo Ralph Lauren, Victoria’s Secret and DSW Shoe Warehouse, have also suffered security breaches in recent years. Polo customers’ credit card information stolen in 2005 was found in the hands of European cyber thieves as recently as this past summer.
While retailers that had breaches have fixed the problem, the issue continues to bubble up. Most recently, “60 Minutes” late last month aired a segment that claimed retailers aren’t doing enough to safeguard customer data — which ran just in time for the key holiday shopping season.
Industry observers said the show was fair and accurate in its main points, but one example might have led the public to think the problem is actually worse than it is. Specifically, the program might have caused the typical viewer to confuse credit card theft with identity theft and left viewers with the impression they are more vulnerable than they actually are when using a credit card in a brick-and-mortar store. A segment showing how criminals auction stolen information online used an example of data that was most likely stolen from a bank rather than a retailer. In reality, it would be impossible for data thieves attacking only a retailer to get their hands on a customer’s Social Security number, mother’s maiden name and ATM card and pin numbers. Typically, they would get only credit card numbers, addresses and cardholder names because that is all retailers collect.
Nonetheless, security lapses, both in retail stores and elsewhere, are on the rise and becoming a major public concern. Since September, Home Depot, Gap, Blockbuster and Art.com have reported hacking or other incidents that put personal data at risk.
Recent lapses at government agencies have added to the sense the data security problem is out of control. In the United Kingdom, personal data on 25 million people — nearly half the population — was put at risk for fraud when two government disks containing unencrypted data on recipients of child benefits went missing in the mail. Also last month, Social Security numbers for 185,000 U.S. military veterans were put at risk by the U.S. Department of Veterans Affairs. This incident followed the 2006 debacle when personal information on 26.5 million veterans was compromised.
This story first appeared in the December 11, 2007 issue of WWD. Subscribe Today.
In the retail world, executives said there is plenty of blame to go around. Many retailers are not yet compliant with security standards established by the credit card companies, known as PCI, said Dave Hogan, chief information officer for the National Retail Federation. As of October, 65 percent of the largest merchants are compliant, up from 36 percent in December 2006. Among medium-size retailers, compliance grew from 15 percent in December 2006 to 43 percent as of the end of September this year, according to the most recent report from Visa.
“Right now this standard is the best defense against having credit card data stolen,” said Bob Russo, the general manager of the PCI Security Standards Council, which manages and promotes adoption of the standards. “If you look at the major breaches we’ve read about in the last four or five years — and there have been some pretty big ones — if those merchants had been compliant with the standards we have now, you would not have been reading about it in the paper.” (PCI standards have been available for just two years.)
In October, as reported, the NRF sent a proposal to the PCI Council, suggesting retailers jettison customer data so there is nothing for thieves to steal. In theory, merchants could keep only an authorization code and a physical receipt with the truncated credit card number, date, store location, dollar amount and customer signature. In the event of a disputed charge, the bank that issued the credit card would provide the card number and customer name. Hogan championed the idea on “60 Minutes,” and said credit card companies are to blame for requiring retailers to keep unnecessary information. He also speculated that card companies back PCI security standards instead of the NRF proposal so they can earn revenue from fining retailers that don’t comply.
Russo of PCI wholeheartedly agreed retailers should retain as little customer information as possible. Credit card member associations and the PCI Council do not require retailers to retain customer data, but some issuing banks might, he acknowledged.
A handful of retailers are already disposing of customer data, and a handful more plan to, according to Hogan, even if it means they may have to eat the cost of the transaction in the case of a disputed charge, he said.
Meanwhile, PCI compliance is not an ironclad guarantee of security. Criminals discover new loopholes to exploit, and PCI does not address every type of vulnerability.
Some retailers said the credit card industry could bolster security by investing in biometrics technology to authenticate a consumer’s identity, but Visa and MasterCard have resisted that path. Biometrics, which use a shopper’s fingerprint to verify identity linked to a credit card account, is more secure than traditional signature- and PIN-based transactions because the unique pattern on a finger is more difficult to steal and forge than signatures and PIN numbers.
“Visa and MasterCard still have not done enough to protect consumers,” said one chief information officer, who requested anonymity, but whose multibillion-dollar chain has been PCI-compliant two years, long before many companies.
“For example,” he said, “why are Visa and MasterCard encouraging retailers to use signature-based debit versus PIN-based debit? A PIN-based transaction is more secure…but they make more money on a signature-based transaction” by charging retailers a higher fee for that type of transaction. In some cases, consumers pay a fee if they opt for PIN-based payment instead of signing their names.
However, many retailers operating on thin margins might resist measures that would require them to install additional equipment at every register because it would be too costly, said Russo.
One upside of the widely viewed “60 Minutes” program is increased awareness among executives holding the purse strings to fund security upgrades, said Cathy Hotka, principal of Cathy Hotka & Assoc. of Washington. “It’s not like the story is new. It’s getting a little long in the tooth but increased awareness is a good thing.”
Another retail chief information officer who requested anonymity said, “A smart cio who has a difficult time convincing his chief executive to [invest in security] can take this segment, show it to him and that makes the ceo legally responsible. When the cio says, ‘Look, we have an exposure,’ it becomes a completely different issue.”
Zeke Duge, a former retail chief information officer, said, “You can’t get the bean counters to spend to do the right thing until the risk is insurmountable.” He suggested that if any technology executive at TJX raised concerns about the vulnerability prior to the breach, that person is probably taking some heat now, because, if the risk exposure is documented, TJX can’t claim ignorance, only that it took a calculated risk.
Meanwhile, the fallout from the TJX breach continues to reverberate. Banks suing the chain to recover card replacement and other costs allege the number of records compromised could be double what TJX claims, or about 94 million. TJX, which sticks by its original estimate of 45.7 million customer records, reached a settlement with Visa and Fifth Third Bancorp late last month for up to $40.9 million.
But even more serious than fines and legal liability is the risk of losing customers. “It’s not good for business,” said Russo. “You have no tangible way of knowing how many of your customers will not shop with you anymore. What [a break-in] does to your brand is immeasurable. Now you have to plan for security in this business. If you don’t, you could literally go out of business.”