NEW YORK — Retailers are double-checking their point-of-sale systems for vulnerabilities after recent disclosures that customers’ credit card information may have been compromised at Polo Ralph Lauren and DSW Shoe Warehouse.
The two incidents have kicked off a major dispute about who is liable when credit card data is stolen: the credit card companies, the banks, the retailer or the software provider.
DSW Shoe Warehouse revealed that 1.4 million customer credit card numbers were stolen, according to findings of an investigation launched in March. In addition, transaction information involving 96,000 checks, including account numbers and driver’s license numbers, was stolen, according to a customer alert posted on its Web site. DSW is working to contact those customers at risk for fraud.
Polo discovered that it had improperly retained certain credit card information in its POS software. The company launched an internal investigation after being notified last fall that some of its customer data might have been stolen, Polo said in a written statement last week. Credit card companies contacted Polo, according to published reports.
Polo acknowledged that its POS system may have been storing customer credit information from June 2002 until December 2004, a capability that came with the software “unbeknownst to us,” a spokeswoman said in an interview. The information was purged last fall, and steps were taken to prevent information from being retained, she said.
Polo said the POS issue affected all Polo Ralph Lauren stores, including factory outlets, in the U.S. The problem did not affect polo.com, Club Monaco or any stores abroad, a spokeswoman said. She verified that Polo is not contacting customers directly about the possible credit card information problem and is instead instructing stores and its call center how to handle concerns as they arise.
“We believe it is the responsibility of the issuing bank to notify customers,” a Polo Ralph Lauren spokeswoman said on Wednesday. HSBC North America last week began notifying 180,000 customers holding General Motors-branded MasterCards that they may be at risk for credit card fraud and should destroy and replace their cards.
“We are clarifying this is not ‘identity theft.’ It is ‘credit card fraud,’” she said when asked what employees are telling customers. “It is also important to note that the potential exists but there is no evidence that a [security] breach has been made.”
Polo uses Tradewind POS software from Datavantage Corp. of Cleveland, according to a press release the software company issued in January last year.
Tradewind product manager Tom MacDonald and a Datavantage spokeswoman declined to comment on whether the problem at Polo could affect other retailers that use Tradewind and referred the matter to another Datavantage spokesman. He also declined to comment and referred the matter to Datavantage’s parent company, Micros Systems Inc. A call was not returned by press time.
Two retail chief information officers, whose companies also use Datavantage POS software and who requested anonymity, said the Polo news prompted them to examine their systems, but they found that they were not improperly storing credit card data. Neither believes the POS system itself was the source of the problem at Polo.
A third CIO, who also wished to remain anonymous, said he did not wish to venture an opinion on who was to blame in the Polo case, but said the latest version of Datavantage’s software does not improperly retain credit card information.
All three CIOs attended the Datavantage user conference in Las Vegas this week, where the Polo incident was much discussed, according to the third CIO. In particular, the issue of who is liable in such situations — the credit card companies, banks, retailers or software vendors — was hotly debated.
While Polo did not specify what information it was improperly retaining, security standards issued by credit card companies spell out what information retailers can retain and how it must be stored. Visa USA’s guidelines, known as CISP, or Cardholder Information Security Program, have been in place since June 2001. Retailers are allowed to keep records of customer names, account numbers and expiration dates, but cannot store them together. They also must dispose of CVV2 data, the three-digit security number on the back of the card, immediately after using it.
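The retention rules described above are the kind of check the retailers quoted here were running against their own POS systems. The following script is an added example, not code from the article, from Datavantage or from Visa: it audits a set of stored POS transaction records and raw log lines against the two rules as the article states them (CVV2 must not be retained after use; name, account number and expiration date must not be stored together). The record field names, the sample records and the log lines are all constructed for the example; a real audit would map them to whatever the POS software actually writes to disk.

```python
import re
from typing import Dict, List

# Constructed sample of POS transaction-store records (not real card data;
# the PANs are standard test numbers). Field names are an assumption.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"txn_id": "T1001", "name": "A. Customer", "pan": "4111111111111111",
     "exp": "12/07", "cvv2": "123"},            # retains CVV2 and the full triple
    {"txn_id": "T1002", "pan_last4": "1111", "exp": "12/07"},   # only last four: fine
    {"txn_id": "T1003", "name": "B. Customer", "pan": "5500000000000004",
     "exp": "03/08"},                           # name + PAN + expiry together
    {"txn_id": "T1004", "pan": "5500000000000004"},             # PAN alone
]

# Constructed sample of free-text POS log lines (not real data).
SAMPLE_LOG = [
    "2004-11-03 14:22:01 AUTH pan=4111111111111111 exp=1207 cvv2=123 amt=89.00",
    "2004-11-03 14:25:17 AUTH pan=************1111 exp=1207 amt=45.50",
]

# Fields that hold sensitive authentication data and must be discarded
# immediately after the authorization that used them.
SENSITIVE_AUTH_FIELDS = ("cvv2", "cvc2", "cid", "track1", "track2", "pin")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string is a plausible card number (13-19 digits, Luhn valid)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:               # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(rec: Dict[str, str]) -> List[str]:
    """Check one stored record against the retention rules; return a list of findings."""
    findings = []
    txn = rec.get("txn_id", "?")
    # Rule 1: CVV2 (and other sensitive authentication data) must never be retained.
    for field in SENSITIVE_AUTH_FIELDS:
        if rec.get(field):
            findings.append(f"{txn}: retains {field}")
    # Rule 2: name, full account number and expiration date may each be kept,
    # but not stored together in the same record.
    has_full_pan = luhn_ok(rec.get("pan", ""))
    if rec.get("name") and has_full_pan and rec.get("exp"):
        findings.append(f"{txn}: stores name, account number and expiration date together")
    return findings


def audit(records: List[Dict[str, str]]) -> List[str]:
    """Audit every record and flatten the findings in record order."""
    return [f for rec in records for f in audit_record(rec)]


# Free-text scan for the same problems in raw logs: a run of 13-19 digits that
# passes the Luhn check is treated as a cleartext PAN; masked PANs do not match.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2|cvc2|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def scan_log_line(line: str) -> List[str]:
    """Return findings for one log line: cleartext PANs and retained CVV2 values."""
    findings = []
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(f"cleartext PAN ending {m.group(1)[-4:]}")
    if CVV_RE.search(line):
        findings.append("CVV2 retained")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("record:", finding)
    for line in SAMPLE_LOG:
        for finding in scan_log_line(line):
            print("log:", finding, "|", line)
```

The Luhn filter keeps the free-text scan from flagging timestamps, amounts or order numbers as card data, and the masked PAN in the second log line produces no finding, which is the state a retailer wants its stores to be in. Running the structured audit over an export of the POS transaction store, rather than over live systems, is the practical way to answer the question the anonymous CIOs asked of their own installations.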
Polo did not apparently violate any laws by retaining the information, but the penalties from the credit card companies can be severe, said Greg Buzek, an expert on point-of-sale systems and president of IHL Consulting Group.
“The advice I give clients is only collect the data you really need. Why have extra data you don’t need?” said Lisa Sotto, partner of New York-based Hunton & Williams and head of the legal firm’s Regulatory Privacy and Information Management Practice. “What I would like to know is how often does this happen [elsewhere]? My guess is it happens far more frequently than we know.”
The third cio said that retailers’ security issues go beyond retaining CVV2 data, and that all retailers are vulnerable in other ways. For example, many retailers, especially multichannel merchants, have half a dozen different systems that take in credit card information and send it to other systems, sometimes in an insecure fashion, and the interactions between the systems create vulnerabilities.