National Retail Federation: Credit Card Companies Don't Care About Data Security

Last Sunday’s 60 Minutes had a report by Lesley Stahl about the now-infamous TJX data breach.

The most interesting conversation was between Stahl and a representative from the National Retail Federation, who placed the blame for lax store security on the credit card companies:

“Is there growing tension between the two sides now?” Stahl asks Dave Hogan, who handles computer technology at the National Retail Federation.

“Lesley, absolutely, there’s growing tension between the two sides,” he replies.

Hogan says credit card companies should change how they do business. “If we could just force Visa and MasterCard to not require retailers to store credit card data, this issue would disappear overnight,” he argues.

Hogan says card companies force retailers to store customer data in case there are charge disputes. He thinks the card companies should hold the data, not the stores.

“Honestly, we can eliminate this problem within a few days,” Hogan says.

“If it’s that easy, why hasn’t it been done?” Stahl asks.

“I’m not too sure how vested the credit companies are as far as securing customers’ data,” Hogan says.

“And you’re saying that the credit card companies are the ones who are not security conscious?” Stahl asks.

“In my humble opinion, no,” Hogan replies.

He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.

“If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream,” Hogan says.

Visa chose not to respond.

Hmmmmm.

The report also had some interesting emails from inside TJX, proving that they did, in fact, know that their wireless encryption was out-of-date and easy to crack. If you’re the paranoid-about-credit type you might want to avoid watching this report. Those who enjoy watching Lesley Stahl learn about WEP and WPA while driving around in a van with a lovable nerd should head on over. She’s so cute!

Hi-Tech Heist [60 Minutes]

Comments


  1. tawker says:

    If .com’s are more secure on the processing and security – why am I paying double the fees for online processing?

    Why is anyone using WEP in the first place? It takes under 30s to crack.

  2. Dead Wrestlers Society says:

    Yeah, I actually flipped to this in the middle of the segment. Pretty scary and annoying to think stores are still today installing WEP even though it is so flawed.

    I tell ya, for a senior citizen, Lesley Stahl is still looking good.

  3. MickeyMoo says:

    Given the AARP+ aged audience of 60 minutes – they could have stressed that most wardrivers are just looking for a connection to check mail, not hack into databases, but overall it was a great insight into the whole TJX mess.

  4. timmus says:

    I am a mail order merchant and I am really jaded about the credit card industry. There have been a couple of times where I’ve received unusual and expensive orders from a Hotmail account shipping to places like Indonesia and Slovenia with a verified U.S. billing address. Neither Visa nor the security division of the issuing bank (Wells Fargo comes to mind) were interested in notifying the cardholder that the card might be stolen. They basically just said to not process the order if I didn’t want to. Apparently they either truly don’t care or see a stolen card as an opportunity to make money (the merchant always gets stuck with the chargeback & the bank keeps all the fees). Bunch of bastards… I start steaming when I see them all running ads suggesting that they’re security-conscious.

  5. Buran says:

    @tawker: People don’t know that WEP is insecure, don’t know how to switch, or are held back by equipment from switching. I had to run WEP for far longer than I wanted to because it took forever for Tivo to roll out a series 3 update that would allow it to support WPA. Once they did, I switched my network over the same day that I got the notification that the update had been installed.

  6. Buran says:

    @timmus: Hmm, if there’s a buyer phone number included (that has an area code that makes sense for the billing address), call them yourself and ask?

  7. Buran says:

    @public enemy #1: For home networks (see my experience), it’s not too surprising though at this point I think most anything out there will work with WPA (even my cell phone does!), so even most home users should be looking at WPA.

    For a business that handles peoples’ personal data, though, there’s just not an excuse. So the WPA gear might occasionally be harder to find or cost more, so what? It’s not worth the beating you’ll take in chargebacks, bad press, and lost customers.

  8. gorckat says:

    Hogan says card companies force retailers to store customer data in case there are charge disputes.

    Gotta break out my old CompUSA buzzsaw :P

    We actually had to keep an imprint of the card and whether that ‘had to’ came from corporate, the credit cards or our processor, I never got a straight answer on.

    If we got a chargeback and didn’t have the imprint, which in a few cases we didn’t (cashiers letting people tear it off the receipt, or a particular phone order ok’d by the GM), we lost regardless of whether or not we had the customer signature.

    We had boxes stacked so high with receipts and imprints in them, when I went looking for them I needed a ladder to get to the top.

    But what is getting stolen is the electronic stuff…what in the world could need to be kept? I know we had a way of looking back ~1 year to see if a card number had run through our system, but we never looked for info that way (for chargebacks, at least- we used it to find customers with a warranty if they lost the paperwork a few times). It was always the physical receipt.

    Guess a lot has changed in 5 years :P

  9. joeblevins says:

    At home, TiVo doesn’t work with anything other than WEP. So that is better than nothing. I just make sure to do my darndest to keep the firewall strong.

  10. Chairman-Meow says:

    The 60 minutes piece was very well done. As a wireless engineer by trade, I am always fighting with customers over security vs accessibility.

    It is also amazing to note that in the early part of the segment while Lesley is driving around at the mall, she only looked at the WEP SSIDs. If you watch again, notice how many of the SSIDs say NO in the security column. That’s far more frightening than the WEPs!!

  11. Rando says:

    wtf? What does not storing transactions have ANYTHING to do with security? If this lady worked for any CC company she’d know that keeping transaction records on file doesn’t jeopardize any security. They’re simply records, MINIMAL records at that. You can’t gain anything from them besides USELESS information that has nothing to do with data breaches.

    With visa transactions, visa account numbers aren’t even stored in the data. What a clueless idiot.

  12. Amelie says:

    “I’m not too sure how vested the credit companies are as far as securing customers’ data,” Hogan says.

    Maybe I’ve been reading “The Consumerist” too long, but this comment is about as obvious as the old, “Is the Pope Catholic?” retort. Unfortunately, a good majority of their viewers will be shocked.

  13. Half Beast says:

    @randotheking: I was wondering the same thing. Unless they are storing entire transaction credentials in these “records” it would seem to not be: A) such a gargantuan task to keep them up and remain compliant with the CC system requirements, and B) not as grave a security hazard available to would-be identity thieves. Of course, this could be some elaborate strong-arm maneuver to wrest some capital in “fines”. Hustle and Cash-flow.

  14. dysthymia says:

    I’m not surprised at all.

  15. ARP says:

    It seems so stupid to keep the actual numbers. Can’t you simply keep the last 4-5 digits and a transaction number? Wouldn’t that be enough to verify the transaction and deal with chargebacks? Or am I ignorant?

  16. Adam Hyland says:

    This isn’t about credit card companies not caring. This is about TJX not following protocol and exposing millions of consumers to potential theft. A representative of a group that is comprised of these retailers decides to put the blame on VISA, rather than the poor security practices of the companies in question.

    NONE of these companies (VISA included) has an incentive aside from negative publicity to keep data secure. they don’t pay the costs, and they certainly don’t pay the externalities.

    But why are we passing some PR bullshit like this off as some revelation about security practices. This is vintage CYA.

  17. parad0x360 says:

    @Buran: You didn’t have to run WEP. Hell, you didn’t have to run anything. Don’t broadcast your SSID, that will keep your average joe out of your network.

    Then set your router up so it only allows certain MAC addresses to connect. Can’t hack into a router if the connection is denied. MAC spoofing you say? Well if they have access to your PC to get a MAC to spoof you have already lost.

  18. Adam Hyland says:

    @parad0x360:

    physical access should be assumed. Presumably I could just overturn a wireless device known to be on the network and use that MAC.

  19. MaxRC says:

    Credit card companies focus on two things:

    1. Making it easy for people to use credit cards.
    2. Protecting themselves in event of fraud.

    This has led to the flawed system that we have today where there is no assured way of confirming card holder identity and the merchant bearing almost all risk of fraudulent transactions. If you think B&M shops have it hard, just ask someone running an internet store. It is shockingly easy for someone to call their credit card company, “swear” that their card number was stolen, and have that charge reversed. Not only is the merchant hit with the loss, but also an insulting $10 chargeback fee. If credit card companies wanted to reduce fraud, give merchants an assured method of authenticating the card holder’s identity.

  20. joemacd says:

    The comments are missing the point of this blog post, and that is the fact, and yes I say “FACT”, that credit card companies do not care about data security.

    In fact, if they did care, it would be regarding how they wish the current insecurities would remain as long as possible.

    As a merchant who accept credit cards, let me expand on how the system works…

    1) Somebody attempts to make a purchase which, for the purposes of this discussion, is fraudulent. Either the card is stolen, or the number has been stolen and grafted onto a seemingly valid card.

    Let’s also assume that the valid owner has not reported the card stolen yet.

    Either way, at this point there is absolutely no way for the merchant to know that this purchase was invalid.

    2) The transaction succeeds because the credit card company’s authorization system has either failed to spot the fraudulent use, or the system hasn’t been informed of the theft yet.

    Either way, the merchant has now allowed the perp to leave the store with the merchandise.

    3) Some days or weeks later, the merchant will receive notice that the credit card company is investigating the charges.

    Now, it goes two ways:

    a) if the purchase happened online, then the merchant gets hit with a chargeback. So not only did they lose and ship the merchandise, but now they are losing the money and possibly getting hit with fees as well, or

    b) If the purchase happened at a store, then the card owner will be notified that they took too long to notify the card company about the lost card, and so they are liable for the charges.

    Sure, there are some cards that supposedly protect you from fraudulent purchases, but the terms are so strict that it rarely completely protects the cardowner.

    In other words, heads I win, tails you lose.

    Only on a very small number of occasions does the credit card company actually suffer any kind of loss. And in virtually every case, there are fees and charges that do not get refunded, which means that the card company still gets its cut of the purchase – fraudulent or not.

    Not only that, but a large portion of fraudulent purchases go unnoticed, which means that the card companies collect their fees no matter what.

    The important thing to remember is that credit card companies only actually earn 2 or 3 percent of any given purchase. So as long as they can find a way to keep that minimal cut and push the rest of the charges back on the merchant or client, they are still getting paid while somebody else suffers the loss.

    As long as this system stays in place, the credit card companies actually PROFIT from every fraudulent purchase that happens.

    So where is the incentive for them to change?

  21. Adam Hyland says:

    @MaxRC:

    They DO have methods to verify identity and prevent fraud, but most stores don’t do them either out of a sense of convenience or cost. when was the last time you got carded OR EVEN HANDED your card to a B&M store? I’ve probably gone 5 months without being carded and probably 10-12 transactions since the card has left my person and been handed to a store employee.

    As for online stores, there are numerous methods in place to verify identity in such a manner that it makes a reversal easy to contest. How many online stores don’t ask for a billing address? How many online stores require a phone call or fax? These are options, they are distasteful because of convenience, but they are options. Also, how about stores that use Visa’s security program:

    [usa.visa.com]

    It’s a pain in the ass because it is another number to remember, but makes transactions unreputable for most cases.

  22. Buran says:

    @parad0x360: It was either no encryption at all or WEP, and I never said I didn’t employ other security measures as well, but there was curiosity about why people still use WPA.

    And you don’t have to actually connect to a router to eavesdrop on radio traffic.

  23. vastrightwing says:

    Headline: Credit card companies not only rip off consumers with high fees and interest rates, but stick it to vendors too. Sweet!

  24. vastrightwing says:

    Headline: Credit card companies not only hit consumers with high fees, charges and high interest rates, they stick it to their vendors too. Sweet!

  25. r4__ says:

    @parad0x360:
    As someone who has a wireless card that’s capable of entering monitor mode, I can tell you flat-out you’re wrong. I can observe the MAC of any computer participating in a wireless network, as it’s simply part of the protocol that isn’t encrypted at all. The point of a MAC is that it’s supposed to be unique to that network segment, but otherwise it can be whatever you desire.
    I hate analogies but it’s basically a hand-written nametag saying “I’m bill’s computer, talk to me”. What, you have a piece of paper and a pen too? I guess you’re bill’s computer as well. MAC filtering isn’t even security theater, it’s down there below not broadcasting the ESSID in terms of effectiveness. Anyone who would drive around in a van looking for wireless networks will have a card that can get around it.

    If you can’t use WPA security on your home network, you may as well think of everything you transmit being eavesdropped on (thank god for HTTPS, huh?). If you can’t use WPA in a business setting, you’ve got to make sure your data is encrypted endpoint-to-endpoint in another fashion. (VPN, only using encrypted protocols with authentication, etc)

    But even WPA isn’t invulnerable to attack… the arms race continues, I suppose.

  26. MaxRC says:

    @Hyland: Get carded? Visa, MC, and Amex all prohibit asking for additional forms of ID by merchants. Why don’t some merchants ask to see the credit card? Because it doesn’t provide any identity verification. What would seeing the card tell them? That there is a signature on the back? What identity verification does seeing a signature provide?

    For online stores, just getting a valid billing address is useless. Even if the card is processed to have a *FULL* address match, the transaction is still subject to chargebacks. And what does a phone call accomplish other than confirming that whoever placed the order has access to a phone? There are steps that online retailers can perform to improve their odds of winning a chargeback, but none of it is particularly effective.

    The current credit card system still works purely because most people still don’t realize how easy it is for them to file chargebacks. But once people catch on, the current credit card system will be about as trustworthy as the current paper checks system.

  27. Adam Hyland says:

    @MaxRC:

    I’d like a source on the no-id prohibition.

    This isn’t about eliminating chargebacks, this is about providing some means to repudiate transactions. If you file a chargeback for a product you received, then you are committing fraud, plain and simple. The more information that the company retains, the easier it will be for them to seek a civil judgement against you.

    Your check analogy provides some information, but it isn’t really the right one. The nature of check payments allows people to float bad or fraudulent checks, so the passage of those checks are connected to a drivers license or other form of ID. This is mostly because the means to check if sufficient funds are present don’t exist (by design) for checks.

  28. Rando says:

    @ARP: Companies do NOT keep entire numbers on file within transactions. It’s against PCI compliance. The biggest security breaches happen DURING the transaction. The account number absolutely has to be transmitted to the company so they can actually charge/credit the customer, etc.
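ARP (comment 15) asks whether keeping only a few digits and a transaction number would be enough to deal with chargebacks, and Rando (comment 28) answers that keeping the whole number is against PCI compliance. The following is an added example, not code from the post or from any card brand or processor, of what a merchant record can hold when it keeps only what a chargeback defence needs (the authorization code, a card-present flag, the amount, and a PAN truncated to first six and last four, which is the most PCI DSS allows in the clear) plus a keyed-hash token so the same card can still be matched across transactions for things like warranty lookups. It also includes a scanner for full card numbers that have leaked into logs or exports, since that is where the "electronic stuff" tends to pile up. The record layout, the token key and the log line are all constructed; 4111111111111111 is a standard test card number.

```python
"""Keep what a chargeback needs without keeping the card number.

Added example for this thread, not code from the post or from any card brand.
The record layout, TOKEN_KEY and the sample log line are constructed.
"""
import hashlib
import hmac
import re

# Secret used only to derive a lookup token. In practice it lives in an HSM or
# secrets vault, never in the same store as the records. Constructed value.
TOKEN_KEY = b"example-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Luhn check: every second digit from the right is doubled, then summed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS allows in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash: lets you find every transaction on the same card (warranty
    lookups, repeat-fraud checks) without the PAN ever being stored."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def chargeback_record(pan: str, auth_code: str, amount_cents: int,
                      terminal_id: str, card_present: bool) -> dict:
    """Build the record a merchant keeps after the sale: authorization code,
    amount, terminal, card-present flag and a truncated PAN the customer can
    recognise on a dispute. No full PAN, no track data, no CVV."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible card number")
    return {
        "pan_masked": truncate_pan(pan),
        "pan_token": pan_token(pan),
        "auth_code": auth_code,
        "amount_cents": amount_cents,
        "terminal_id": terminal_id,
        "card_present": card_present,
    }


# Digit runs of 13 to 19, allowing the space or dash separators printed on receipts.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_stored_pans(text: str) -> list:
    """Scan a log or export for full card numbers that should not be there.
    The Luhn check filters out most order numbers and timestamps."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample: a POS-style log line that leaks the full PAN, beside the
# record this code would store instead.
LEAKY_LOG = "2007-10-01 12:05:33 term=T07 sale card=4111 1111 1111 1111 auth=A1B2C3 amt=4995"
SAFE_RECORD = chargeback_record("4111111111111111", "A1B2C3", 4995, "T07", True)

if __name__ == "__main__":
    print("leaked PANs in log:", find_stored_pans(LEAKY_LOG))
    print("stored record:", SAFE_RECORD)
```

The token is a keyed HMAC rather than a plain hash because a bare SHA-256 of a 16-digit number with a known BIN range is trivially brute-forced; with the key held elsewhere the stored token is useless on its own. Run the scanner over receipt exports and POS logs periodically: the full numbers that get stolen are usually the ones nobody knew were being written.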

  29. johnva says:

    @parad0x360:

    It’s trivially easy to defeat both SSID-broadcast disabled and MAC filtering. Readily available software will reveal the SSID within seconds if there is traffic passing over the network. And they don’t need access to your computer to figure out the MAC address. They can observe what MAC one of your authorized computers is using and just clone their computer to match that. It gets broadcast in the clear, so it’s not like it’s a secret key. The only thing these techniques are really useful for is to prevent people from accidentally connecting to your network. They shouldn’t be thought of as security.
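The point parad0x360, Adam Hyland, r4__ and johnva argue over above comes down to one fact about 802.11: the MAC header and the management frames are never encrypted, whatever WEP or WPA does to the payload. The following is an added example (not code from the post or from the 60 Minutes segment) that parses three hand-built frames to show exactly what an eavesdropper in monitor mode gets for free: the transmitter MAC of every station on a WEP-protected link, and the SSID the access point leaves out of its beacons but still spells out in probe responses. The BSSID, the station MAC and the name StoreNet are made up.

```python
"""What an eavesdropper sees on a WEP or open network: MACs and SSIDs.

Added example for this thread, not code from the post. The frames below are
constructed by hand from the 802.11 header layout; the MACs and SSID are made up.
"""
import struct


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header; for beacons and probe responses
    also pull the SSID element out of the (never encrypted) management body."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    info = {
        "type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "reserved"),
        "subtype": subtype,
        "to_ds": bool(flags & 0x01),
        "protected": bool(flags & 0x40),  # WEP/WPA encrypt only the body
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),       # transmitter address, always in the clear
        "addr3": mac(frame[16:22]),
        "ssid": None,
    }
    if info["type"] == "mgmt" and subtype in (8, 5):  # beacon, probe response
        pos = 24 + 8 + 2 + 2  # skip timestamp, beacon interval, capability
        while pos + 2 <= len(frame):
            tag, length = frame[pos], frame[pos + 1]
            if tag == 0:  # SSID element; zero length is what "hidden" means
                info["ssid"] = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
                break
            pos += 2 + length
    return info


def station_macs(frames) -> set:
    """Addresses a MAC filter would accept: every station that sent a data
    frame toward the AP (ToDS=1), encrypted or not. These are what gets cloned."""
    return {f["addr2"] for f in map(parse_frame, frames)
            if f["type"] == "data" and f["to_ds"]}


def ssids_by_bssid(frames) -> dict:
    """A hidden SSID still appears in probe responses once any client joins."""
    return {f["addr2"]: f["ssid"] for f in map(parse_frame, frames) if f["ssid"]}


# --- constructed capture -----------------------------------------------------
def _hdr(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1, 0x00, 0x00]) + a1 + a2 + a3 + b"\x00\x00"


def _ie(tag, data):
    return bytes([tag, len(data)]) + data


AP = bytes.fromhex("001122334455")   # made-up BSSID
STA = bytes.fromhex("00aabbccdd01")  # made-up point-of-sale terminal
BCAST = b"\xff" * 6
_FIXED = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"  # timestamp, interval, capability (privacy bit set)

FRAMES = [
    # beacon with SSID hidden: the SSID element is present but empty
    _hdr(0x80, 0x00, BCAST, AP, AP) + _FIXED + _ie(0, b"") + _ie(1, b"\x82\x84\x8b\x96"),
    # probe response to the terminal: the AP names the SSID anyway
    _hdr(0x50, 0x00, STA, AP, AP) + _FIXED + _ie(0, b"StoreNet"),
    # WEP data frame terminal -> AP (ToDS=1, Protected=1): IV + key id + opaque ciphertext
    _hdr(0x08, 0x41, AP, STA, bytes.fromhex("0a0a0a0a0a0a")) + bytes.fromhex("01020300deadbeefcafe"),
]

if __name__ == "__main__":
    for f in FRAMES:
        print(parse_frame(f))
    print("station MACs a filter trusts:", station_macs(FRAMES))
    print("SSIDs recovered:", ssids_by_bssid(FRAMES))
```

Against a real network you would feed the parser frames from a monitor-mode interface instead of `FRAMES`; nothing in the header changes when the body is encrypted, which is why the "protected" frame still yields the terminal's MAC. The filter cannot tell a cloned address from the original, so the only control that actually holds here is the encryption and authentication on the link itself.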

  30. Benstein says:

    Glad to see a mainstream news report on this. It was a good report too, wardriving, talking about WEP, WPA… definitely a good watch.

  31. Adam Hyland says:

    @randotheking:

    Thank you. Although I would say that the biggest breaches occur when PCI is ignored.

    I still want to know why consumerist is letting the NRF blow smoke up our asses.

  32. meballard says:

    I’m curious about the not asking for other ID too. I know the companies can’t record anything from your ID, swipe it, or do anything other than a visual check, but I haven’t seen anything that says they can’t do a visual check of another ID, and have had it happen many times (although not since I got a BoA card with my picture on it, and when they do, I point out the picture).

    On the security front, anything short of good encryption can almost always be worked around (and good encryption can potentially be worked around, but it takes much much longer, and isn’t generally practical for a hacker).

  33. scoosdad says:

    I don’t get it.. these are stores. Why are they using wireless instead of a piece of CAT5?

  34. mac-phisto says:

    @scoosdad: b/c they’re too cheap to hire a technician to run wires. just like they’re too cheap to hire a technician to make their wifi secure. just like they’re too cheap to follow the proper protocols for data retention.

    of course nrf & tjx are going to play the blame game. where the hell do you find room on a balance sheet for $1.7 billion?

    & for the shills in the room – chargebacks are not easy peasy. in fact, it’s the exact opposite. all you need as a merchant to prevent a chargeback is 3 items -> an authorization (auth. number transmitted at completion of sale), proof that card is present (full mag read) & a signature. THAT IS IT!!! nothing else is required. if you can’t handle that bit of information, you obviously can’t handle accepting credit cards (one would also question your ability to correctly produce change from a dollar bill).

    visa doesn’t require merchants to digitize their data. merchants began doing that b/c data retention in digital space costs a fraction of retention in physical space. yet another example of merchants being cheapasses. what a surprise.

  35. Buran says:

    @mac-phisto: Or sometimes it’s just not feasible to have a cable drop. I have wifi installed on my tivo because it’s just not feasible to use cat5 where the TV is.

  36. Adam Hyland says:

    @mac-phisto:

    thanks, Mac. Also, lol@the final cost of that data breach.

    It’s really too bad that they won’t really bear the full cost of that.

    http://www.acsac.org/2001/papers/110.pdf

    Pretty good paper (PDF alert!) on why this business doesn’t have the incentives to protect cardholder information.

  37. Adam Hyland says:

    @Buran:

    A business has a little higher threshold for security than your Tivo. If it isn’t feasible to run cabling (and it maybe isn’t), then there should at least be physical and network separation between components that are in the data path for CC and components (like bar code scanners on the floor and information kiosks) that are not.

    And even those systems can be secured on the wireless front. To not do so is basically negligence.

  38. meballard says:

    Ideally the systems should be using good wireless encryption, and encrypting the data streams it sends over the network. Also ideally, some form of key identification should be used for any device to connect to the servers, dramatically decreasing the ability to attack the servers at the other end (with a firewall blocking all but the encrypted/key requiring port), but of course this all costs money and time…

  39. BenjaminWright says:

    National Retail Federation artfully suggests merchants achieve card data security by reducing their storage down to just the transaction authorization code. But — get this — storage by a merchant of that very code would have been forbidden under legislation passed by the California legislature in September (Assembly Bill 779)! The California governor wisely vetoed the bill. Judging from public statements, no one in the legislature understood how counterproductive AB 779 would have been. Legislators did not understand the words they were writing into their bill. Lesson: state legislatures are best advised to stay out of this dynamic topic and let the industry players work it out among themselves.

    –Benjamin Wright