When American Express and Diners Club introduced the first credit cards in the 1950s, few people could have anticipated their present-day popularity. And even fewer could have anticipated the creative ways identity thieves would find to conduct credit card scams.
They install cameras in and around ATMs, engage in sophisticated online phishing schemes, and hack into large databases to obtain Social Security numbers, credit card numbers and driver's licenses. Through the Internet, thieves buy and sell those numbers, as well as scamming devices and blank credit cards that can be imprinted with stolen numbers. In today's technology-driven culture, identity theft has become a big business.
One out of three Americans has been affected by identity theft. Those affected know all too well how it can wreak havoc on credit ratings and the ability to obtain new credit. It can also affect their future job opportunities by tainting (albeit with false information) background and credit history checks. The consequences of identity theft can take years to correct.
While the average individual affected by identity theft loses about $8,000, credit card companies face the greatest financial losses. In most situations involving the use of stolen credit cards, the affected consumer is charged a $50 card-replacement fee, while the credit card companies pay the remaining fraudulent charges.
TJ Maxx incident
In one breach alone, credit card companies can incur millions of dollars in losses. For example, hackers sitting in the parking lot of a TJ Maxx store in Minnesota used a wireless card and an empty Pringles can to intercept consumer information transmitted via an improperly secured wireless connection to the company's database.
At the time, TJ Maxx collected and stored plenty of consumer information in its database: credit and debit card numbers, card expiration dates, security codes and other "tracking information" from the magnetic stripe on the back of each card, as well as the cardholder's name and zip code. The hacking reportedly continued for many months, and by the time it was identified and contained, the hackers had potentially accessed the identities and card information of over 45 million consumers. TJ Maxx settled with Visa and the bank that processed its credit cards for $40.9 million.
Currently, credit card companies (who have banded together as the Payment Card Industry Security Standards Council) are attempting to enforce the "PCI DSS" guidelines, the Payment Card Industry Data Security Standard. First issued in 2005, the guidelines are now backed by greatly increased enforcement efforts that started in December 2007. Many organizations are still skeptical about whether they actually have to comply, because the PCI requirements are guidelines, not laws. Those taking the "wait and see" approach could be in for a rude awakening, particularly if they suffer a security breach involving credit card data.
As part of their new enforcement efforts, credit card companies have been scrutinizing identity-theft incidents, looking for any links to organizations that accept credit cards. If they identify anything even slightly suspicious (such as multiple victims of identity theft who happened to shop at the same retailer), they request that the organization complete a detailed questionnaire about its PCI compliance.
In addition, they sometimes also request permission to conduct a forensic audit of the organization's credit card security systems. For businesses that fail to cooperate or are otherwise found to be out of compliance with the PCI requirements, the credit card companies are imposing fines of $5,000 to $10,000 per day, and threatening to withdraw credit card privileges.
For those that suffer security breaches while out of compliance, the fine goes up to $500,000 per incident.
Compliance with the PCI guidelines can be a daunting task. The guidelines require merchants to fulfill 12 broad security standards, which is the easy part. The difficulty comes in the details, as each standard includes a whole set of compliance requirements. Certain requirements must also be incorporated into training and written policies. And, on an ongoing basis, the organization must fulfill the requirements for periodic auditing, which vary depending on the number of credit-card transactions processed annually.
However, when merchants compare the cost of compliance (about $10,000 to $150,000, depending on the baseline level of compliance and the complexity of the organization's credit card mapping) to the cost of a TJ Maxx situation, they realize the benefit of being proactive.
Companies that comply are able to avoid the steep fines imposed by credit card companies if a security breach occurs (although they must still comply with the state reporting obligations for certain types of security breaches). In addition, organizations that comply may also be able to negotiate a better rate with the credit card companies, offsetting some compliance costs.
To date, only one state has adopted some of the PCI DSS requirements into law. Not surprisingly, it's Minnesota, where the TJ Maxx breach occurred.
It remains to be seen whether other states will follow Minnesota's lead. It also remains to be seen whether the credit card companies, in their non-regulatory capacity, can actually enforce the PCI DSS guidelines to the extent that they are claiming. Let's hope that we don't have to go back to carrying around wads of cash.
Antokol is a partner with Indianapolis-based law firm Baker & Daniels LLP and chairs the firm's privacy and data management group. Views expressed here are the writer's.