Whether it was last year's TJX revelations about how bad security can get (TJX to the SEC: The bad guys were able to get a copy of our encryption key, but not to worry: they grabbed the data before we had a chance to encrypt it so the joke's on them) or this year's Hannaford details, where a PCI-compliant retailer lost data in transit while it was flowing through a secure private pipe, almost every assumption today is being challenged.
With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite brain-teasers surrounding credit card security issues. How many can you figure out? (No, there are no right answers, other than accepting cash.)
An Africa-based cyberthief—who is an accomplished identity theft specialist—grabs a notebook full of personal information and zeros in on the particulars of a Pittsburgh man named Smith.
Using the tried-and-true Help Wanted trick to hire a dupe willing to ship him goods for a fee, he gets a rerouter from Pittsburgh. The thief then successfully applies for a credit card. He then takes the legitimately-issued credit card (the application was entirely fraudulent, but the card was issued through the bank in a proper fashion) and uses it on the E-Commerce site of a well-known e-tailer, which racks up a healthy $5,000 charge on a card-not-present transaction.
The items are shipped to a nearby location in Pittsburgh, where the thief tells the retailer that he recently moved. Given that the new location is in a neighboring Pittsburgh ZIP code, no alarms are triggered. The rerouter ships the goods to Africa.
Two weeks later, the bills arrive and Smith discovers and reports the fraud to his bank, which cancels the card. The consumer owes nothing.
The retailer, however, is told by the bank to eat the $5,000 charge in addition to the cost of the merchandise itself. Had that thief used that card in that retailer's brick-and-mortar storefront, the roles would be reversed and the banks would cover all costs.
Officially, it's the absence of the receipt that makes the difference. But the retailer did nothing wrong. Indeed, had that retailer refused the transaction, it could have been in serious trouble with the brand and the bank. What choice did that retailer have?
So why is the retailer penalized here, when it was the bank's team that improperly issued that card and didn't do sufficient investigation of the application?
"They do it because they can," said Dave Hogan, the CIO for the National Retail Federation. "If (the brand and the banks) can shift the risks somehow, they will."
A large retail chain with many franchisees discovers a major data breach involving payment cards. It turns out that the breach started because of the actions of a not-so-careful employee at one of the franchisees.
Who is legally responsible for the breach? (Note: This wonderful brain-teaser came from the overly-teased brain of Mark Rasch, the former head of the U.S. Justice Department's white-collar crime division and now in private practice specializing in retail issues.)
The retailer's executives could argue that it's clearly the franchisee's responsibility. After all, that store is fully owned by that particular franchisee, that franchisee hired and supervised the negligent employee and did we mention that the store is not even owned by the chain?
But the franchisee has some excellent arguments, too. The breached POS system was mandated by the retailer, the POS software was also mandated by corporate and corporate imposed many data requirements on that franchisee. In other words, the franchisee was ordered to collect and transmit a lot of content that he wouldn't gather on his own.
The payment data was also transmitted centrally to a location selected by the retailer and controlled by the retailer's chosen processing bank. Also, what is the chain's PCI classification? Is the level (Level 1, Level 2, Level 3, etc.) based on the transactions of that franchisee's locations or the entire chain's transactions?
Just about all of the data breach disclosure laws require the disclosure of a retail payment data breach when unencrypted data is stolen, Rasch points out.
Scenario: A Level 1 retailer discovers that a half-million credit card transactions have been stolen, but those transactions were encrypted. Is the retailer obligated to report it to law enforcement and to the public? To its shareholders?
What if it's really weak encryption? What if it's barely one step more complex than Pig Latin? The laws say nothing about the kind of encryption used.
Let's change it a little. What if the encryption was decent, but—like TJX—you discover that the encryption key was also taken? The law says the theft of encrypted data doesn't have to be reported. But is it fair and right to conclude that "encrypted data" plus "encryption key" equals "unencrypted data"? Or at least it will be, within a couple of hours.
Let's change the scenario again. What if the data was properly encrypted and no key was taken, but the IT team somehow learns two weeks after the breach that the bad guys had cracked the encryption, whether through extensive computing, luck or some kind of encryption-cracking deep-freeze method?
The law's only requirement for disclosure kicks in when the data is stolen unencrypted. There's nothing in there about encrypted data that is later cracked.
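The three cases above (Pig-Latin-grade encryption, sound encryption with the key kept safe, sound encryption with the key stolen alongside the data) can be made concrete. The following is an added illustration, not code from the article or from any retailer or law mentioned in it; the card record is constructed, the "weak" cipher is a letter-and-digit rotation standing in for the Pig Latin remark, and the "strong" one is a one-time-pad XOR, chosen only because it is sound with a random, secret, single-use key and needs no third-party library.

```python
import os
import string

# Constructed sample record: not a real cardholder, not a real card number.
RECORD = "CARDHOLDER SMITH PAN 4111111111111111 EXP 0930"
KNOWN_TOKENS = ("CARDHOLDER", "PAN", "EXP")  # field names a thief can test for


def weak_encrypt(text: str, shift: int) -> str:
    """'Pig Latin'-grade cipher: rotate letters mod 26 and digits mod 10."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.digits:
            out.append(chr((ord(ch) - 48 + shift) % 10 + 48))
        else:
            out.append(ch)
    return "".join(out)


def weak_recover_without_key(ciphertext: str) -> tuple[int, str]:
    """No key needed: try all 25 shifts, keep the one that yields known field names."""
    best = (0, ciphertext, 0)
    for shift in range(1, 26):
        candidate = weak_encrypt(ciphertext, -shift)
        score = sum(tok in candidate for tok in KNOWN_TOKENS)
        if score > best[2]:
            best = (shift, candidate, score)
    return best[0], best[1]


def strong_encrypt(data: bytes) -> tuple[bytes, bytes]:
    """One-time-pad XOR: sound only while the random key stays secret and single-use."""
    key = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, key)), key


def strong_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ciphertext, key))


def breach_outcomes() -> dict[str, bool]:
    """Does the thief end up with the plaintext record in each scenario?"""
    weak_ct = weak_encrypt(RECORD, 13)
    strong_ct, real_key = strong_encrypt(RECORD.encode())
    guessed_key = os.urandom(len(real_key))  # thief who did not get the key
    return {
        "weak_cipher": weak_recover_without_key(weak_ct)[1] == RECORD,
        "strong_cipher_key_safe": strong_decrypt(strong_ct, guessed_key) == RECORD.encode(),
        "strong_cipher_key_stolen": strong_decrypt(strong_ct, real_key) == RECORD.encode(),
    }
```

Only the middle case leaves the record unreadable, which is the distinction the disclosure statutes, as described above, do not draw.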
The suggestion that state legislators don't think these things through is hardly worth saying, especially if you consider "thinking things through" something more than "copying whatever California comes up with."
But are retailers obligated to follow the intent of the law rather than its wording?