Were Retailers Blamed For A Bank Breach?

Earlier this week, National Retail Federation CIO Dave Hogan was featured on the popular American news magazine 60 Minutes and made some controversial charges against Visa, namely that the world's largest credit card company preferred fining retailers to helping them fix their security.

Visa now happens to be in the middle of its $10 billion IPO, which places it in the always-fun quiet period, making it almost impossible for the company to defend against the charges.

Although one NRF official raised the question of whether Hogan's quotes had been taken out of context, Hogan himself this week stood by his comments and said that they had not been, although he would rather the show had aired more of his comments. "It was part of a much longer conversation," he said.

The revenue that Visa is making from the fines from non-compliant retailers "is part of the equation," he said, adding, "If Visa was serious, there are that would be taken today" including encouraging retailers to store much less sensitive credit card data.

But Hogan did raise a very interesting question about another part of the 60 Minutes piece.

In the report, Shawn Henry, an FBI agent specializing in high-tech crimes, showed an undercover agent making a buy of some credit-card information.

Correspondent Lesley Stahl narrates what then happened, as the video shows the stolen data, with identifying details hidden: "What popped up were complete files on four Americans, one of them 'Pam,' along with her address, her Social Security, credit card and ATM PIN. Even the answer to that security question 'What's your mother's maiden name?' was there."

Given that the piece is focused on retail data security problems, it's logical to infer that the data shown was grabbed from a retailer's database. But no retailer retains that level of detail, meaning the information would have almost certainly come from a bank, not a retailer, Hogan said. "It was from an issuing bank. This was an inside job," he said.

From the perspective of a consumer trying to safeguard his data and avoid becoming the victim of identity theft, I suppose it doesn't make much of a difference. But for retail IT execs, do they really need an unjustified dig? After all, retail IT today offers such a wide assortment of legitimate security screwups, one would think it wouldn't be necessary.