Financial, retail industries keep cybersecurity mistakes and punishments secret

The private sector polices itself for poor performance or neglect, leaving customers in the dark about how their credit data was stolen.

By JENNIFER BJORHUS and JIM SPENCER, Star Tribune

February 23, 2014 — 4:10pm

Sometime around Christmas, Megan Ney learned from her bank that someone else had successfully applied for a debit card in her name.

A few days later, she heard from Target Corp. that her debit card information had been stolen in a data breach. Ney believes the two episodes are related, though her bank and Target say they can't tell her for sure.

Ney, a 29-year-old oil and gas company accountant from Tulsa, shops less at Target now and often only with cash because she's still nervous about the data breach. She wants to know if Target failed to meet payment security standards and how it will be sanctioned if it was at fault.

"If I'm going to continue to be shopping there," Ney said, "I want to know that my identity and my banking information are protected."

But even as cyberthreats grow in frequency and sophistication, the system for ensuring payment card security in the United States remains a closely guarded arrangement among the credit card networks who set it up, the banks who process payments for merchants and the merchants themselves.

No regulator ensures that companies meet minimum requirements for protecting data. No public database tells consumers which companies lost customer information through poor performance or neglect, or when and how much they were fined. Banks and credit card companies determine fault on a case-by-case basis through private contracts with individual merchants. Fines and the reasons for them remain sealed.

"It's this mafia monopoly. It really is," said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research. "It's a highly flawed process."

The Payment Card Industry (PCI) Security Standards Council, which sets the standards for protecting card information, was created by the world's five major card brands — Visa, Discover, MasterCard, American Express and JCB (Japan) — nearly eight years ago. Run by the card networks, the council doesn't collect information on compliance. It sets standards.

Enforcement lies with the individual card networks. Generally, when a merchant is out of compliance, the card companies fine the bank that processes the merchants' card transactions; the bank in turn fines the merchant. (American Express works directly with merchants, Litan said.) In the past, fines have ranged from $3,000-$5,000 a month per merchant, escalating to as much as $100,000 a month after six months of noncompliance, Litan said. In the event of a breach, there can be more fines.

Major retailers such as Target undergo private audits annually by one of hundreds of companies that perform them. Target's chief financial officer testified in a hearing earlier this month that Target was found PCI compliant on Sept. 20, about two months before thieves began hoovering up card data from its cash registers via malware.

A former Target employee with knowledge of the process told the Star Tribune that the company has a team of employees dedicated to PCI compliance, recently about five people, and that Target "is absolutely obsessed with achieving PCI compliance."

"The idea that Target would be found noncompliant … is literally mortifying to senior leaders," the person said. "This is precisely what keeps Target leaders awake at night."

The former employee said it is possible that Target was in compliance in September but that configuration changes were made afterward that might have unknowingly thrown it out of compliance. Configuration changes are constant, the person said.

Through a spokeswoman the company declined to comment on PCI matters, citing the ongoing investigations.

Target's vast breach has stoked questions about the effectiveness of the PCI system. By at least one measure, compliance is a problem.

Only one in 10 comply

Globally, just one in 10 organizations fully comply with the PCI standards, according to Verizon's latest PCI Compliance Report on Feb. 11. But Verizon can only report on its own clients, and it works mainly with large and international organizations. The 11 percent full compliance rate that Verizon documented likely would be even lower if it covered small and midsize organizations, said Rodolphe Simonetti, head of Verizon's PCI practice.

In an interview, Simonetti called the 11 percent full compliance a "huge improvement" from 2012 but said "it should be better than that." He blamed low compliance on the difficulty of some of the requirements, and the fact that the standards are young and still gaining acceptance.

Retailers face 12 core requirements, the first of which is to install and maintain a firewall to protect cardholder data. One of the most challenging rules for retailers is No. 10, Simonetti said, which requires merchants to track and monitor all access to network resources and cardholder data, typically with system activity logs.

Simonetti noted that while card networks such as Visa publish lists on their websites of PCI compliant payment service providers (card processing banks, for instance), no such lists exist for retailers. A public listing of PCI-compliant companies "would probably help," he said.

Simonetti said he thinks the security standards are reducing data security breaches, though not preventing them.

"All the companies that have been breached, even the ones who claimed to be compliant, were not compliant at the time of the breach," Simonetti said. "That's what we've seen over the last five years."

Jennifer Fischer, head of security operations, policies and standards for Visa Inc., took issue with Verizon's report. In an interview she said Visa's own research shows a high level of compliance among the 440 largest merchants with which it works — those who process more than 6 million Visa transactions a year. Of those, 96 percent were compliant at the their last audit, she said.

Visa does post generic compliance rates on its website, albeit in a very cryptic fashion. It doesn't list merchant results by name because that would impede their cooperation, Fischer said.

"We want to encourage merchants to be forthcoming about their security posture," she said. "We want to maintain that trust relationship so that we can be notified in the event that there is an issue."

Fischer said that the rate of fraud in the U.S. payment system is stable and near historic lows. At Visa, it's about 6 cents for every $100 spent on Visa cards, for a rate of about 0.06 percent.

Richard Sullivan, head of payments research at the Federal Reserve Bank of Kansas City, estimates the general fraud rate is 9 cents per $100.

Fischer attributes the relatively low rates to better fraud-fighting tools. The PCI standards, while not perfect, "have effectively raised the bar when it comes to security," she said.

John Kindervag, vice president and principal analyst at Cambridge, Mass.-based Forrester Research, agrees. As he sees it, the retailers brought the PCI standards on themselves by being sloppy with payment card security in the name of ringing up purchases fast. Merchant security practices are "horrific," Kindervag said. "PCI has done really a marvelous job of reducing the number of credit card breaches."

Supporters of greater federal oversight, such as Sen. Al Franken, D.-Minn., counter that the U.S. has less than a quarter of the world's card transactions, but roughly half the fraud, and that Target was hacked just two months after passing a private industry cybersecurity review.

An analysis by the FICO credit consultancy showed that incidents of fraud on U.S.-issued credit cards rose 17 percent from the beginning of 2011 to late 2012, although the average dollar loss per account fell.

All the while, consumers remain mostly in the dark about the companies to whom they entrust their credit and debit card data and personal information.

"I'm not aware of anything that requires industry to disclose punishment or fines to consumers," said Nessa Feddis, deputy chief counsel for consumer protection at the American Bankers Association.

Consumer advocates argue that this is why federal standards for reporting and explaining cybertheft are needed.

"Consumers are frustrated and disconcerted about what's going on," said Delara Derakhshani, policy counsel at Consumers Union. "We are always in favor of more disclosure."

Franken and fellow Democratic Sen. Amy Klobuchar of Minnesota back a bill by Sen. Patrick Leahy, D-Vt., that would allow the Federal Trade Commission to set national cybersecurity standards and assess civil penalties against companies that don't meet them.

"I believe consumers deserve to know when security standards have been violated," Klobuchar said.

Franken is prodding credit card companies, financial institutions and retailers to quickly adopt the more secure chip-based card technology used in Europe.

Meanwhile, he said, Leahy's bill provides that "anyone handling the business of over 10,000 Americans would have certain requirements to manage their data security risks, test their system, train their employees."

"There'd be greater transparency," he explained, "because the FTC would have the right to sue these companies, and they would do that publicly."

jennifer.bjorhus@startribune.com • 612-673-4683 jim.spencer@startribune.com • 202-383-6123

StarTribune

Financial, retail industries keep cybersecurity mistakes and punishments secret

Only one in 10 comply

US committee releases sealed Brazil court orders to Musk's X, shedding light on account suspensions

World Bank's Banga wants to make gains in tackling the effects of climate change, poverty and war

Biden administration moves to make conservation an equal to industry on US lands

San Francisco sues Oakland over new airport name that includes 'San Francisco'

Google fires 28 workers in aftermath of protests over big tech deal with Israeli government