Financial, retail industries keep cybersecurity mistakes and punishments secret

Sometime around Christmas, Megan Ney learned from her bank that someone else had successfully applied for a debit card in her name.

A few days later, she heard from Target Corp. that her debit card information had been stolen in a data breach. Ney believes the two ­episodes are related, though her bank and Target say they can't tell her for sure.

Ney, a 29-year-old oil and gas company accountant from Tulsa, shops less at Target now and often only with cash because she's still nervous about the data breach. She wants to know if Target failed to meet payment security standards and how it will be sanctioned if it was at fault.

"If I'm going to continue to be shopping there," Ney said, "I want to know that my identity and my banking information are protected."

But even as cyberthreats grow in frequency and sophistication, the system for ensuring payment card security in the United States remains a closely guarded arrangement among the credit card networks who set it up, the banks who process payments for merchants and the merchants themselves.

No regulator ensures that companies meet minimum requirements for protecting data. No public database tells consumers which companies lost customer information through poor performance or neglect, or when and how much they were fined. Banks and credit card companies determine fault on a case-by-case basis through private contracts with individual merchants. Fines and the reasons for them remain sealed.

"It's this mafia monopoly. It really is," said Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research. "It's a highly flawed process."

Enforcement lies with the individual card networks. Generally, when a merchant is out of compliance, the card companies fine the bank that processes the merchants' card transactions; the bank in turn fines the merchant. (American Express works directly with merchants, Litan said.) In the past, fines have ranged from $3,000-$5,000 a month per merchant, escalating to as much as $100,000 a month after six months of noncompliance, Litan said. In the event of a breach, there can be more fines.

Major retailers such as Target undergo private audits annually by one of hundreds of companies that perform them. Target's chief financial officer testified in a hearing earlier this month that Target was found PCI compliant on Sept. 20, about two months before thieves began hoovering up card data from its cash registers via malware.

A former Target employee with knowledge of the process told the Star Tribune that the company has a team of employees dedicated to PCI compliance, recently about five people, and that Target "is absolutely obsessed with achieving PCI compliance."

"The idea that Target would be found noncompliant … is literally mortifying to senior leaders," the person said. "This is precisely what keeps Target leaders awake at night."

The former employee said it is possible that Target was in compliance in September but that configuration changes were made afterward that might have unknowingly thrown it out of compliance. Configuration changes are constant, the person said.

Target's vast breach has stoked questions about the effectiveness of the PCI system. By at least one measure, compliance is a problem.

Globally, just one in 10 organizations fully comply with the PCI standards, according to Verizon's latest PCI Compliance Report on Feb. 11. But Verizon can only report on its own clients, and it works mainly with large and international organizations. The 11 percent full compliance rate that Verizon documented likely would be even lower if it covered small and midsize organizations, said Rodolphe Simonetti, head of Verizon's PCI practice.

In an interview, Simonetti called the 11 percent full compliance a "huge improvement" from 2012 but said "it should be better than that." He blamed low compliance on the difficulty of some of the requirements, and the fact that the standards are young and still gaining acceptance.

Retailers face 12 core requirements, the first of which is to install and maintain a firewall to protect cardholder data. One of the most challenging rules for retailers is No. 10, Simonetti said, which requires merchants to track and monitor all access to network resources and cardholder data, typically with system activity logs.

Simonetti noted that while card networks such as Visa publish lists on their websites of PCI compliant payment service providers (card processing banks, for instance), no such lists exist for retailers. A public listing of PCI-compliant companies "would probably help," he said.

"All the companies that have been breached, even the ones who claimed to be compliant, were not compliant at the time of the breach," Simonetti said. "That's what we've seen over the last five years."

Jennifer Fischer, head of security operations, policies and standards for Visa Inc., took issue with Verizon's report. In an interview she said Visa's own research shows a high level of compliance among the 440 largest merchants with which it works — those who process more than 6 million Visa transactions a year. Of those, 96 percent were compliant at the their last audit, she said.

Visa does post generic compliance rates on its website, albeit in a very cryptic fashion. It doesn't list merchant results by name because that would impede their cooperation, Fischer said.

"We want to encourage merchants to be forthcoming about their security posture," she said. "We want to maintain that trust relationship so that we can be notified in the event that there is an issue."

Fischer said that the rate of fraud in the U.S. payment system is stable and near historic lows. At Visa, it's about 6 cents for every $100 spent on Visa cards, for a rate of about 0.06 percent.

Fischer attributes the relatively low rates to better fraud-fighting tools. The PCI standards, while not perfect, "have effectively raised the bar when it comes to security," she said.

John Kindervag, vice president and principal analyst at Cambridge, Mass.-based Forrester Research, agrees. As he sees it, the retailers brought the PCI standards on themselves by being sloppy with payment card security in the name of ringing up purchases fast. Merchant security practices are "horrific," Kindervag said. "PCI has done really a marvelous job of reducing the number of credit card breaches."

Supporters of greater federal oversight, such as Sen. Al Franken, D.-Minn., counter that the U.S. has less than a quarter of the world's card transactions, but roughly half the fraud, and that Target was hacked just two months after passing a private industry cybersecurity review.

An analysis by the FICO credit consultancy showed that incidents of fraud on U.S.-issued credit cards rose 17 percent from the beginning of 2011 to late 2012, although the average dollar loss per account fell.

All the while, consumers remain mostly in the dark about the companies to whom they entrust their credit and debit card data and personal information.

Consumer advocates argue that this is why federal standards for reporting and explaining cybertheft are needed.

"Consumers are frustrated and disconcerted about what's going on," said Delara Derakhshani, policy counsel at Consumers Union. "We are always in favor of more disclosure."

Franken and fellow Democratic Sen. Amy Klobuchar of Minnesota back a bill by Sen. Patrick Leahy, D-Vt., that would allow the Federal Trade Commission to set national cybersecurity standards and assess civil penalties against companies that don't meet them.

"I believe consumers deserve to know when security standards have been violated," Klobuchar said.

Franken is prodding credit card companies, financial institutions and retailers to quickly adopt the more secure chip-based card technology used in Europe.

"There'd be greater transparency," he explained, "because the FTC would have the right to sue these companies, and they would do that publicly."