Credit Cards' Unintended Security Hole

This column was written by Evan Schuman, the editor of StorefrontBacktalk.com, a site that tracks retail technology, e-Commerce and security issues. Retail Realities will appear each Friday. Evan can be reached at e-mail and on Twitter.


In one of the most delicious ironies in retail today, the single most significant element that makes it easier for cyber thieves to steal consumer credit and debit card information from retailers is something the credit card companies themselves cooked up.

To be fair, this unintended consequence is a domino effect, where the innocuous-seeming program has set off a series of chain reactions that, today, makes credit and debit card breaches a lot more likely and more lucrative for the thieves. The program is called zero liability and it was initiated by some of the major credit card players many years ago to try and make consumers more comfortable making purchases online. The premise is that any fraudulent purchases will not have to be paid for by the consumer. Some banks have spoken of no liability beyond $50, but in operation, almost all banks cover all of the charges.

The program worked wonderfully and consumers quickly did become comfortable making e-commerce purchases. But as identity theft and straight-out stealing from credit cards became much more common, large retailers became popular targets. The onus was on the retailers, not the banks, to pay millions of dollars to install and manage sophisticated security programs. But these costs were almost impossible to justify. After all, no chain was going to advertise: "We just installed state-of-the-art firewalls and encryption systems. Come shop with us." And the risk of being breached seemed too remote to make a compelling argument to a board of directors.

Then came the retail world's wakeup moment.

In January 2007, TJX, the $19 billion retail giant that sells discount clothes under several brand names including Marshall's, TJMaxx, HomeGoods, A.J. Wright and Winners, announced that cyber thieves had broken into its credit card database and stolen information from what ended up being more than 100 million payment cards. The allegations of sloppy security procedures were extensive, with the bad guys apparently getting access to encryption keys (the tool needed to decrypt encrypted payment transmissions) but also having taken the information before it could even be encrypted. And they grabbed information for years, raising questions about how closely anyone at TJX had been watching their own network.

When that happened, lots of major retailers braced for the worst. With that huge a breach and accusations of such blatantly weak security practices, many execs thought TJX could be driven into bankruptcy. The industry was suddenly prepared to invest heavily in security because the TJX disaster would give them the proof points to justify large security expenditures. The only thing was: things didn't quite happen the way many expected.

Instead of the huge revenue drop that many feared, as panicked consumers abandoned TJX's stores, there was no revenue drop. There actually was a small increase in revenue in the months following the breach's disclosure. In case anyone thinks the TJX fallout was the exception, a major retail breach at the Hannaford supermarket chain two months later (which exposed 4.2 million credit and debit cards and led to 1,800 reported cases of fraud) showed the identical pattern: no drop in sales at all in the months following the breach's disclosure. It seems that consumers may tell surveyors that they care about data security, but that's not how they shop.

This actually made it much more difficult for retailers to invest in security, as the return-on-investment argument became much harder to make. Security in retail has never been a clean argument, in the sense that it's unlikely to boost profits or revenue. The only thing it can arguably deliver is risk avoidance. In other words, the argument to make to the Chief Financial Officer to approve a $10 million investment in security improvements is that, if you don't, it could cost the company $500 million in data breach costs if someone breaks in.

Given that consumers stood behind TJX and Hannaford (and others), that meant that Wall Street did the same. And with Wall Street and consumers on their side, the retailers had nothing to fear other than class-action lawsuits from consumers and the banks. And the retailers have thus far been winning every case and just about every decision in every case. Why? That comes back to those zero-liability programs. (You thought I forgot about the point of this column, didn't you?)

There are virtually no criminal laws at the national, state, county or municipal level in the U.S. that make it illegal to invite consumers to use credit and debit cards at a retail chain and to then recklessly handle that data. That means the only way to deal with this is through civil courts. And although criminal courts are about punishing those who engage in prohibited conduct, civil courts are about making businesses and consumers whole. Put another way, it's all about returning the plaintiff to the financial state that they would have been in had the wrongdoing never happened.

In the consumer retail data breach cases, it means getting the consumers their money back. But the zero liability plans have already done that. Consumer plaintiff after plaintiff has argued about how poorly retailers have protected their data, but when they're asked the ultimate question by the retailer ("How much money did you personally lose as a result?"), their case falls apart. Earlier this month (May 12), a federal judge overseeing the Hannaford case echoed rulings that his TJX counterpart made.

"Maine law requires that there be a way to attach a monetary value to a claimed loss. These fail that requirement," U.S. District Court Judge D. Brock Hornby ruled. "The same is true for a consumer's temporary lack of access to funds or credit, the annoyance of a canceled hotel reservation, and the embarrassment or annoyance of obtaining a family loan. There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence."

The retail industry has recently been struggling to come up with more secure ways of dealing with payments, with Visa encouraging McDonalds and Office Max to try and get creative as long as it doesn't cost Visa anything. One of the more prominent data breach victims, a payment card processor called Heartland Payment Systems, is pushing a plan that would allow the bad guys to get access to protected data, but in such small quantities as to make it useless to them.

But no matter how it's done, retail payment card security programs won't do much until the retailers have the incentives to fix the problems in a material way. Yes, that means that some pain must be felt. If consumers lost thousands of dollars when they were breached, you can bet they really would abandon retailers that burned them. And suddenly, major retailers would take this stuff seriously. Until then, though, zero liability programs are a wonderfully early holiday gift to cyber thieves everywhere.

By Evan Schuman
Special to CBSNews.com
