A Trio Of Credit Card Conundrums

Written by Evan Schuman
April 18th, 2008

If there’s one thing the last year of credit card catastrophes has made undeniable, it’s that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe.

Whether it was last year’s TJX revelations about how bad security can get (TJX to the SEC: The bad guys were able to get a copy of our encryption key, but not to worry: they grabbed the data before we had a chance to encrypt it so the joke’s on them) or this year’s Hannaford details, where a PCI-compliant retailer lost data in transit while it was flowing through a secure private pipe, almost every assumption today is being challenged.

With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite brain-teasers surrounding credit card security issues. How many can you figure out? (No, there are no right answers, other than accepting cash.)

  • The Chargeback Challenge
    An Africa-based cyberthief—who is an accomplished identity theft specialist—grabs a notebook full of personal information and zeros in on the particulars of a Pittsburgh man named Smith.

    Using the tried-and-true Help Wanted trick (a job ad that recruits a dupe willing to reship goods for a fee), he lines up a rerouter in Pittsburgh. The thief then successfully applies for a credit card in Smith’s name. He takes the legitimately issued card (the application was entirely fraudulent, but the bank issued the card through its normal process) and uses it on the E-Commerce site of a well-known e-tailer, racking up a healthy $5,000 charge on a card-not-present transaction.

    He has the items shipped to a nearby Pittsburgh address, telling the retailer that he recently moved. Because the new address is in a neighboring Pittsburgh Zip Code, no alarms are triggered. The rerouter forwards the goods to Africa.

    Two weeks later the bills arrive, Smith discovers the fraud and reports it to his bank, which cancels the card. The consumer owes nothing.

    The retailer, however, is told by the bank to eat the $5,000 chargeback on top of having lost the merchandise itself. Had the thief used that card in the retailer’s brick-and-mortar storefront, the roles would be reversed and the bank would cover all costs.

    Officially, it’s the absence of a signed receipt that makes the difference: the card was never physically presented. But the retailer did nothing wrong. Indeed, had it refused the transaction, it could have been in serious trouble with the brand and the bank. What choice did that retailer have?

    So why is the retailer penalized here, when it was the bank’s team that improperly issued that card and didn’t do sufficient investigation of the application?

    "They do it because they can," said Dave Hogan, the CIO for the National Retail Federation. "If (the brand and the banks) can shift the risks somehow, they will."
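
The weak link in the scenario is the screening rule itself: a ship-to address in a neighboring ZIP code passes a proximity check, yet the goods are still leaving for an address the issuer never verified. The following is an added example (not code from the original article) that puts that ZIP-proximity heuristic beside a stricter card-not-present screen. The rules, the thresholds and the sample orders are constructed assumptions chosen for illustration; real fraud screens use many more signals.

```python
"""Screening a card-not-present order: the ZIP-proximity check beside a stricter one.

Added example, not code from the original article. The rules, thresholds and
the sample orders are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Address:
    street: str
    city: str
    state: str
    zip5: str


@dataclass
class Order:
    amount: float
    bill_to: Address              # address the issuer has on file (what AVS confirms)
    ship_to: Address
    order_date: date
    card_first_seen: date         # first time this card number was used at this merchant
    ship_to_changed_on: Optional[date] = None  # customer edited ship-to ("I just moved")


def naive_zip_check(order: Order) -> List[str]:
    """The heuristic the scenario describes: alarm only when the ship-to ZIP is
    not 'nearby'. Here 'nearby' means the same 3-digit ZIP prefix (the USPS
    sectional center), so any neighboring Pittsburgh ZIP sails through."""
    if order.ship_to.zip5[:3] != order.bill_to.zip5[:3]:
        return ["ship-to ZIP outside billing ZIP region"]
    return []


def strict_cnp_check(order: Order, high_value: float = 1000.0,
                     new_card_days: int = 30, recent_move_days: int = 14) -> List[str]:
    """Stricter screen (assumed rules): proximity is irrelevant. What matters is
    whether goods leave for an address the issuer never verified, how new the
    card is at this merchant, and whether ship-to was changed just before the order."""
    flags = []
    off_billing = order.ship_to != order.bill_to
    if off_billing:
        flags.append("ship-to differs from AVS-verified billing address")
    card_age_days = (order.order_date - order.card_first_seen).days
    if off_billing and order.amount >= high_value and card_age_days <= new_card_days:
        flags.append("high-value order on a card with no history here, shipped off the billing address")
    if order.ship_to_changed_on is not None and \
            (order.order_date - order.ship_to_changed_on).days <= recent_move_days:
        flags.append("ship-to address changed within the last %d days" % recent_move_days)
    return flags


# Constructed order matching the scenario: Smith's real address is the billing
# address; the reshipper is a few ZIP codes away in the same city.
SMITH_ORDER = Order(
    amount=5000.00,
    bill_to=Address("100 Example St", "Pittsburgh", "PA", "15213"),
    ship_to=Address("200 Sample Ave", "Pittsburgh", "PA", "15217"),
    order_date=date(2008, 4, 1),
    card_first_seen=date(2008, 4, 1),
    ship_to_changed_on=date(2008, 3, 30),
)

# Constructed control: a long-standing customer shipping to the billing address.
LEGIT_ORDER = Order(
    amount=5000.00,
    bill_to=Address("100 Example St", "Pittsburgh", "PA", "15213"),
    ship_to=Address("100 Example St", "Pittsburgh", "PA", "15213"),
    order_date=date(2008, 4, 1),
    card_first_seen=date(2006, 1, 15),
)

if __name__ == "__main__":
    print("naive :", naive_zip_check(SMITH_ORDER))    # [] -> order ships
    print("strict:", strict_cnp_check(SMITH_ORDER))   # three flags -> hold for review
    print("legit :", strict_cnp_check(LEGIT_ORDER))   # []
```

The naive check returns nothing for the Smith order, which is exactly the outcome the scenario describes; the stricter screen raises three independent flags without ever looking at how far apart the two ZIP codes are. None of this changes who pays the chargeback, but it is the check a merchant can actually make before the goods leave.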

  • Franchisee Folderol
    A large retail chain with many franchisees discovers a major data breach involving payment cards. It turns out that the breach started because of the actions of a not-so-careful employee at one of the franchisees.

    Who is legally responsible for the breach? (Note: This wonderful brain-teaser came from the overly-teased brain of Mark Rasch, the former head of the U.S. Justice Department’s white-collar crime division and now in private practice specializing in retail issues.)

    The retailer’s executives could argue that it’s clearly the franchisee’s responsibility. After all, that store is fully owned by that particular franchisee, that franchisee hired and supervised the negligent employee and did we mention that the store is not even owned by the chain?

    But the franchisee has some excellent arguments, too. The breached POS system was mandated by the retailer, the POS software was also mandated by corporate and corporate imposed many data requirements on that franchisee. In other words, the franchisee was ordered to collect and transmit a lot of content that he wouldn’t gather on his own.

    The payment data was also transmitted centrally to a location selected by the retailer and controlled by the retailer’s chosen processing bank. Also, what is the chain’s PCI classification? Is the level (Level 1, Level 2, Level 3, etc.) based on the transactions of that franchisee’s locations or the entire chain’s transactions?

  • Breach Disclosure Dynamics
    Just about all of the data breach disclosure laws require the disclosure of a retail payment data breach when unencrypted data is stolen, Rasch points out.

    Scenario: A Level 1 retailer discovers that a half-million credit card transactions have been stolen, but those transactions were encrypted. Is the retailer obligated to report it to law enforcement and to the public? To its shareholders?

    What if it’s really weak encryption? What if it’s barely one step more complex than Pig Latin? The laws say nothing about the kind of encryption used.

    Let’s change it a little. What if the encryption was decent, but—like TJX—you discover that the encryption key was also taken? The law says the theft of encrypted data doesn’t have to be reported. But is it fair and right to conclude that "encrypted data" plus "encryption key" equals "unencrypted data"? Or at least it will in a couple of hours.

    Let’s change the scenario again. What if the data was properly encrypted and no key was taken, but the IT team somehow learns two weeks after the breach that the bad guys had cracked the encryption, whether through extensive computing, luck or some kind of encryption-cracking deep-freeze method?

    The law’s only disclosure requirement kicks in when data is stolen unencrypted. There’s nothing in there about encrypted data that is later cracked.

    The suggestion that state legislators don’t think these things through is hardly worth saying, especially if you consider "thinking things through" something more than "copying whatever California comes up with."

    But are the obligations of retailers to focus on the intent rather than the wording of the law?
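
To see why a statute that says only “encrypted” carries no guarantee of strength, here is an added example, not code from the original article: a card number “encrypted” with single-byte XOR (standing in for the scheme one step beyond Pig Latin) is recovered with no key at all, by trying all 256 keys and keeping the candidate that looks like a card number. The PAN is the well-known Visa test number 4111111111111111 and the key 0x5A is a constructed assumption. The same `xor_cipher` call with a stolen key also covers the TJX variant of the scenario, since the function is its own inverse.

```python
"""'Encrypted' in a disclosure statute says nothing about strength.

Added example, not from the original article. Single-byte XOR stands in for the
'one step beyond Pig Latin' scheme; the PAN is the Visa test number and the
key 0x5A is constructed.
"""
from typing import List, Tuple


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test that every payment-card PAN satisfies."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xor_cipher(data: bytes, key: int) -> bytes:
    """Single-byte XOR. It is its own inverse, so stolen key + ciphertext =
    plaintext in one call (the 'key was also taken' variant)."""
    return bytes(b ^ key for b in data)


def crack_xor_pan(ciphertext: bytes) -> List[Tuple[int, str]]:
    """No key at all: try all 256 keys and keep candidates that decode to a
    digit string whose first digit is a payment-card major industry identifier
    (2 through 6) and that passes Luhn. The structure of the plaintext does the
    key's job for the attacker."""
    hits = []
    for key in range(256):
        candidate = xor_cipher(ciphertext, key)
        try:
            s = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        if s and s[0] in "23456" and luhn_ok(s):
            hits.append((key, s))
    return hits


TEST_PAN = "4111111111111111"                                  # Visa test number
STOLEN_RECORD = xor_cipher(TEST_PAN.encode("ascii"), 0x5A)     # what the thief copies

if __name__ == "__main__":
    print("stolen ciphertext:", STOLEN_RECORD)
    print("with stolen key  :", xor_cipher(STOLEN_RECORD, 0x5A).decode())
    print("with no key      :", crack_xor_pan(STOLEN_RECORD))
```

On this input the brute force returns exactly one candidate, the real PAN, in well under a millisecond; the record was “encrypted” in the statutory sense throughout. With a real cipher the brute force fails, and the only thing standing between ciphertext and plaintext is the key, which is the point of the TJX version of the scenario.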
