This is page 2 of:
The Fatally Flawed Assumptions In The Gonzalez Case
Here’s a comment from Assistant U.S. Attorney Stephen Heymann, in a letter to U.S. District Court Judge Douglas P. Woodlock: “Knowing that card holders will be concerned that their credit or debit information has been put at risk, if they know it, provides an incentive to companies to invest in the protections their customers want. Transparency makes the market work in this area.”
Beyond the fact that consumer apathy undermines the logical premise of Heymann’s comment, retailer cynicism now plays a very key role. Premise One: No system, regardless of how well-funded, is bulletproof. Premise Two: In this weak economic climate, the only things that matter are boosting profits, revenue and marketshare, in that order. Premise Three: Putting in more sophisticated encryption is not going to change Premises One or Two.
But is the threat of being revealed to a public who is more interested in American Idol rankings than in whether their local supermarket is selling their debit card data on the black market such a scary thing?
As a practical matter, retailers will do what PCI requires them to do and probably not a heck of a lot more than that. Show me a board that will insist their company do materially more and I’ll buy lunch for you and 100 of your closest friends.
Another valid argument is that there was never much reason for either JCPenney or Wet Seal to have fought the case. Given the laundry list of retail victims, this breach really doesn’t reflect especially poorly on any one. Yes, there is strength in numbers. Or, more appropriately here, there’s insecurity in numbers.
The CIO of one of the largest of the breached retailers—who asked that neither his name nor his chain be identified—said he was thrilled when JCPenney joined his merry band of victims. “My interest is to demonstrate that the problem was actually quite pervasive, that it wasn’t just TJX and 7-Eleven that screwed up and had poorly secured data,” the CIO said. “It was much more of an industry-wide circumstance. JCPenney legitimizes that argument. It’s much better to be part of a bigger crowd. If Wal-Mart could be on the list, even better.”
Two related notes: JCPenney did aggressively try and keep its name out of the public dockets, but it didn’t deny that it was the retailer, at least to the best of our ability to determine. Although others made such denials, we can’t trace any to the chain itself. No one can prove a negative, but it looks like JCPenney was shooting straight.
Speaking of shooting straight, when the federal filings were unsealed Monday (March 29), we here at StorefrontBacktalk were blushing. Two stories covering the case had been introduced as evidence: one from JCPenney and the other from the Justice Department. Both stories came from us.
As long as we’re blushing, let’s place this under the heading of “You Read It Here First And You Probably Will Always Read It Here First.” We’ve been pushing coverage of the Gonzalez case since the earliest reports of the TJX break-in. We were the first publication to report on the unidentified retailer in the Massachusetts indictment, back in August 2008.
We were also the first media outlet to report that Target was the unidentified retailer from Massachusetts and that JCPenney was the unidentified retailer from New Jersey back in August of last year, some five months before Target fessed up. And then last week, we reported the identity of Wet Seal and the court’s confirmation of JCPenney more than three before days anyone else could confirm it.
We don’t know what other surprises retail technology and E-Commerce will deliver next week and every week thereafter, but we’ll do everything we can to continue delivering it to you first. End of commercial.
-Marc
April 1st, 2010 at 10:34 am
Just a little nit, you say “absolutely no reason to believe that there will be any stock impact.” but there’s actually a much stronger statement that can be made: “there’s plenty of reason to believe that there will be absolutely no stock impact.”
April 7th, 2010 at 3:09 pm
This entire thing is beyond irritating. If consumers don’t care because of the credit card companies are covering them, and retailers don’t care because their stock prices remain intact and their insurance companies bear the burden of costs associated with breaches, then who exactly does care?
Here’s a wild idea: let’s make interchange variable depending on your level of IT security (not PCI compliance). Just like the interest rate you pay on a loan varies on how worthy your credit is, let’s make your credit card fees vary on how worthy your IT security is. Missing a firewall in a location? Rate just went up. Virus protection out of date? Rate just went up. Missing some obvious policies and procedures? Rate just went up. Then board members WILL get involved when they realize that potentially millions of dollars of fees are at risk. Retailers have incentive to increase security and the banking entities benefit due to reduced fraud.
April 7th, 2010 at 3:17 pm
Great idea, Todd, but what group is going to determine a retailer’s current IT Security Level? On what criteria?