Federal Trade Commission Misunderstands Card Data Privacy.
Rethink PCI Law.
The TJX credit card data break-in is reputed to be the largest in history. On the heels of the incident, many credit card issuers replaced cards believed to be compromised. To replace cards is expensive (not to mention disruptive to consumers), and many card issuers demanded, through lawsuits and otherwise, that TJX reimburse them. December 2007 TJX settled one class action lawsuit with issuers of affected VISA cards, agreeing to pay $41 million. Dow Jones Newswires, "TJX Gets Over 95% Acceptance Of VISA Settlement Agreement," December 20, 2007. May 2008 TJX said it had support for settlement with Mastercard issuers for $24 million.
The Federal Trade Commission concluded that TJX had maintained inadequate controls to protect credit card data and had therefore committed unfair trade practices. Consequently, the Commission has punished TJX by requiring it to adopt new controls (in the vein of the PCI - Payment Card Industry Data Security Standard) and file extensive paperwork with the government for years to show that the controls are in place.
That's the background. Now think about this . . . August 2008 federal authorities announced indictments of the ring of criminals at the heart of the TJX heist. The ring had stolen data from both TJX and many other retailers. According to authorities, the criminals used stolen data to withdraw tens of thousands of dollars at a time from automated teller machines. Their ATM withdrawals added up to hundreds of thousands of dollars.
Further, last year six people were convicted in Florida for using data, apparently stolen from TJX, to buy gift cards and goods worth AT LEAST ONE MILLION DOLLARS. Jon Swartz, "11 Charged in TJX Identity Theft," USA Today, August 6, 2008.
Do you see an imbalance here? TJX settles with VISA & Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers canceled all those cards, they alarmed and inconvienced millions of cardholders to excess.
To be sure, a final accounting for the TJX fraud has not been made, at least to the public. However, public information suggests the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in.
In other words, the credit card issuer industry over-reacted. After being notified about TJX, the industry erupted in a spasm of card cancellations on the assumption that unauthorized access to data at a retailer is, per se, a catastrophic event. [The industry's total costs probably far exceeded $65 million, as TJX's settlements with the banks were perceived as "low" and a "bargain" for TJX. Regarding the VISA settlement, one industry expert said, "$40 million doesn't begin to cover the true exposure" to losses caused by card cancellations. Further, one lawsuit against TJX, led by Amerifirst Bank, continues because the bank contends the losses caused by card cancellations are much more than what TJX has agreed to pay.]
The Federal Trade Commission also over-reacted. The FTC marched to the notions that data security at a merchant is, in and of itself, paramount to protecting consumers and that a merchant perceived to have fallen short is a bad guy (a privacy infringer) who warrants government-sponsored punishment.
The knee-jerk reactions by card issuers and FTC failed to appreciate how robust the credit card system actually is. The multiform layers of controls in the system make it very hard and dangerous for criminals to capitalize on data stolen from a merchant.
The credit card industry needs new methods to make the reaction to a cyber attack balance with the magnitude of the actual risk. Card issuers could, for example, react to a hacker break-in with tighter software controls on suspect accounts, emphasizing fraud detection, foreign transaction blocks and enforcement of transaction limits.
The FTC, albeit well-meaning, has been particularly unhelpful. It has fixated on castigating one segment of the payment card system – i.e., merchant data security – in a manner that is out of proportion to the segment's role in managing card security risk. The FTC should be more thoughtful and less emotional in its leadership here. The Commission should be much less quick to conclude that the merchant victim of a sophisticated criminal gang is itself a bad guy who engaged in unfair trade practices.
[Update: According to USA Today October 23, 2008, the indictment for alleged hacker Albert Gonzales claims he amassed $1.6 million booty. Gonzales was allegedly central to a hacker ring that stole card data from many merchants, TJX being only one.]
–Benjamin Wright
Mr. Wright is senior legal issues instructor at the SANS Institute, where he stresses good public communications in response to data security incidents.
[My videos allude to the memorable Dr. Evil, in the movie Austin Powers: International Man of Mystery. In the movie the melodramatic Dr. Evil (played by comedian Mike Myers) speaks this way to say he will hold the entire world ransom for a mere "one m-i-l-l-i-o-n dollars".] Another article I posted on TJX appears here.
FWIW, the DoJ press release said that the accused withdrew tens of thousands of dollars at a time, not total. The latest number I saw for the first credit card ring is $8 million, and the DoJ indictment wants $20 million in forfeitures from Yastremskiy.
I talk about this a bit more on my blog.
Posted by: Jim Graves | August 12, 2008 at 02:05 PM
Jim: Thank you! You are absolutely correct about the tens of thousands of dollars at a time. I was mistaken. My original thinking came from USAToday, which did not say "at a time". I cited the US DoJ press release, but failed to read it carefully.
Thus, regarding the ATM withdrawals, it seems the hundreds of thousands of dollars figure is better.
I'm going to look into the other figures you cite. --Ben
Posted by: Ben Wright | August 12, 2008 at 03:08 PM
Jim: Regarding the ring of thieves in Florida: The original criminal charges (circa March 2007) filed against the ring used the $8 million figure. However, later press reports like this one in the St. Petersburg Times, speak in terms of a lower figure, i.e., "more than $1-million". I appreciate your contribution to this discussion!
Posted by: Ben Wright | August 13, 2008 at 10:00 AM
Jim: Yastremskiy’s indictment, page 10 seeks forfeiture of $11,509,647.
Tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. Yastremskiy et al. are tied to data thefts at many merchants, TJX being just one. Dollar figures tied to Yastremskiy mix TJX with other heists.
Criminal indictments like Yastremskiy’s are not conservative, CPA-audited financial statements. They are negotiation documents, written by prosecutors, i.e., advocates of the government’s position.
The forfeiture sought from Yastremskiy could easily count any given dollar more than once. He was a money launderer; he moved money around. The indictment (apparently) seeks all the money transferred in connection with him during certain periods of time.
Again, thank you for your thoughtful contribution Jim.
Posted by: Ben Wright | August 13, 2008 at 07:30 PM
Mr. Wright;
Although you've made some good points here, I think you've missed some important ones too.
I'm a merchant advocate but I have no problem pointing the finger directly at TJX and the others. They were not PCI compliant and some areas of their security, wireless in particular, were shoddy at best. To make matter worse, there's ample evidence that they knew it and made the conscious decision to save money by not tightening up. Saved a bundle, didn't they!
I represent close to 3800 e-commerce merchants and I don't think that there was an over reaction at all. What you haven't taken into account is that this credit card information - which is now believed to be in the neighborhood of 90 million accounts - will be floating around for years in the carder chat rooms and bulletin boards that have been created to sell them one by one or in blocks of thousands. And every time one of them is successfully used on line for a purchase, the e-commerce merchant will suffer. He'll loose his money, his merchandise, his shipping fees and a chargeback fee. Chargeback fee, I assume you know, is the payment industry's term for a fine for being a victim of a crime.
The arrests and indictments that we know about so far may well be a drop in the bucket against those 90 million accounts. As you pointed out yourself, tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. The fact is that we'll never know how many dollars were lost, how many of those accounts were used, or how many will be used in the future. From an e-commerce merchant's point of view, every one of those accounts should be closed and new ones issued. And if TJX, et. al. have to pick up the tab, so be it.
Over reaction? Not from where I stand.
Tom Mahoney
Director, Merchant911.org
Developer, Preventing e-Commerce Chargbacks
Posted by: Tom Mahoney | August 16, 2008 at 09:21 PM
When you know a criminal organization is in possession of your card data, it is safer to cancel the card immediately. Waiting for fraudulent charges to actually appear is not less expensive in the long run.
Posted by: Rick Aster | September 23, 2008 at 01:33 PM