U.S. payment-card industry grapples with security
By Ross Kerber
BOSTON (Reuters) – Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures.
While both companies say their computer networks met the tough new standards meant to prevent data breaches, Visa Inc said Heartland at least may have let its guard down.
The positions reflect broader disagreements in the industry, as squabbling between merchants and financial firms over technology and the cost of systems upgrades continues to impede progress, said Robert Vamosi, an analyst for California consulting firm Javelin Strategy & Research.
“They both need to fight fraud and they are fighting each other,” he said.
The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.
The security of consumer information came under renewed scrutiny on August 17 when a 28-year-old Florida man, Albert Gonzalez, was indicted along with two other unnamed hackers for breaching the computer networks of Heartland and Hannaford, both of which said they were in compliance with security requirements.
Those standards were set by a council that includes the world’s two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald’s Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc.
All these companies face rising costs linked to fraud and its prevention. Of the 275,284 complaints received last year by the government’s Internet Crime Complaint Center, 24,775 were tied to credit or debit card fraud, up from 13,033 in 2007 and 9,960 in 2006.
Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa.
Even companies that meet the standards could be vulnerable should they lower their guard, Visa security executive Ellen Richey said last spring in a speech critical of Heartland.
“It was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack,” she said in March.
Merchants, for their part, complain via trade groups like the National Retail Federation that Visa and MasterCard are asking them to pay more than their fair share for security upgrades.
Some retail executives also say Visa and MasterCard have been slow to adopt better encryption technology and cards with high-security computer chips because of the associated costs.
“I can’t even tell you how many sour, disgruntled calls I get from retailers,” said Gartner Inc technology consultant Avivah Litan, who also works with banks.
At Heartland, Gonzalez was charged with stealing more than 130 million payment card numbers, a record. Previously the biggest such hacking case was at TJX Cos Inc, where federal prosecutors last year accused Gonzalez and others of conducting an electronic break-in starting in 2005 that companies said compromised as many as 100 million card numbers.
Gonzalez, who is awaiting trial, has pleaded not guilty to the charges related to TJX, which had not met security standards at the time of the data breach.
This time, prosecutors say Gonzalez and his co-conspirators penetrated Hannaford and Heartland’s systems in late 2007 with code known as “structured query language,” which the security standards require companies to protect themselves against.
They also charged the ring breached systems at convenience store operator 7-Eleven Inc, roughly in August 2007. The company said the breach only affected transactions at automated teller machines owned by a third party at some of its stores, and wouldn’t comment further.
A spokesman for Hannaford, a unit of Belgium’s Delhaize Group, said an audit unit of Verizon Communications Inc showed it met the security standards.
Heartland said through a spokesman that its systems had been checked by audit firm Trustwave of Chicago as recently as April 2008 — about four months after prosecutors say the hackers began their theft.
The security standards represent “the lowest common denominator and the bad guys have figured out how to get around some of the weaknesses,” the spokesman said.
A Verizon spokesman confirmed it had audited Hannaford and found it to meet the standards, but declined to elaborate. A Trustwave spokeswoman said the firm wouldn’t comment.
Security is critical to Heartland because it processes card payments for merchants, and its stock dropped sharply in the two months after the attack was discovered.
In response, Chief Executive Robert Carr has tried to reassure customers and stepped up calls for better data encryption.
Ultimately, should the payment card industry fail to get its act together, it could face more government regulation, said Cynthia Larose, an attorney at Mintz Levin in Boston.
“If the stakeholders cooperate, we would see much better security,” she said.
(Editing by Matthew Bigg and Gerald E. McCormick)