
U.S. payment-card industry grapples with security
By Ross Kerber
BOSTON (Reuters) – Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures.
While both companies say their computer networks met the tough new standards meant to prevent data breaches, Visa Inc said Heartland at least may have let its guard down.
The positions reflect broader disagreements in the industry, as squabbling between merchants and financial firms over technology and the cost of systems upgrades continues to impede progress, said Robert Vamosi, an analyst for California consulting firm Javelin Strategy & Research.
“They both need to fight fraud and they are fighting each other,” he said.
The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.
The security of consumer information came under renewed scrutiny on August 17 when a 28-year-old Florida man, Albert Gonzalez, was indicted along with two other unnamed hackers for breaching the computer networks of Heartland and Hannaford, both of which said they were in compliance with security requirements.
Those standards were set by a council that includes the world’s two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald’s Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc.
All these companies face rising costs linked to fraud and its prevention. Of the 275,284 complaints received last year by the government’s Internet Crime Complaint Center, 24,775 were tied to credit or debit card fraud, up from 13,033 in 2007 and 9,960 in 2006.
Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa.
Even companies that meet the standards could be vulnerable should they lower their guard, Visa security executive Ellen Richey said last spring in a speech critical of Heartland.
“It was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack,” she said in March.
Merchants, for their part, complain via trade groups like the National Retail Federation that Visa and MasterCard are asking them to pay more than their fair share for security upgrades.
Some retail executives also say Visa and MasterCard have been slow to adopt better encryption technology and cards with high-security computer chips because of the associated costs.
“I can’t even tell you how many sour, disgruntled calls I get from retailers,” said Gartner Inc technology consultant Avivah Litan, who also works with banks.
GOVERNMENT REGULATION?
At Heartland, Gonzalez was charged with stealing more than 130 million payment card numbers, a record. Previously the biggest such hacking case was at TJX Cos Inc, where federal prosecutors last year accused Gonzalez and others of conducting an electronic break-in starting in 2005 that companies said compromised as many as 100 million card numbers.
Gonzalez, who is awaiting trial, has pleaded not guilty to the charges related to TJX, which had not met security standards at the time of the data breach.
This time, prosecutors say Gonzalez and his co-conspirators penetrated Hannaford and Heartland’s systems in late 2007 with code known as “structured query language,” which the security standards require companies to protect themselves against.
They also charged the ring breached systems at convenience store operator 7-Eleven Inc in or around August 2007. The company said the breach only affected transactions at automated teller machines owned by a third party at some of its stores, and wouldn’t comment further.
A spokesman for Hannaford, a unit of Belgium’s Delhaize Group, said an audit unit of Verizon Communications Inc showed it met the security standards.
Heartland said through a spokesman that its systems had been checked by audit firm Trustwave of Chicago as recently as April 2008 — about four months after prosecutors say the hackers began their theft.
The security standards represent “the lowest common denominator and the bad guys have figured out how to get around some of the weaknesses,” the spokesman said.
A Verizon spokesman confirmed it had audited Hannaford and found it to meet the standards, but declined to elaborate. A Trustwave spokeswoman said the firm wouldn’t comment.
Security is critical to Heartland because it processes card payments for merchants, and its stock dropped sharply in the two months after the attack was discovered.
In response, Chief Executive Robert Carr has tried to reassure customers and stepped up calls for better data encryption.
Ultimately, should the payment card industry fail to get its act together, it could face more government regulation, said Cynthia Larose, an attorney at Mintz Levin in Boston.
“If the stakeholders cooperate, we would see much better security,” she said.
(Editing by Matthew Bigg and Gerald E. McCormick)
Don’t throw the keys to the Fed
By Mark T. Williams | July 2, 2009
THE OBAMA administration’s plan to close the existing regulatory gap by using the Federal Reserve Bank as the main systemic-risk regulator is theoretically sound but a bad idea under existing Fed structure.
The Fed employs thousands of examiners stretching from Boston to San Francisco in an attempt to ensure a safe and sound banking system. They are the first line of defense in our banking system, ideally providing a financial firewall against excessive risk taking by physically inspecting banks and ensuring that adequate capital is available to support risk activities. Ratings provide a health scorecard and a comparison with peer institutions.
Although Fed examiners scored major banks such as Citigroup, Bank of America, and Wells Fargo, why didn’t they pick up on the bad banking behavior that President Obama characterized as “wild risk taking” on Wall Street? This trend should have been discovered, except that the Fed is averse to change and its examiners are way behind the regulatory curve.
If the financial market were a gun fight, the Fed would be carrying pea shooters while the Wall Street structured-product gurus would be carrying AK-47s. The sophistication gap facing those charged with measuring and protecting our financial system is staggering.
Meantime, the corporate culture at the Fed has made examiners second-class citizens compared with the more glamorous monetary policy geeks and the economists who roam the marbled hallways. Of the 12 sitting Fed presidents, none came up through the ranks from examiner. Fed examiners continue to have a limited advancement track and salaries at least one-fifth less than those of the people who create the derivatives on Wall Street. How can the Fed attract the best and brightest this way?
The Obama plan would give more responsibility to the Fed at a time when it hasn’t earned it. The recent banking debacle makes clear the Fed has failed to demonstrate that it is capable of taking this added responsibility. Handing the Fed this new duty, given its recent track record, is the equivalent of giving your teenager a new car right after he wrecked the last one. This significant sophistication gap at the Fed, compared with market counterparts it is charged with regulating, is why the Fed didn’t detect the growing risk taking by the major banks. Examiners did not have the adequate training, skills, or tools needed to go head-to-head with the Wall Street rocket scientists.
Why, for example, didn’t the Fed examiners see the growing threat of derivatives? These financial products that got so many banks in trouble were first concocted in the financial laboratories of First Boston and Salomon Brothers back in 1983. The Fed should have had time to amass an understanding of how such derivatives worked, and what kind of financial damage they could cause if used in excess or for the wrong purpose.
But under its current charter, the Fed is not held accountable for a job poorly done. In response to the current banking debacle, there have been no penalties, demotions, firings, or even a public hearing on how and why the Fed dropped the ball. Moreover, when banks do fail (approximately 40 so far this year), it’s the FDIC, not the Fed, that must clean up the mess.
Before the Obama administration expands the Fed’s role and throws it the keys, it is important to fix the varsity-versus-jayvee vulnerability at the Fed. At minimum, this will require that more capital (human and financial) be committed to specialized hiring, training, and increased use of state-of-the-art risk-measurement tools (e.g., computer modeling). The goal is to improve the use of risk-focused exams and to create a skilled examination staff that can detect and halt wild risk taking before the company, market participants, and the economy are harmed.
In addition to the Fed being held more accountable, there must be implementation of performance-based incentives for a job well done. Equally, there needs to be clear consequences to the Fed for poor performance. Only after we plug this regulatory sophistication gap at the Fed can confidence in this agency be restored.
Mark T. Williams, a former Federal Reserve Bank examiner, teaches finance at the Boston University School of Management.
Fed Documents Fuel Concerns About Expanding Central Bank’s Role
By DAMIAN PALETTA
WASHINGTON — Documents unearthed by congressional investigators reveal disagreements among senior Federal Reserve officials about how to handle Bank of America Corp.’s acquisition of Merrill Lynch, fueling concern on Capitol Hill over giving the central bank even more power to regulate the financial system.
The glimpse inside the regulatory machinery provided by emails, memorandums and handwritten notes shows a Fed that wrestled with how tough it should be on Bank of America, one of the biggest U.S. banks. It also shows Fed officials questioning more broadly their response to the financial crisis months earlier.
In December, Bank of America approached top U.S. officials about abandoning a deal, forged in the heat of the crisis, to buy investment bank Merrill Lynch. In the end, the government arranged a $20 billion rescue package for the bank to cover growing losses at Merrill.
In between, the documents show areas of disagreement within some of the Fed’s 12 regional reserve banks.
The Federal Reserve Bank of Richmond, where supervision of Bank of America’s parent company is based, pushed for a tougher approach than other regulators, emails suggest. Bank of America officials appealed more than once to the Fed’s Washington headquarters to intervene.
Bank of America CEO “Ken [Lewis] may also raise his favorite perennial issue — that is, is the Richmond supervisory team on the same page as the [Fed] Board,” Fed governor Kevin Warsh wrote in an email Dec. 30 to Fed Chairman Ben Bernanke and other senior officials. “Richmond staff was on our call today, but prior to the call, it sounds like they may have threatened a little more than ideal…”
On Jan. 10, Fed General Counsel Scott Alvarez wrote to Mr. Bernanke and others that Richmond Fed President Jeffrey Lacker was raising some issues over the final deal. Mr. Lacker wanted the entire Federal Open Market Committee to vote on any loan to Bank of America.
Mr. Bernanke responded at 2:01 a.m.: “Thanks. If we are nimble we can manage this.”
Whether or not Mr. Bernanke threatened Mr. Lewis’s ouster over the rescue remains a source of contention. Mr. Lewis suggested in testimony to New York Attorney General Andrew Cuomo that the Fed chief did just that. Mr. Bernanke has denied making such a threat to Mr. Lewis.
On Jan. 16, just days before government aid for the deal was supposed to be announced, Federal Reserve Bank of Boston president Eric Rosengren sent Mr. Bernanke an email saying that the Fed shouldn’t dismiss too hastily the idea of tossing management at Bank of America.
Mr. Rosengren suggested such a shake-up might be necessary, “particularly if we believe that existing management is a significant source of the problem.”
Mr. Bernanke, at a contentious hearing Thursday, defended the Fed against suggestions it had been too lenient with management.
“The supervisory process is not a onetime thing. It’s an ongoing process, and in an ongoing supervisory process, we have made demands of the Bank of America on terms of their board and management,” he told Rep. Dennis Kucinich (D., Ohio).
The documents reveal Fed officials questioning the central bank’s response to the financial crisis even before negotiations began on the effort to aid Bank of America’s acquisition of Merrill Lynch.
“At this point I have [the] sense that the hearts and minds war in Iraq was handled better than it has been in this crisis, particularly within the Fed system,” wrote Meg McConnell, a top Federal Reserve Bank of New York official, on the day the House of Representatives voted down the Bush administration’s first financial-rescue package, sending the Dow industrials down almost 800 points.
The Obama administration earlier this month proposed giving the Fed powers to oversee and examine the largest companies in the financial system.
The disclosures could bolster the central bank’s argument that it needs more power to manage future crises. One reason for the government’s lurching response last year, officials say, was that it didn’t have the needed tools.
The Fed has been dealing with a steady stream of criticism from Republicans. Democrats have recently joined in, and the disclosures being aired through the congressional inquiry have put the central bank on the defensive.
Write to Damian Paletta at damian.paletta@wsj.com