Monday, August 18, 2008

Retailers Told How to Stop Scams at the Register

Merchants looking to hold on to their sales have to help protect their customers’ financial information, a fraud expert told a gathering of businesspeople yesterday. Losing that information to data thieves “can be pretty catastrophic, especially for smaller merchants,” said Visa Inc. security expert Lauren Holloway.

Holloway is traveling the country this month and next to review data-security basics with merchants. Her presentations are part of a joint effort by the U.S. Chamber of Commerce and the credit-card giant to help staunch the data breaches that are plaguing businesses and ruining the finances of some Americans. Electronic payments passed paper checks in usage in 2003 and continue to outstrip the age-old payment method.

“It’s one of those issues that can reach out and hit anyone at any time,” said Laurie White, president of the Greater Providence Chamber of Commerce, which cosponsored yesterday’s presentation with the U.S. Chamber and Visa Inc.  Yesterday’s presentation is a timely one, coming a week after 11 people, including a U.S. Secret Service informant, were charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit- and debit-card numbers. 

The data breach is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice, which charged the suspects with conspiracy, computer intrusion, fraud and identity theft. The indictment returned last week by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.

In the case of TJX Cos., which operates TJ Maxx, Marshalls and other chains, hackers stole data on at least 45.7 million credit- and debit-card customers. A banking group that has filed suit against TJX Cos. alleges that more than 94 million accounts were affected.  Attorney General Patrick C. Lynch noted the breach at Framingham, Mass.-based TJX Cos. Inc., which occurred last year, and two others that affected Rhode Islanders — last year’s Stop & Shop PIN pad case and the ChoicePoint data loss in 2005.  Ross-Simons and CVS Corp. also have dealt with data-security issues in the last three years.

In the Stop & Shop case, four men diverted $132,000 from 1,100 bank accounts, using information stolen from the supermarket chain’s stores in Coventry and Cranston.  The 2005 breach at ChoicePoint Inc. compromised the financial data of as many as 145,000 Americans. In the scam, thieves posing as small-business customers gained access to the company’s database and at least 750 people were defrauded, authorities said at the time. According to the data-warehousing company, 1,122 Massachusetts residents and 203 Rhode Island residents may have been victims. The breach led to a change in Rhode Island law, which now requires businesses to disclose breaches to the public in a timely manner.

Small-business merchants accounted for more than 80 percent of the data-security breaches in 2007, according to an analysis by Visa (V:NYSE), the San Francisco-based company that operates the world’s largest retail electronic-payments network. The incidents are worrying consumers, Lynch and Holloway said. The consumer protection unit in Lynch’s office handles about 40,000 questions from people annually, he noted. “Never before, until this year, was identity theft in the top 10 — it shot right up,” Lynch said. Holloway agreed. “Consumers are definitely concerned; they’re more cautious about how they use [payment cards],” she said.

One simple way to protect customer data is to make sure checkout registers and electronic-payment pads collect only the data needed to process a payment and delete any customer personal data as soon as it is no longer needed, which in most instances could be immediately. The storage of full magnetic stripe information, security codes and PIN data is prohibited by industry agreement. Also, merchants need to train their salespeople to spot suspicious purchases, whether the transactions are made in person, over the phone or online.
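As an added illustration that is not part of the original article, a merchant could audit register logs for stored magnetic stripe data and unmasked card numbers with a check like the one below. It covers only stripe tracks and card numbers, the sample lines are constructed, and masking to the last four digits is an assumption of this example.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{12,19})=\d{7}\d*\?")
# Bare card-number candidate; confirmed with the Luhn checksum below.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_line(line):
    """Label what a stored line contains: track1, track2, or a bare pan."""
    found = [label for label, rx in (("track1", TRACK1), ("track2", TRACK2))
             for m in rx.finditer(line) if luhn_ok(m.group(1))]
    if not found:
        found = ["pan" for m in PAN.finditer(line) if luhn_ok(m.group())]
    return found

def redact_line(line):
    """Drop stripe data entirely; keep only the last four digits of a PAN
    (the last-four choice is this example's assumption)."""
    line = TRACK1.sub("[TRACK1 REMOVED]", line)
    line = TRACK2.sub("[TRACK2 REMOVED]", line)
    def mask(m):
        pan = m.group()
        return "*" * (len(pan) - 4) + pan[-4:] if luhn_ok(pan) else pan
    return PAN.sub(mask, line)

# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE = [
    "pos01 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?",
    "pos01 t2=;4111111111111111=25121010000000000?",
    "pos02 auth ok card 4111111111111111 amt 19.99",
    "pos02 order 1234567890123456 shipped",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scan_line(entry), redact_line(entry))
```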
