
Credit & Debit Card Processors Are Losing Your Data But May Not Be Liable For Your Personal Losses


While it is unlikely you have ever heard of Heartland Payment Systems or RBS WorldPay or any of the dozens of other networks your credit and debit card transactions travel through to process your morning latte purchase, hackers are all too aware of these treasure chests. Processors are likely to be the top targets for mass data compromise and identity theft in the coming years, yet surprisingly, these back-office firms may not be responsible for your losses.

According to Ronald Mann, a professor and co-chairman of the Charles E. Gerber Transactional Studies Program at Columbia Law School, payment processors that experience data losses may be protected against class action lawsuits if they can prove PCI compliance. This may be the case with the massive Heartland Payment Systems breach, which may have lost data on over 100 million transactions. Stop to think about the size of this breach: it roughly equates to one transaction per person for 1/3 of the US population!

There have already been three class action lawsuits filed against Heartland, but Mann says it would be very difficult for plaintiffs to prove negligence since Heartland should be able to prove it met the industry’s PCI (Payment Card Industry) standard. PCI is arguably ineffective at stopping, let alone detecting, today’s sophisticated cyber attacks. Avivah Litan, distinguished analyst at Gartner, recently said that card processors are more vulnerable to attacks because, while payment industry rules dictate that credit card data is encrypted while being stored at retailers, processors and banks, it does not have to be encrypted while being transferred on private networks. While banks and retailers can also communicate on private networks, attacks against processors are a much newer phenomenon and can produce the biggest number of transactions, since processors by nature consolidate activities across many retailers and banks.

Take for example, a simplified card transaction: You go to your favorite coffee shop and order a latte. You swipe a credit, debit or gift card at the register. In sub-second speed the transaction goes from the retailer to the processor, to your bank to check funds and to the retailer to approve the purchase. Once approved, the processor queues your transaction in a batch process to transfer the funds from your bank account to the retailer’s bank account, usually within 24 hours.

There are dozens of major processors across the US that handle transactions from millions of vendors and banks. Processors are a major hub of the system and are therefore a lucrative target for fraudsters. Currently, if a processor complies with the PCI standard, which is clearly not tight enough to protect all network vulnerabilities, that processor should not be held accountable for current and future fraud against compromised accounts. In most cases the card issuer or banks protect the consumer, but not always. Debit and gift cards shift some or all liability to the consumer, and any future fraud perpetrated against an individual on a different account may be hard to tie back to one particular data loss event, especially since processors and banks will not generally tell you when your information has been compromised!

So what’s the moral of the story – even if you are very careful with your own information, your identity can still be stolen. Protect yourself where you can, and be cognizant of all public data breaches.

(The following were sourced for this article: Defense Seen for Heartland vs. Suits; Cardline; February 10, 2009 and Credit Card Hackers Find New, Rich Targets; MSNBC; Bob Sullivan; January 23, 2009)


This post first appeared on Circular Number 6.
