Consumers, retailers grapple with data theft

Increase in fraud feared as the credit card industry recovers from a mega-heist.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.

Consumers are being left in the dark as the credit card industry cleans up after a digital break-in that put millions of accounts at risk.

Pressure is mounting for companies to alert individual cardholders whose details were exposed by the breach at data processor CardSystems Solutions. But representatives for JP Morgan Chase, Citigroup and MBNA said they would not notify customers unless the accounts are actually abused. At that point, the providers would close the account and issue a new card, they said.

That approach irks lawmakers who are fighting for full disclosure in the event of a data security breach. People should be able to decide themselves if they want to close their account after their personal information has been leaked, they said.

"The consumer, not the company, ought to be able to make the judgment, to the extent he wants to be at risk," said California state Sen. Joe Simitian, a Democrat from Palo Alto. "Consumers can't protect themselves if they are not informed."

With the cost of the breach not yet clear, lawmakers and other parties are keeping a close eye on the impact it's having on customers and on the credit card industry's response. Online retailers, which often bear the cost of credit card scams, are especially concerned about a possible influx of fraud.

In the break-in, reported Friday by MasterCard, the intruder got access to names, account numbers and verification codes for 40 million credit cards that could be used to commit fraud. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Despite this, Chase doesn't plan to inform individuals whose data was leaked.

"We are not going out to however many customers of ours that are affected," said David Chamberlin, a spokesman at Chase, which has issued 94 million credit cards in the United States. "Right now, we are dealing with potential fraud. If we find fraud or believe our customers are at high risk of fraud, we will contact them as soon as possible."

Chase's stance is echoed by Citigroup and MBNA. Representatives for both financial services providers said that they will closely monitor the accounts that are known to be exposed. The companies are advising all customers to keep a close eye on their online and monthly statements.

American Express is still weighing whether it should contact individual customers, a representative said Tuesday.

The issuers' approach would appear to put them in contravention of a California law that requires businesses to alert consumers if their personal information might have been stolen from a computer database. Sen. Simitian authored that law, the Security Breach Information Act, which came into effect two years ago.

"If somebody has your name and your credit card number and all the information needed to make purchases on your account, you need that information to protect yourself," Simitian said. "If Chase continues to take the position that it (the law) does not require them to provide notice, I will do another bill if I have to."

On the national level, Sen. Dianne Feinstein, a Democrat representing California, is urging all credit card companies to contact affected customers. The CardSystems breach is a clear example that the industry is failing when it comes to protecting consumer data, she wrote in a letter Tuesday to the chief executives of Visa, MasterCard, American Express and Discover.

Like Simitian, Feinstein believes that notification is "vital to affording individuals the ability to protect their identity and their credit," she wrote. Feinstein has introduced a bill in the U.S. Senate that would require that consumers be notified of certain types of security breach.

Retailers may have more to lose than consumers by the lack of notification. If a fraudster makes purchases on an individual's card, then the cardholder has to pay for the first $50 of unauthorized transactions, or nothing at all. Businesses, however, in many cases have to cover the loss--a potentially heavy burden in the CardSystems case, given the large number of accounts exposed. If consumers aren't alerted, that means the compromised cards could still be active and may be used by criminals in a transaction.

"We'd really like credit card companies to take responsibility for their mistakes," said Tom Mahoney, director of Merchant911.org, a group of online sellers focused on preventing fraud. "They are not canceling the cards and re-issuing them because it costs them too much, and the merchants bear the cost of fraudulent charges as a result."

Re-issuing a credit card costs around $30, according to Visa. If the credit card companies were to replace all 40 million cards that may have been stolen, it might cost more than $1.2 billion.

Web retailers in particular are considered high risk by credit card issuers because they don't see the customer's credit card and can't ask for a signature or an ID. As a result, Web retailers end up bearing the burden of more fraudulent transactions than brick-and-mortar stores.

However, there is little need to worry, according to Visa. "Fraud really is at an all-time low--in the Visa systems, only 5 cents for every $100 transacted," said Rosetta Jones, a Visa spokeswoman.

Also, according to Visa, only about 2 percent of credit cards that are exposed after a data security breach are ever used improperly. "Very few consumers will be impacted by this," Jones said.

But for business owners like Gary Howell, who runs Howell Automotive in Keyser, W.Va., any case of fraud is one too many. He wants the affected credit card accounts deactivated. About one in every 50 transactions handled by his online auto parts business is already suspect, and Howell is afraid more fraud is on its way and that he will have to pay.

"The credit card companies know that the criminals have enough information to get by the security checks that an online merchant does," he said. "I'll be out the merchandise, I will be out all of the money, and I will get charged fees for being the victim of a crime--even though I did all of the security checks and did them right."