The Death Penalty and Retailers

By Larry Seltzer  |  Posted 2007-10-29 Print this article Print

Opinion: The really big card networks have the big stick. They need to whack the retail industry in the head with it.

Retails a tough business. You and your suppliers are trying to bully each other, your customers are trying to steal whatever they can, and you just cant get good employees anymore. But the biggest, baddest bully you have to deal with is Visa. Visa is forcing you to spend big money upgrading equipment and procedures, paying consultants, buying new software and training people. Im on Visas side. Credit card security is important in the modern world, and if youre not part of the solution, then youre part of the problem. (Of course, they cant force you to do anything; you could just choose not to take Visa cards from your customers. Ha ha, I had to say that.)

You can get a good sense of the seriousness of the problem from the great reporting of our own Evan Schuman on the TJX fiasco. His most recent story talks about the fines Visa is imposing on TJX for their violations of PCI and other security rules. In fact, Visa is fining TJXs card processor, but such fines, it seems, are often passed on to the retailer.

The size of the TJX data loss keeps growing. Click here to read more.

Good, they cant be strict enough. The evidence of TJXs negligence gets more appalling all the time. Back in 2005 when TJXs CIO was trying to put off upgrading his companys wireless security from WEP (Wired Equivalent Privacy) to WPA (Wi-Fi Protected Access), it was well understood that WEP was pathetically insecure. Tools were easily available to compromise it, and once in, the door to the TJX network and their improperly stored cardholder data was open, and the hacker who attacked the company moved 80GB of data off the network using TJXs high-speed connections.

TJX will probably pay a large price in civil courts for their technological hubris, but I wonder whether it can possibly be enough. Back around the same time that TJX was blowing off their customers security, the CardSystems scandal was hitting the headlines. Their violations of both technical and business rules were so egregious that Visa and American Express both dropped the company as a processor. This was capital punishment for a company in that business, and before too long it sold out to a company not even in the processing business. CardSystems doesnt exist anymore, and many people there must have lost their jobs.

Its one thing to sign a death warrant for a credit card processor that few people have heard of (even if they are an important company). Dealing with a large retailer that has numerous famous brands is quite another. The point is to put the fear of God into the IT departments of large retailers to make full PCI compliance a high priority. That cardholder data is not something you get creative with; its other peoples identities. You use it and lose it.

Just the other day a release from Microsoft Research on cyber-crime hit the nail on the head on this point:
    The research indicates there are tensions within organizations over how data should be managed. Security and privacy professionals see customer data as an asset to protect, while in functions such as marketing where personal data is collected and used, employees are more likely to see it as a resource to achieve business objectives.
Its thinking such as that ascribed here to marketing that leads to cardholder data being retained and eventually exposed. While the Microsoft release goes to note that "...representatives from all three functions agree that the theft or loss of customer data has a potentially damaging impact on brand value and organizational reputation" clearly some data is not worth using for anything other than very limited means.

Visas got the right idea. Now they have issued a new set of requirements for applications software that processes cardholder data.

The next step is to let customers know which retailers are treating their card data securely and which arent. Even if they are now compliant, I know I wont ever trust TJX anymore.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel