Were Retailers Blamed for a Bank Breach?

Opinion: The NRF's CIO was right to pick a fight with "60 Minutes" after it implied that illegally sold personal data came from retailers.

National Retail Federation CIO Dave Hogan was featured on the popular TV news magazine "60 Minutes" Nov. 25 and made some controversial charges against Visa, namely that the world's largest credit card company preferred fining retailers to helping them fix their security.

Visa now happens to be in the middle of its $10 billion IPO, which places it in the always-fun quiet period and makes it almost impossible for the company to defend itself against the charges.

Although one NRF official raised the question of whether Hogan's quotes had been taken out of context, Hogan himself stood by his comments and said in an interview with eWEEK that they had not been taken out of context, although he said he would rather the show had aired more of his comments.

"It was part of a much longer conversation," he said.

The revenue that Visa is making from the fines from non-compliant retailers "is part of the equation," he said, adding that "if Visa was serious, there are [actions] that would be taken today," including encouraging retailers to store much less sensitive credit card data.

But Hogan did raise a very interesting question about another part of the "60 Minutes" piece.

In the report, Shawn Henry, an FBI agent specializing in high-tech crimes, showed an undercover agent making a buy of some bogus credit card information.

Correspondent Lesley Stahl narrated what then happened, as the video shows the stolen data, with identifying details hidden: "What popped up were complete files on four Americans, one of them Pam, along with her address, her Social Security, credit card and ATM PIN. Even the answer to that security question 'What's your mother's maiden name?' was there."

Given that the piece is focused on retail data security problems, it's logical to infer that the data shown was grabbed from a retailer's database. But no retailer retains that level of detail, meaning the information would have almost certainly come from a bank, not a retailer, Hogan said.

"It was from an issuing bank. This was an inside job," he said.

From the perspective of a consumer trying to safeguard his data and avoid being the victim of identity theft, I suppose it doesn't make much of a difference. But for retail IT execs, do they really need an unjustified dig? After all, retail IT today offers such a wide assortment of legitimate security screw-ups, one would think it wouldn't be necessary.

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan.Schuman@ziffdavisenterprise.com.
