Every time you swipe your credit card and wait for the transaction to be approved, sensitive data, including your name and account number, are ferried from store to bank through computer networks, each step a potential opening for hackers.
And though you may take steps to protect yourself against identity theft, an Associated Press investigation has found that the banks and other companies that handle your information are not being nearly as cautious as they could be.
The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.
It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.
More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn't detect it. Even the companies that had the payment industry's top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.
Companies that are not compliant with the PCI standards - including one in 10 of the medium-sized and large retailers in the United States - face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves.
Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.
That is of little consolation to consumers who bet on the industry's payment security and lost.
It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.
"Maybe somebody who doesn't live paycheck to paycheck, it wouldn't matter to them too much, but for me it screwed me up in a major way," she said. LaMotte says she pays more by cash and check now.
It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford's servers that snatched customer data while it was being sent to the banks for approval.
In 2006, the big card brands - Visa, MasterCard, American Express, Discover and JCB International - formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.
Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Yet tests that simulate hacker attacks are required just once a year.
"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google's Internet payment processing system.
At the same time, the card companies themselves are increasingly hands-off.
Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's.
Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."
"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."
A key reason PCI exists is that the banks and card brands don't want the government regulating credit card security. These companies also want to be sure transactions keep humming through the system.
"If they did mind, they have immense resources and could really change things," said Ed Skoudis, co-founder of security consultancy InGuardians Inc. and an instructor with the SANS Institute, a computer-security training organization. Skoudis investigates retail breaches in support of government investigations. "But they don't want to strangle the goose that laid the golden egg by making it too hard to accept credit cards, because that's bad for everybody."