Are E-Commerce Merchants at Risk in Mystery Data Breach?
Days before the Heartland Data Breach was announced, volunteer computer security experts at the Open Security Foundation had already figured out what had occurred. Many believe Heartland is going to become the largest data breach in history and will surpass the TJX caper. At this point, only time will tell.
Now the folks at the Open Security Foundation are predicting another data breach at a card processor/acquirer that hasn't been announced to the public yet. For over a week, they've been speculating about this mysterious data breach based on a tip, which was corroborated by other anonymous sources.
According to their latest post on this matter, they knew at the time it was a "card not present" breach at an acquirer/processor, but couldn't publish that it was. They are now reporting this based on it being revealed by another source.
On February 21, 2009, databreaches.net revealed evidence of this data breach based on information sifted from two credit union sites (TVACU.com and Pennsylvania Credit Union Association CardNet).
The only data elements at risk are account numbers and expiration dates. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. The period of exposure being reported is from February to August of 2008.
It has also been written that the exposure was enabled by malicious software that was placed on the unknown acquirer/processor's system. Both of the credit union sources also state that it is being left up to the card issuers, whether to issue new cards or monitor the accounts for fraud. Reissuing cards has become a major expense to the card issuers after a data breach is discovered.
This makes me wonder if we will discover that the acquirer/processor was PCI DSS (Payment Card Industry Data Security Standards) compliant? PCI DSS is the payment card industry's own set of standards to protect data. In many of the recent breaches, the "breached" met this standard, which has led to questions as to whether it is really effective or not.
Both articles also indicate that Visa/Mastercard are not revealing the source of this breach until the "mysterious source" of it makes their own announcement on the matter.
Given these reports, my speculation is that this information could be used in e-commerce type transactions. If only primary account information and expiration dates were exposed — counterfeiting it on cloned cards is unlikely. It simply wouldn't be feasible to do so by the criminals involved. (Editor's Note: But purchasing online with Card Numbers and Expiration Date is easy to do, not so if they required PIN numbers which were NOT exposed...)
This doesn't mean that there are no financial risks involved to businesses in this data breach. E-commerce fraud is a big problem and its estimated impact on merchants last year was $4 billion. To fight this problem, most e-commerce merchants manually review orders to detect fraud, which can be a substantial payroll cost. The percentage loss to fraud in e-commerce has been stable for about three years, but since sales have increased, the dollars lost to it are growing.
Card-not-present chargebacks are frequently returned to merchants as chargebacks. The best way (Editor's Note: Really the second best) of avoiding these types of chargebacks is to verify transactions using the address verification service (AVS), the card verification value code 2 (CVV2), the card validation code 2 (CVC2), and the card identification (CID) when processing transactions.Editor's Note: Actually, the best way to avoid these type of chargebacks is to utilize HomeATM's PIN Debit application. Chargebacks are virtually eliminted with PIN based transactioins, and also would significantly reduce costs associated with manually reviewing orders to detect fraud. Of course, the other benefit is lower interchange costs associated with the more secure PIN based transaction. The story continues...
Smaller merchants — who ironically are charged the highest interchange fees for accepting card payments — are at the most risk because fraudsters count on the fact that they do not verify a lot of this data because of the associated costs and their ability to afford doing so.
Perhaps this one of the reasons why there is no rush to reissue cards. If the only information stolen can be used in card-not-present transactions, the card issuers are at little risk of suffering any financial losses. They will simply charge them back to the merchants, who failed to ensure the transaction wasn't fraudulent. It might be a good time for e-commerce merchants to be more cautious. Editor's Note: It may be a better time to switch over to PIN Based transactions powered by HomeATM...
From what I can gather, this matter isn't exactly confidential; having said that, it appears that primarily financial institutions are being warned and not the e-commerce merchants who logically will be the primary target if this stolen information is used. The costs in the aftermath of data breaches are substantial and who bears the brunt of them is becoming a hot topic. Editor's Note: Which I predict, will, in turn, make the idea of instituting a PIN Debit platform a hot topic as well...
To close this post, I will refer to a good information source on preventing chargebacks from Wells Fargo. There are a lot of other sources, but a lot of them are selling something. If anyone has any other good sources, please feel free to leave a comment and share them with everyone! Editor's Note: Will do!
 


 
 
 
 
 
 

0 comments