TK Maxx and banking regulation

March 30th, 2007 at 13:59 UTC by Ross Anderson

Today’s news coverage of the theft of 46m credit card numbers from TK Maxx underlines a number of important issues in security, economics and regulation. First, US cardholders are treated much better than customers here – over there, the store will have to write to them and apologise. Here, cardholders might not have been told at all were it not that some US cardholders also had their data stolen from the computer centre in Watford. We need a breach reporting law in the UK; even the ICO agrees.

Second, from the end of this month, UK citizens won’t be able to report bank or card fraud to the police; you’ll have to report it to the bank instead, which may or may not then report it to the police. (The Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place.)

Third, this week the UK government agreed to support the EU Payment Services Directive, which (unless the European Parliament amends it) looks set to level down consumer protection against card fraud in Europe to the lowest common denominator.

Oh, and I think it’s disgraceful that the police’s Dedicated Cheque and Plastic Crime Unit is jointly funded and staffed by the banks. The Financial Ombudsman service, which is also funded by the banks, is notoriously biased against cardholders, and it’s not acceptable for the police to follow them down that path. When bankers tell customers who complain about fraud ‘Our systems are secure so it must be your fault’, that’s fraud. Police officers should not side with fraudsters against their victims. And it’s not just financial crime investigations that suffer because policemen leave it to the banks to investigate and adjudicate card fraud; when policemen don’t understand fraud, they screw up elsewhere too. For example, there have been dozens of cases where people whose credit card numbers were stolen and used to buy child pornography were wrongfully prosecuted, including at least one tragic case.

Entry filed under: Banking security, Legal issues, News coverage, Politics, Security economics

12 comments

  • 1. Ross Anderson  |  March 31st, 2007 at 16:41 UTC

    Radio 4’s Moneybox programme today had a nice piece on the TK Maxx fraud, and also on the ecrime conference in London last Tuesday.

    BTW, the talks at that conference were a beautiful illustration of the liability dumping that pervades our business. The minister said that users ought to take more care online (so fraud’s our fault). A banker came on and said it was up to the government and the ISPs. And so it went on … with everyone trying to throw the problem over the fence.

  • 2. Ross Anderson  |  April 2nd, 2007 at 15:39 UTC

    Good point made in – that online retailers will miss out. Banks are not liable for cardholder-not-present fraud and so will have little incentive to report it properly.


  • 3. Brian E  |  April 2nd, 2007 at 21:17 UTC

    I just don’t understand why a retailer is allowed to keep all this information. Surely once the transaction has been completed and the retailer has got its money from the credit card company, the card records should be deleted. I know some companies do: I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?

  • 4. Andrew  |  April 3rd, 2007 at 03:49 UTC

    The retailers are allowed to store card numbers after authorisation of the transaction if they are enciphered (using good cryptography and key management). The storage of full track details or the CVV2 values (the three/four digit code on the back of the card used during CNP transactions) is not permitted post authorisation – regardless of how they are stored.

  • 5. Rob Newby  |  April 6th, 2007 at 13:51 UTC

    There are so many conflicting issues at stake here that it’s hard to get to the bottom, but here it is in a nutshell:

    There is no legal requirement for retailers to protect card holder information in the UK.

    The Payment Card Industry Data Security Standard (PCI DSS) exists globally to protect against payment card fraud. This states that Primary Account Number (PAN), Cardholder Name, Service Code and Expiration Date can be stored encrypted, but magnetic strip, CVC2/CVV2/CID and PIN/PIN Block cannot.

    Whether this is sufficient to protect against fraud is a moot point because the enforcement of these standards is performed by 5 credit card companies (VISA, MC, AmEx, JCB and Discover). They have to therefore monitor and assess every retailer who accepts credit cards, and detect any breach. In the US, this is made easier by California Senate Bill SB1386, a disclosure ruling which has now been adopted by 37 states and is soon to be made a national law. In the UK and Europe there is no such ruling. The FSA is the only body I am currently aware of that has the power to make disclosures, but they are primarily focused on the Financial Sector rather than Retail.

    I heard on the grapevine that disclosure was up for review in Brussels in November; I have no proof of this however. We are very much due for it for our own protection. One thing we need to remember however is that just because we comply with regulations like PCI DSS, it does not automatically mean that we are secure.
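    The storage rule that comments 4 and 5 describe (PAN, cardholder name, service code and expiry may be kept only in protected form after authorisation; track data, CVC2/CVV2/CID and PIN/PIN block may not be kept at all) is easy to state and easy to get wrong in a merchant's database. The following is an added example, written for this page and not code from the blog, the commenters or any card scheme: a merchant-side sanitiser that decides what may be written after authorisation, plus an independent audit that scans what actually reached storage for retained authentication data or a clear-text PAN hiding in a free-text field. HMAC-SHA256 tokenisation stands in for the encryption and key management the comments call for, and the field names, the demo key and the sample authorisation request are all constructed assumptions of the example.

```python
"""Post-authorisation card record sanitiser and audit (added example).

Enforces the storage rule quoted in comments 4 and 5: after authorisation a
merchant may keep the PAN only in protected form, may keep cardholder name,
service code and expiry, and must not keep track data, CVC2/CVV2/CID or the
PIN / PIN block at all. Tokenisation with HMAC-SHA256 stands in for the
encryption and key management those comments require; that substitution and
all field names are assumptions of this example, not anything the page states.
"""
import base64
import hashlib
import hmac
import re

# Sensitive authentication data: must never be persisted after authorisation.
SENSITIVE_AUTH_DATA = frozenset({"track1", "track2", "cvv2", "pin", "pin_block"})
# Account data that may be kept, but only in protected (here: tokenised) form.
PROTECTED_FIELDS = frozenset({"pan"})
# Data a merchant may reasonably retain for refunds and chargeback disputes.
PLAIN_FIELDS = frozenset({"cardholder_name", "service_code", "expiry", "amount", "auth_code"})

# Constructed demo key; a real deployment keeps this in an HSM/KMS, never in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed authorisation request. 4111 1111 1111 1111 is a widely used test PAN.
SAMPLE_AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A N OTHER",
    "expiry": "12/09",
    "service_code": "201",
    "cvv2": "123",
    "track2": "4111111111111111=09122011234567890",
    "amount": "49.99",
    "auth_code": "A1B2C3",
}


def tokenise_pan(pan, key):
    """Keyed one-way token: lets the merchant match a later refund or chargeback
    to this transaction without holding the PAN in the clear. Base32 output
    contains no long digit runs, so the token can never itself be mistaken for
    a PAN by the audit below."""
    digits = re.sub(r"\D", "", pan)
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")


def sanitise_for_storage(record, key):
    """Return the subset of an authorisation request that may be written to the
    merchant's database. Unknown fields are refused rather than stored, so a new
    upstream field cannot silently become retained card data."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            continue  # dropped: never persisted post-authorisation
        elif field in PROTECTED_FIELDS:
            stored["pan_token"] = tokenise_pan(value, key)
        elif field in PLAIN_FIELDS:
            stored[field] = value
        else:
            raise ValueError("refusing to store unknown field %r" % field)
    return stored


def luhn_ok(digits):
    """Standard Luhn check used to tell a card number from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(text):
    """Digit runs of 13-19 that pass Luhn, after removing the separators people
    type into free-text fields (spaces and hyphens)."""
    flat = re.sub(r"[ -]", "", text)
    return [run for run in re.findall(r"\d{13,19}", flat) if luhn_ok(run)]


def audit_stored_record(stored):
    """Independent check of what actually reached the database: reports any
    retained sensitive authentication data and any clear-text PAN, whichever
    field it is hiding in."""
    problems = []
    for field in sorted(SENSITIVE_AUTH_DATA & set(stored)):
        problems.append("retained sensitive authentication data: " + field)
    for field, value in stored.items():
        if isinstance(value, str) and find_clear_pans(value):
            problems.append("clear-text PAN found in field: " + field)
    return problems


if __name__ == "__main__":
    stored = sanitise_for_storage(SAMPLE_AUTH_REQUEST, DEMO_KEY)
    print("stored:", stored)
    print("audit of sanitised record:", audit_stored_record(stored))
    leaky = dict(stored, notes="customer called re card 4111-1111-1111-1111")
    print("audit of leaky record:", audit_stored_record(leaky))
```

    The sanitiser and the audit are deliberately separate: the first is the policy applied on the write path, the second is what you would run periodically over the tables themselves, which is the only way to catch a PAN that arrived through a channel the sanitiser never saw (a support note, a log line, a spreadsheet export). Rejecting unknown fields rather than passing them through is the same fail-closed choice: the cost of a missing field is a visible error, the cost of a retained one is the breach the post describes.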

  • 6. Andy Steingruebl  |  April 13th, 2007 at 21:41 UTC


    Can you summarize the protections in UK law for identity and/or credit theft?

    In the US I’m only liable for the first $50 of fraudulent charges, and banks often waive this.

    Should my identity get stolen and credit obtained in my name I have a much bigger problem.

    What are the rules there?

  • 7. Ross Anderson  |  April 13th, 2007 at 21:44 UTC

    The banks make the rules, unfortunately.


  • 8. Clive Robinson  |  April 14th, 2007 at 11:59 UTC

    Brian E,

    “Surely once the transaction has been completed and the retailer has got its money from the Credit Card Company, the card records should be deleted.”

    Alas not. One fairly common form of fraud, as far as retailers are concerned, is that some time after the goods have been delivered and payment received, the card holder notices the charge and says “not mine” to the card company. The card company then takes the money back out of the merchant’s account irrespective of the card holder’s previous record. The merchant then has a very uphill struggle getting either the goods or the money back.

    A lot of small merchants, having been stung this way, then check transactions with the CC company; unfortunately, as the merchant finds out fairly quickly, this has no effect on this. This has prompted more than one company I know of to keep all CC details relating to the transaction in DBs so that they have their own black/grey/white lists to work against.

  • 9. Ross Anderson  |  April 18th, 2007 at 07:20 UTC

    The BBC reports a survey showing that consumers say they will shun hacked stores. Another contribution to the growing literature on the economics of security. Interestingly, 82% of respondents believed they should be notified of security breaches affecting them – politicians take note!

  • 10. giafly  |  April 19th, 2007 at 12:50 UTC


    Re: I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?

    How do you know who you were talking to? Handling such calls may have been outsourced to a call-centre without full access to the company’s CRM system that contained your records. Hence they needed details from you. The call-centre operator had been instructed not to admit this and so misled you.

  • 11. TillMonkey  |  April 19th, 2007 at 15:29 UTC

    Re: “I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?”

    For all the reasons already stated, plus the fact that you could give them an alternate card number for the refund, which is money laundering, especially with the advent of barely traceable prepaid debit cards…

  • 12. Ross Anderson  |  May 4th, 2007 at 21:50 UTC

    According to today’s Wall Street Journal, it’s thought that the folks who broke into TK Maxx exploited the vulnerability of WEP:

    The article’s also interesting in that it shows up how long even the US banking industry took to cope, despite the breach disclosure laws there.
