Comments on: TK Maxx and banking regulation

By: Ross Anderson

Ross Anderson — Fri, 04 May 2007 21:50:11 +0000

According to today’s Wall Street Journal, it’s thought that the folks who broke into TK Maxx exploited the vulnerability of WEP:

http://online.wsj.com/article/SB117824446226991797.html

The article’s also interesting in that it shows up how long even the US banking industry took to cope, despite the breach disclosure laws there

By: TillMonkey

TillMonkey — Thu, 19 Apr 2007 15:29:57 +0000

Re:” I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?”

For all the reasons already stated plus the fact that you could give them an alternate card number for the refund. Which is money laundering, especially with the advent of barely traceable prepaid debit cards……

By: giafly

giafly — Thu, 19 Apr 2007 12:50:21 +0000

Brian,

Re: I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?

How do you know who you were talking to? Handling such calls may have been outsourced to a call-centre without full access to the company’s CRM system that contained your records. Hence they needed details from you. The call-centre operator had been instructed not to admit this and so misled you.

By: Ross Anderson

Ross Anderson — Wed, 18 Apr 2007 07:20:46 +0000

The BBC reports a survey showing that consumers say they will shun hacked stores. Another contribution to the growing literature on the economics of security. Interestingly, 82% of respondents believed they should be notified of security breaches affecting them - politicians take note!

By: Clive Robinson

Clive Robinson — Sat, 14 Apr 2007 11:59:07 +0000

Brian E,

“Surely once the transaction has been completed and the retailer has got its money from the Credit Card Company, the card records should be deleted.”

Alas not, one fairly common form of fraud as far as retailers are concerned is that some time after the goods have been delivered and payment received the Card Holder noticies the charge and says “not mine” to the card company. The card company then takes the money back out of the merchants account irrespective of the card holders previous record. The merchant then has a very uphill struggle getting either the goods or the money back.

A lot of small merchants having been stung this way then check transactions with the CC company, unfortunatly as the merchant finds out fairly quickly this has no effect on this. This has prompted more than one company I know of to keep all CC details relating to the transaction in DBs so that they have their own Black/Grey/White lists to work against.

By: Ross Anderson

Ross Anderson — Fri, 13 Apr 2007 21:44:41 +0000

The banks make the rules, unfortunately

Ross

By: Andy Steingruebl

Andy Steingruebl — Fri, 13 Apr 2007 21:41:37 +0000

Ross,

Can you summarize the protections in UK law for identity and/or credit theft?

In the US I’m only liable for the first $50 of fraudulent charges, and banks often waive this.

Should me identity get stolen and credit obtained in my name I have a much bigger problem.

What are the rules there?

By: Rob Newby

Rob Newby — Fri, 06 Apr 2007 13:51:19 +0000

There are so many conflicting issues at stake here that it’s hard to get to the bottom, but here it is in a nutshell:
There is no legal requirement for retailers to protect card holder information in the UK.
The Payment Card Industry Data Security Standard (PCI DSS) exists globally to protect against payment card fraud. This states that Primary Account Number (PAN), Cardholder Name, Service Code and Expiration Date can be stored encrypted, but magnetic strip, CVC2/CVV2/CID and PIN/PIN Block cannot.
Whether this is sufficient to protect against fraud is a moot point because the enforcement of these standards is performed by 5 credit card companies (VISA, MC, AmEx, JCB and Discover).
They have to therefore monitor and assess every retailer who accepts credit cards, and detect any breach. In the US, this is made easier by California Senate Bill SB1386, a disclosure ruling which has now been adopted by 37 states and is soon to be made a national law. In the UK and Europe there is no such ruling. The FSA is the only body I am currently aware of that has the power to make disclosures, but they are primarily focused on the Financial Sector rather than Retail.
I heard on the grapevine that disclosure was up for review in Brussels in November, I have no proof of this however. We are very much due for it for our own protection. One thing we need to remember however is that just because we comply with regulations like PCI DSS, it does not automatically mean that we are secure.

By: Andrew

Andrew — Tue, 03 Apr 2007 03:49:56 +0000

The retailers are allowed to store card numbers after authorisation of the transaction if they are enciphered (using good cryptography and key management). The storage of full track details or the CVV2 values (the three/four digit code on the back of the card used during CNP transactions) is not permitted post authorisation - regardless of how they are stored.

By: Brian E

Brian E — Mon, 02 Apr 2007 21:17:13 +0000

I just don’t understand why a retailer is allowed to keep all this information. Surely once the transaction has been completed and the retailer has got its money from the Credit Card Company, the card records should be deleted. I know some companies do, I was recently due a refund, and the company needed my credit card number as it had been deleted once the original transaction had been completed. Why don’t they all do the same?