Fraudsters Deal Big Threat to Retailers

It’s a claim that no retailer wants to top.

On Jan. 17, discount retailer The TJX Cos. Inc. divulged that more than 45 million credit- card numbers were stolen from its data-storage banks.

The crime immediately inspired newspaper headlines, but the complete damage from the security breach has yet to be measured for the Massachusetts-based off-price retailer, which operates 67 T.J. Maxx stores and 102 Marshalls stores in California, with more than 1,996 stores nationwide operating under the nameplates of Home Goods, A.J. Wright and Bob’s Stores.

Securities and Exchange Commission documents filed on March 28 noted that T.J. Maxx spent $5 million in pre-tax costs to investigate the crime and improve its security systems. The measure may have taken a relatively small bite out of a company that earns more than $17 billion in net sales annually, but the discount chain may have to pay more.

Since T.J. Maxx admitted the security breach, lawyers have filed class-action suits against the company. Other retailers may be hurt in what authorities said is the biggest credit-card heist in history.

On March 23, police in Gainesville, Fla., said that they had arrested 10 suspects for using some of the credit-card numbers to buy $8 million in gift cards and electronics. A T.J. Maxx representative said the company could not confirm that credit-card numbers stolen in its security-card breach were used in the alleged Florida crime. But the payment industry does not plan to wait for a confirmation or convictions.

On Sept. 26, 2006, an independent advisory council composed of payment companies American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed to manage the Wakefield, Mass.–based Payment Card Industry (PCI) Data Security Standard.

The mission of the organization is to form common security standards to protect the security of accounts and information of creditcard holders. The individual payment companies will set deadlines and penalties for retailers who do not comply with new security standards, according to a representative from PCI.

Yet the possible adoption of standards may not be the final word in the payment industry’s struggle against identity theft and credit-card fraud. Rather, it may be one of the first measures in a continuing fight against these crimes committed by thieves whom the industry has nicknamed “fraudsters,” said Mallory Duncan, a senior vice president and general counsel with the Washington, D.C.–based National Retail Federation.

“It is impossible to build an unhackable system,” Duncan said. “Commercial databases cannot be realistically expected to be more secure than the Department of Defense, and hackers have broken into the Department of Defense [in the past].”

More cards in use

If seeking ways to improve data security will be an ongoing fact of business, industry analysts such as Edward Kountz also caution retailers to put the threat of identity theft and credit-card fraud in perspective.

“It’s not out of control,” said Kountz, an Atlanta-based senior analyst with Jupiter Research.

Consumers are more apt to have their identity stolen by thieves who take credit cards and a driver’s license from a lost or stolen wallet, according to a study released Sept. 12, 2006, by Javelin Research & Strategy, a Pleasanton, Calif.–based consulting group for the credit-card industry.

The study claimed that 30 percent of American consumers were victims of data breach, in which hackers illegally took their information from retailers or organizations such as hospitals and universities. But the percentage of victims of credit-card fraud stemming from a security breach was less than 1 percent.

If credit-card fraud appears to be on the rise, it’s because the market for payment cards has expanded. But the total dollar volume has been decreasing this year, said David Robertson, publisher of “The Nilson Report,” a leading Carpinteria, Calif.–based newsletter reporting on the payment-card industry.

The peak year for dollar volume was 1992, when fraud was estimated to be 15.71 cents for every $100 spent. Credit-card fraud losses reached a historic high in 2006 of $1.24 billion, which represented an increase of 9.3 percent, compared with the previous year, according to “The Nilson Report.”

Staying vigilant

Nonetheless, retailers should always be vigilant to the threat of fraudsters, said Julie Fergerson, founder of the Seattle-based Merchant Risk Association. She said that fraudsters have been getting savvier with their methods of stealing credit-card numbers.

She said one effective tool to find fraudsters is to verify the card through a bank. Or if the retailer is delivering merchandise through mail, check whether the consumer’s billing and shipping addresses match. Fraudsters often use shipping and billing addresses that are located at a great distance from each other. Fergerson also recommended disposing of a customer’s credit-card records after six months.

If a retailer confirms that hackers stole customers’ credit-card numbers from a store’s database, retailers are required to notify consumers that their information was taken in a security breach, according to the 2003 amendment to the federal Fair Credit Reporting Act and California laws such as AB700, which was signed in 2002.

For more information on identity theft, visit the Federal Trade Commission’s Web site on the issue (www.consumer.gov/idtheft). Anyone interested in helping shape the evolving world of PCI can visit the organization’s Web site, www.pcisecuritystandards.org/join/index.htm.