The process seems simple enough. As you reach for your plastic, handing it to your favorite merchant, you pay little attention to what happens to that information once it is swiped. The labyrinth of security measures, supposedly in place as a system of checks and balances, was in fact the system's very undoing.
Once the purchasing process begins, digitized information leaves the merchant headed towards a processing company. This first stop acts as a turnstile of sorts sending the information to the right location in order to authorize payment. Once that is done, the correct bank is identified and sent the request for payment. Within seconds, you will be granted the authorization and given a receipt at the same time one is generated for the authorizing bank.
While the process seems streamlined and efficient, one breach in that data stream can compromise millions of card holders. Because of the potential size of such breaches, the odds are against your credit and subsequent information having escaped unscathed. Days after the exposure of up to 40 million accounts recently, many of the major card issuers were still unsure how bad the damage is.
CardSystems Solutions, one of the early parts of the payment process discovered a breach in their supposedly secure system. Data was stored on the company's computers at a time when that information was supposed to be redirected.
Billed as a security oversight, initial estimates suggest that 200,000 cardholders are at immediate risk but because of the number of regulatory agencies involved in the processing at the bank level, five in all, there is a glaring lack of regulation trickling down to the next stage at the processing level.
Companies such as Visa and MasterCard do their best to assure customer safety through their own standards. In fact, fraud is down year over year as a result. Their processors however are subject only to outside audits paid for by the banks. California laws requires that banks and card issuers notify customers who might be at risk if their customer's information has been compromised. It is because of that state level law that this made the news, although much of the subsequent information was neatly tucked away in the business section of your newspaper.
The Federal Financial Examination Council has begun an investigation which could take two to four weeks before any real questions are answered. The FBI is also involved. But as far as processing regulation is concerned, much of it is done internally. Card issuers are under no obligation by law to disclose those reports unless the system has been breached and even then, it is done as a courtesy.
Banks have little incentive to pass on what little information they may. The costs begin to mount for these institutions once such breaches occur, the least of which coming from the reissuance of the customer's card. The question begs to be asked, who will be held liable? The short answer is: not the card issuers. The long answer is not so appealing.
The wide spread use of credit at all levels of the economy, from card carrying teenagers on up the age and income ladder has grown at a dizzying rate. Inside these transactions, processors regularly expose sensitive data to eyes with enough savvy to look into a system.
CheckPoint and LexisNexis suffered similar breaches recently notifying almost a half million customers between the two data giants of the problem. UPS finally provided an answer to "what brown could do" for us several weeks past after announcing the loss of 3.9 million computer tapes containing credit card info and checks destined for CitiGroup. These were lost or misplaced and have still not been recovered.
The problem rests with the internal priority many of these data handlers have placed on their own systems. If they regularly audit their processes and provide immediate information to consumers about possible breaches in their secure chain, the system is easier to handle and more difficult to undermine. It is also becomes more expensive to operate.
The Gramm-Leach-Bliley Act and the security safeguard that the FTC requires as a consumer protection does not include the contracted companies used in the processing of information. Other than audits and reassurances that they are complying with card issuer requirements, the system is ripe for fraudulent operators who are able to find room to drop scripts into the system to harvest information.
There is also a liability issue at stake. Who should pay for what has happened and what should we do short of not using credit in any way, shape, or form? The card issuers should pay for any breach in the process but don't count on it. Much of the loss will be passed onto the merchant who sold the goods to a fraudulent account and ultimately those costs will be passed on to the consumer. This group has an incredibly powerful lobby to battle any regulation that would attempt to change their liability otherwise.
Much of the problem lies with the continued free flow of your Social Security numbers. Far too many companies require the use of that number as identifier. Currently, only in-house regulations by companies themselves are watchdogging over the system. You can and should refuse to offer your number during not only computer transactions but on cellular transmissions as well. Insist that the company requiring you to give them this vital piece of information has security in place to protect that number. Many people never ask what those safeguards are.
Congress should move quickly to make consumer notification of lost information a nationwide priority. As I mentioned earlier, California is the only state with such notifications in place. Should there be no breach affecting consumers from that state, banks issuing credit or other institutions that handle sensitive data can keep the information of such breaches internal while waiting to see how the data was compromised.
All credit requests should come from notarized sources. Sounds like a hassle but by authorizing credit checks, you have essentially insisted on confirmation that it was indeed you that has applied for new credit.
As technology continues to allow rapid transfer of data, password protection has become less secure as well. Software exists that can crack just about any combination of characters and numbers. This has led to an increase in "phishing" for account numbers using emails that seem to be authentic. Once again, the companies involved can add another level of protection in the form of smart cards or tokens.
Being able to turn off your credit could help immensely. The Federal Credit Billing Act protects consumers whose credit cards have been compromised for anything beyond $50 but that law does not include using stolen information used to open new lines of credit or even from illegal equity taps.
The consumer should begin a list of all those who have any credit information on you from your phone company and cable provider to brokerage accounts and banks. Check all statements monthly for any changes to your information or services that may have been added. Phone your bank for weekly statements that affect your checking and debit accounts. Protect you mail boxes from theft. And insist that your state's senators push for a widening of the Gramm-Leach-Bliley Act to include all legs of the processing of data.
And lastly, check your credit yearly with the following company:
