Sunday, February 22, 2009

Are E-Commerce Merchants at Risk in Mystery Data Breach?

Days before the Heartland Data Breach was announced, volunteer computer security experts at the Open Security Foundation had already figured out what had occurred. Many believe Heartland is going to become the largest data breach in history and will surpass the TJX caper. At this point, only time will tell.

Now the folks at the Open Security Foundation are predicting another data breach at a card processor/acquirer that hasn't been announced to the public yet. For over a week, they have been speculating about this mysterious data breach based on a tip, which was corroborated by other anonymous sources.

In their latest post, they state they knew it was a card not present breach at a processor/acquirer, but didn't initally report it. They are now reporting this development based on it being revealed by another source.

On February 21, 2009, revealed evidence of this data breach based on information sifted from two credit union sites ( and Pennsylvania Credit Union Association CardNet).

The only data elements at risk are account numbers and expiration dates. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. The period of exposure being reported is from February to August of 2008.

It has also been written that the exposure was enabled by malicious software that was placed on the unknown acquirer/processor's system. Both of the credit union sources also state that it is being left up to the card issuers, whether to issue new cards or monitor the accounts for fraud. Reissuing cards has become a major expense to the card issuers after a data breach is discovered.

This makes me wonder if we will discover that the acquirer/processor was PCI DSS (Payment Card Industry Data Security Standards) compliant? PCI DSS is the payment card industry's own set of standards to protect data. In many of the recent breaches, the "breached" met this standard, which has led to questions as to whether it is really effective or not.

Both articles also indicate that Visa/Mastercard are not revealing the source of this breach until the "mysterious source" of it makes their own announcement on the matter.

Given these reports, my speculation is that this information could be used in e-commerce type transactions. If only primary account information and expiration dates were exposed — counterfeiting it on cloned cards is unlikely. It simply wouldn't be feasible to do so by the criminals involved.

This doesn't mean that there are no financial risks involved to businesses in this data breach. E-commerce fraud is a big problem and its estimated impact on merchants last year was $4 billion. To fight this problem, most e-commerce merchants manually review orders to detect fraud, which can be a substantial payroll cost. The percentage loss to fraud in e-commerce has been stable for about three years, but since sales have increased, the dollars lost to it are growing.

Card-not-present chargebacks are frequently returned to merchants as chargebacks. The best way of avoiding these types of chargebacks is to verify transactions using the address verification service (AVS), the card verification value code 2 (CVV2), the card validation code 2 (CVC2), and the card identification (CID) when processing transactions. Smaller merchants — who ironically are charged the highest interchange fees for accepting card payments — are at the most risk because fraudsters count on the fact that they do not verify a lot of this data because of the associated costs and their ability to afford doing so.

Perhaps this one of the reasons why there is no rush to reissue cards. If the only information stolen can be used in card-not-present transactions, the card issuers are at little risk of suffering any financial losses. They will simply charge them back to the merchants, who failed to ensure the transaction wasn't fraudulent. It might be a good time for e-commerce merchants to be more cautious.

From what I can gather, this matter isn't exactly confidential; having said that, it appears that primarily financial institutions are being warned and not the e-commerce merchants who logically will be the primary target if this stolen information is used. The costs in the aftermath of data breaches are substantial and who bears the brunt of them is becoming a hot topic.

To close this post, I will refer to a good information source on preventing chargebacks from Wells Fargo. There are a lot of other sources, but a lot of them are selling something. If anyone has any other good sources, please feel free to leave a comment and share them with everyone!

No comments: