Retailers are concerned that they might bear the brunt of lapses in credit and computer security, including the breach disclosed last week that led to hundreds of thousands, and perhaps millions, of credit card numbers being stolen from a credit processing center.
American business suffers roughly $50 billion in annual losses from credit card fraud, including identity theft, Federal Trade Commission Chairman Deborah Platt Majoras told a Senate panel last week. Consumers can't be held responsible for more than $50 of fake charges, according to federal law, and many credit companies absolve them of that - choosing to hold the merchant responsible.
"The system assumes that somehow the retailer is at fault for the fraud happening in their stores," Elizabeth Oesterle, the National Retail Foundation's government relations counsel, said in an interview yesterday.
The issue flared last week after the credit processor, Atlanta-based CardSystems Solutions Inc., was found to have compromised as many as 40 million credit card numbers when a hacker apparently broke into its system at an Arizona facility last month.
At least 200,000 numbers are confirmed stolen from CardSystems, which processes credit transactions for small and mid-sized businesses. About 68,000 of them came from MasterCard International Inc., which said it discovered the breach through its security monitoring system.
It's unclear how many numbers have been fraudulently used. The Federal Bureau of Investigation is examining the case. Reports began surfacing worldwide yesterday, outlining the effects on other countries, including Japan and Israel.
MasterCard said CardSystems Solutions shouldn't have been storing data at all, according to its policies. It was the latest lapse in the pipeline that funnels vast flows of personal data around the clock between cash registers and financial institutions.
Among the others were the losses last month of personal information for 3.9 million Citigroup Inc. customers, when UPS misplaced computer tapes, and of payroll information stolen from the car of an employee of SafeNet Inc., a Harford County information security company.
Store owners - particularly small to mid-sized merchants who don't know how to fight the system - frequently end up paying for fraudulent charges made in their establishments, Oesterle said.
Harold Smith, a manager at Acoustix Clothing in Baltimore, said his small business had to pay $1,300 when a stolen card was used there during the past year. The credit card companies "take their money right off the top," Smith said.
The National Retail Federation is asking credit companies to beef up security by adding PINs to their cards to help avoid fraud altogether.
"We did not create these cards. It's their system," said Mallory Duncan, the group's chief counsel, referring to the credit card providers. "When a thief takes advantage of the flaws in the system, the first burden should be on them rather than the retailer."
MasterCard was quick to point out that the "breach happened at CardSystems Solutions. It's not a breach of MasterCard security, that's very important," said spokeswoman Jessica Antle.
"It is the processor that had the situation," echoed Judy Tenzer of American Express, although few merchants use CardSystems Solutions for American Express transactions.
The affected credit card companies, which included Discover Financial Services and Visa USA, seemed to have had little time to sort out the details. Though they were quick to say they wouldn't hold consumers liable - they all have "zero liability" policies when it comes to fraudulent charges - they couldn't yet outline their next steps.
"We retailers very much hope that the card issuers will do the right thing. It's in their power to do that," Duncan said.
In typical credit card fraud, such as the stolen-wallet kind, the burden of proof is on the store in which an illegal transaction occurred. Merchants have to prove they followed security procedures, such as checking a card for a signature, or they must pay.
This time, Duncan said, the credit companies know the numbers that were stolen and could spare merchants from having to jump through hoops.
Still, the credit giants were reluctant to comment.
Who would pay "depends on the nature of the fraud," said Leslie Sutton, a spokeswoman for Discover. "It's determined on a case-by-case basis. ... Until the investigation is completed, I really wouldn't know."
Most credit card companies have security systems in place to fight fraud.
For example, Visa USA introduced a new technology this month called Advanced Authorization. It purports to stop card fraud at the checkout line by analyzing a purchase immediately to see whether it fits the cardholder's prior spending patterns and stopping suspect transactions before they occur.
Visa estimates the system will save about $164 million in fraud losses over the next five years.
"We have been working on anti-fraud measures for years now and currently spend hundreds of millions of dollars on fraud a year," said Jean Bruesewitz, senior vice president of processing and emerging products at Visa USA.
"In the past, fraud detection service took place about 20 minutes behind the time of the actual transaction. It was too late.
"If a card was stolen, you could purchase something at one store, take 10 or 15 minutes to walk to the next store and by then, the fraud might be detected and denied."
Visa can't control the security at a third party, however. CardSystems Solutions did not return calls yesterday, but according to a statement on its Web site, it has evaluated its security system and installed additional safety measures since detecting the security breach May 22.
"We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood," the statement reads. "We are sparing no effort to get to the bottom of this matter."
That might not be enough to keep MasterCard as a customer, though. CardSystems provides payment processing for small to medium-sized businesses, handling $15 billion in credit card transactions annually at more than 115,000 locations. It is supposed to discard the information immediately afterward. Its chief executive officer told The New York Times that CardSystems Solutions had been storing numbers for research purposes.
"CardSystems was in violation of our rules," MasterCard's Antle said. "We have given them a limited amount of time to demonstrate compliance."
Simon Khalaf, chief executive of California-based Vernier Networks, said his network security firm has been inundated with calls from businesses now worried about protecting their computer systems from security breaches.
"Companies need to start thinking of how to secure the data, not how to react once it's stolen," Khalaf said, highlighting another danger for merchants. They also store personal data and credit numbers, not just the big companies.
Said Khalaf, "They could be next."