A long way from data security for some credit cardholders

By TRISHA EVANS
Daily Oklahoman Business Writer

OKLAHOMA CITY -- No retailer wants to be the next TJX Co., victim of one of the largest data breaches in recent history, but many might as well paint a bull's eye across their marquees and post the sign "Hackers Welcome."

The TJX breach resulted in at least 45.7 million compromised debit and credit cards used at TJ Maxx, Marshalls and other TJX stores. The incident, which easily could have been avoided by a simple software upgrade, will cost TJX millions of dollars.

And many retailers apparently still aren't protected. It's surprising how many businesses are wide open for hackers, said Merrill Likes, president of Edmond-based UpTime, a business specializing in data security.

Threats abound around every corner, and to make matters worse, cyber thieves are getting better.

Crooks often enter through unprotected wireless networks, Likes said. Often employees unknowingly bring in rogue access points via a wireless bridge or router. Even equipment as innocuous as cash registers and point-of-sale systems can pose security threats -- especially if the equipment stores sensitive cardholder data.

For Likes, it's not a matter of if another huge data breach could happen again: "It's a matter of when."

According to the Federal Trade Commission, 52 million account records were stolen in 2005, and nine million Americans were victims of identity theft, with losses adding up to $54 billion. In 2006, there were 30 million records compromised by security breaches.

Currently, TJX faces lawsuits from consumers and shareholders, a class-action lawsuit filed on behalf of 300 banks that claims millions of dollars in damages and investigations from attorneys general in 30 states.

Meanwhile, credit card companies are calling for merchants to make fundamental changes in the way they protect cardholder data. In September, the payment card industry drew up a uniform code of data security standards as a way to keep cyber fraud at bay. The 221 guidelines apply not only to retailers, but anyone who processes, transmits or stores cardholder information.

Data security expert Roger Nobel of FTI Consulting said retailers can effectively avoid data breaches by adopting the standards.

"Breaches happen because the majority of merchants are not compliant," he said.

Under the regulations, merchants are required to protect sensitive data by encrypting it or truncating it. The PCI (payment card industry) rules also set intrusion detection and protection standards and make logging mandatory. Plus, merchants are required to have an annual audit.
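One concrete form of the "truncate it" control described above, as an added example that is not from the article or from any company it quotes: a small Python scrubber that finds Luhn-valid card numbers in stored point-of-sale records and keeps only the first six and last four digits, which is the most PCI DSS permits to remain visible. The log lines are constructed; the Luhn check keeps ordinary digit runs such as transaction ids from being mangled.

```python
import re
from typing import Tuple

# Luhn checksum: weeds out digit runs (order numbers, timestamps) that are not card numbers.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with X."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN truncated, and how many were found."""
    count = 0

    def repl(m: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)     # not a card number: leave untouched
        count += 1
        return truncate_pan(digits)

    return PAN_RE.sub(repl, line), count

if __name__ == "__main__":
    # Constructed POS records using published card-brand test numbers, not real accounts.
    sample = [
        "2007-03-12 12:01:05 POS-03 SALE 4111111111111111 $42.10 txn=1234567890123",
        "2007-03-12 12:02:44 POS-01 SALE 5500 0000 0000 0004 $9.99 txn=1234567890124",
        "2007-03-12 12:03:10 POS-01 SALE 378282246310005 $120.00",
    ]
    for rec in sample:
        cleaned, n = scrub_line(rec)
        print(f"{n} PAN(s) truncated: {cleaned}")
```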

"None of these controls by themselves are perfect. Encryption of data is not a perfect, silver bullet control," Nobel said. "You need all the controls working together in order to have a secure environment."

Visa USA has implemented a combination of fines and incentives for merchants to become compliant. These won't be applied directly to the merchants but to merchant banks -- those who process the merchant's debit and credit cards.

To speed up compliance, Visa pledged $20 million in incentives in the form of lower interchange fees for merchant banks of the largest compliant merchants who haven't had data breaches.

Visa also announced plans to levy fines against merchant banks whose clients aren't compliant.

Those banks will be fined between $5,000 and $25,000 a month for each of their largest merchants that hasn't achieved compliance before Sept. 30 or Dec. 31, depending on its size. So far, only 35 percent of Visa's merchants that process more than 6 million transactions a year are compliant with the payment card industry standards. And 51 percent of the largest merchants have begun the compliance process, said Eduardo Perez, Payment System Risk for Visa USA.

Among those processing 1 million to 6 million transactions a year, compliance is at 26 percent, with another 22 percent taking steps to become compliant. E-commerce businesses processing between 20,000 and 1 million annual transactions have achieved 51 percent compliance, with an additional 16 percent taking steps toward compliance.

Retailers have been slow to adopt the payment card industry standards. The National Retail Federation estimates only about 40 percent of the largest U.S. retailers are compliant.

"It's an all or nothing approach. There are no degrees of compliance," NRF vice president Dave Hogan said.

Hogan, also chief information officer, criticized the PCI standards as a "convoluted" program.

Retailers "get no clear direction from the associations," such as Visa and MasterCard, he said.

He also criticized the card associations for not responding in a timely manner to retailers' questions about their security status. Some, he said, may wait for six months or longer before a response.

Other critics say the program is too costly and complicated.

Bob Russo, general manager of the PCI Security Council, disagrees.

"Is it more complicated and costly than all these lawsuits that you wind up with and all the remediation?" Russo asked. "What does it say about your brand if you're the next person they read about in the newspaper?"

(Distributed by Scripps Howard News Service, www.scrippsnews.com.)