The case against a group of hackers charged last week with swiping over 40 million credit-card numbers from major U.S. retailers has many smaller business owners rethinking their data security efforts.
"Every time a story like this hits the news, we see a lot of retailers worried about how vulnerable they are," says Terri Quinn-Andry, a data security compliance manager at Cisco.
On Tuesday, federal prosecutors disclosed charges against 11 people in connection with a global retail hacking ring they say accessed customer payment data on computer networks at OfficeMax, Barnes & Noble, BJ's Wholesale Club and six other retailers. The data was then stored on encrypted servers and sold online, or used to withdraw tens of thousands of dollars from ATMs, investigators say.
Attorney General Michael Mukasey has called the scheme the "single largest and most complex identity theft case ever charged in this country."
Yet, some data security experts say it's just the tip of the iceberg.
"This week's case must serve as a wake-up call for consumers, the credit industry and government agencies," says Todd Davis, the CEO of LifeLock, a Tempe, Ariz.-based identity protection firm.
According to the Federal Trade Commission, credit-card fraud and identity theft cost the U.S. economy about $50 billion every year. A recent study by Identity Theft 911, a Scottsdale, Ariz.-based data protection firm, found that nearly 1.5 million Californians were victims of identity theft last year alone, spending an estimated six million hours resolving the issue.
Despite those numbers, big and small retailers across the country have been slow to comply with a set of industry-wide safeguards known as the Payment Card Industry Data Security Standard, or PCI DSS. Many retailers complain that full compliance is simply too costly. Last October, California Gov. Arnold Schwarzenegger vetoed a bill that would have codified PCI standards, among other moves, citing higher costs for small businesses.
The National Retail Federation has urged the PCI Security Standards Council, an industry body that oversees credit-card data security measures, to allow merchants to store special transaction codes, rather than actual purchase data. Card companies typically require store owners to retain purchase data for up to 18 months to satisfy retrieval requests.
"Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place," NRF Chief Information Officer David Hogan said in a letter to the council last fall. Though reconfirming the retail industry's commitment to PCI compliance, Hogan said it "makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."
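The NRF proposal above amounts to tokenization: the merchant keeps a random transaction code, and only the card company's vault can map it back to a card number. The following is an added illustration, not code from the article, the NRF, or any card company; the `TokenVault` class, the `record_sale` helper and the test card number are constructed assumptions. It shows why a dump of the merchant's sales table yields nothing usable while retrieval requests can still be answered.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; rejects malformed numbers before anything is stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault held by the card company or processor: the only
    component that ever keeps a full primary account number (PAN)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        if pan in self._token_by_pan:        # same card -> same token, so a
            return self._token_by_pan[pan]   # merchant can still link repeat purchases
        token = secrets.token_hex(16)        # random; carries no information about the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. for a
        retrieval request); a merchant database holds nothing to reverse."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant would retain for the 18-month window: token, masked PAN, amount."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
        "amount_cents": amount_cents,
    }


def exposes_pan(records, pan: str) -> bool:
    """Models an intruder who has copied the merchant's sales table: is the full PAN there?"""
    return any(pan in str(v) for r in records for v in r.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number (a standard Luhn-valid test value, not a real account).
    pan = "4111111111111111"
    sales = [record_sale(vault, pan, 4999), record_sale(vault, pan, 12000)]
    print(sales)
    print("full PAN present in merchant data:", exposes_pan(sales, pan))            # False
    print("vault answers retrieval request:", vault.detokenize(sales[0]["token"]) == pan)
```

The design point is that the token is random rather than derived from the card number, so even an attacker who knows the scheme cannot recover the PAN from merchant records; the mapping lives solely in the vault, which is the "relatively few secure locations" the NRF letter describes.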
As an incentive, Visa has offered larger PCI-compliant retailers discounts on credit-card processing fees, along with fines for those that continue to lag behind.
According to Quinn-Andry, many smaller retailers also mistakenly believe that professional hackers only target big-box stores. As a result, they often hesitate to make costly investments in data security. But after last week's bust, they're likely thinking twice, she adds.
"Whether it's an international ring or a 16-year-old teenager trying to get a new Xbox, your name is still going to get in the headlines," she says.