Monday, December 03, 2007
Visa fines Ohio bank in TJX data breach
Card firm also faulted Fifth Third's security in '05 theft at BJ's
By Ross Kerber, Globe Staff | November 24, 2007
Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows.
Fifth Third operates more than 1,150 bank branches in the Midwest and Florida and is one of the nation's leading processors of transactions for merchants.
Banks, retailers, and credit-card firms such as Visa and MasterCard Inc. have locked horns in recent years over the issue of data security. All parties agree that in the wake of major breaches such as TJX's, in which the data of nearly 100 million customers was compromised through the end of last year, consumer information needs better protection.
Visa, the largest payment system, had threatened to levy fines when merchants didn't meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa's most recent count in October, more than a third of the largest US stores didn't meet the requirements.
In the BJ's case, hackers apparently broke into the Natick company's database and stole the credit-card information of some of its 8 million customers. The information was then used to make fraudulent purchases. BJ's settled charges with the Federal Trade Commission in 2005 that it failed to take appropriate security measures.
Neither Visa nor its competitors in the $3 trillion payment card industry will give details of what fines they may have issued. Meanwhile trade groups like the National Retail Federation complain the guidelines put too many security burdens on merchants themselves, and say that banks are more interested in generating fees from card payments than in boosting security.
The fines in the cases of TJX Cos. and BJ's underscore these issues. Technically, Visa and MasterCard can't fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic.
The arrangement creates tensions because it means card networks aren't directly responsible for security, said Michael Gavin, a strategist for Security Innovation in Wilmington who audits companies to be sure they comply with the standards. "When you pass the responsibility on to them, it's kind of like playing telephone," Gavin said.
That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX, Gavin said. "Fifth Third is definitely guilty of not requiring its merchants" to meet current security standards, he said, "and it has no excuse other than it was willing to accept the risk that any of them might suffer a data breach."
Spokesmen for Fifth Third and Visa have declined repeated requests to interview executives and said they would comment for this article.
A study this year by trade publication Nilson Report showed Fifth Third was the fifth-largest processor of bank card transactions for merchants, handling 2.5 billion bank credit card and debit transactions worth a total of $137 billion in 2006, up 19 percent from 2005.
Visa fines against Fifth Third first came to light in litigation pending against TJX, which faces claims in federal district court in Boston from smaller banks who say the company didn't do enough to protect its data against hackers. These banks are suing to recover the costs of the payment cards they reissued after the breach.
TJX has denied wrongdoing, saying the banks reissued many cards unnecessarily, and the banks themselves were partly responsible for not insisting on better security technologies such as cards with integrated computer chips.
The litigation led to the public filing last month of a June 22 letter from Visa showing it had levied $880,000 in penalties against Fifth Third including what it called an "egregious fine" of $500,000 "due to the seriousness of this security incident and the impact on the Visa system." TJX has said the fine is being appealed, which could indicate the bank had presented TJX with the bill, but neither would give further details.
Details of the fine against Fifth Third in the BJ's case came in previous litigation in Pennsylvania filed against the bank, BJ's, and IBM Corp. by a Pennsylvania credit union seeking to recover the costs of replacing compromised cards.
In a memorandum dated June 16, 2006, US District Judge William W. Caldwell wrote that a forensic investigation of BJ's credit-card processing systems found it was storing all the information on the magnetic stripes of customer payment cards on its systems, which could make personal data easier to abuse after it was captured by hackers.
Fifth Third was responsible for making sure BJ's systems met security standards, Caldwell wrote. Visa fined Fifth Third $555,000 in late 2004 for violations of operating rules.
In addition, he wrote, Fifth Third had paid $872,664 to date meant for banks to cover fraud costs, adding that more cases were still coming in. Parties in the case declined to comment or to give more details about the penalties.