Securing Card Data Isn't an Easy Sell

Computerworld - Recent data compromises, such as one involving the Sam's Club wholesale chain, highlight the challenges that credit card companies face in enforcing the security standards that went into effect last July for all businesses processing credit transactions.
Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.
Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.
But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.
Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.
Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.
"This is in direct violation of card association rules," Davidson said. "I would love to know why merchants are doing this." She added that CUNA Mutual has had several meetings with MasterCard and Visa to discuss the data storage issue.
In April, the insurer filed a lawsuit against BJ's Wholesale Club Inc. seeking to recover losses incurred as a result of a security breach that compromised 40,000 credit and debit cards. The lawsuit, which BJ's is contesting, alleges that the retailer stored account and customer information in violation of MasterCard's and Visa's regulations.
Many of the problems stem from the older point-of-sale systems that some merchants use to process card transactions, said Michael Petitti, a senior vice president at Ambiron TrustWave, a Chicago-based provider of security and PCI compliance services to the