New Zealand retailers are being warned to check the detail of their credit card contracts or face being left with a huge bill should a stolen credit card be presented, as retailers are not legally protected from some liability.
The warning follows the news that a US credit card processing company, CardSolutions of Arizona, had exposed 40 million credit card transactions to the internet and had definitely lost at least 200,000 — with 13,000 New Zealand credit card accounts being compromised.
As Computerworld went to press, New Zealand banks were phoning affected customers to let them know their cards would be cancelled and new cards issued.
The chief executive of the Retailers Association, John Albertson, says merchant liability differs depending on whether the transaction is conducted face to face or without the card being present, such as in an online environment.
"If it's face to face then the retailer is generally okay so long as they follow the listed steps. If it's online, however, it really depends on the contract they've signed with the bank. Some banks will take all of the liability but some won't, depending on the level of information gathered by the merchant."
However, the sudden rise in the severity of information thefts from credit card companies, banks, insurance houses and other agencies isn't due to security standards slipping, says local security expert Nick FitzGerald, because the standards have always been low.
FitzGerald, the editor of Computerworld's Virus and Security Watch email newsletter, says the cynic in him sees another reason for the sudden rash: self-preservation.
"It all started about 18 months ago, about the time the new law in California kicked in requiring companies to alert customers should hackers gain access to unsecured servers containing their information. I don't think there's been a sudden drop in security procedures, I think this means these companies have always been lax about security and our identities."
FitzGerald says the Californian law, AB 1386-Peace/Chapter 915, coupled with the US Sarbanes-Oxley Act, means company directors will find themselves personally liable for huge fines, if not imprisonment, if they don't disclose information about security problems in a timely manner.
"Suddenly it's become cheaper for them to announce the breach of security and take the publicity hit that's associated with it, than to pay the fine even if they were caught out by some existing legislation."
FitzGerald says Sarbanes-Oxley is costing some sectors, such as health and financial sectors, as much as Y2K as they try to cope with demands imposed on record-keeping, continual reporting and other aspects of the laws.
The Californian law, which has been copied in varying degrees by other US states, requires any company that believes a breach has occurred to contact the affected individuals directly if fewer than 500,000 people are involved. For larger instances of data theft, a message on the company website and advertising in major newspapers is required. FitzGerald says that while this seems relatively minor, the law appears to be working well.
"Initially I thought it was quite weak, quite small in its reach, but it seems to have struck just the right balance between carrot and stick to make it work."