Criminals also obtained the associated expiration dates, giving thieves the information they would need to make an online purchase on some e-commerce sites. E-retailers should pay careful attention to any early warning signs of fraud, says one security expert.
Target Corp. confirmed today that criminals may have obtained 40 million credit and debit card numbers that shoppers used at Target’s stores from Nov. 27 to Dec. 15. The expiration dates associated with those cards were also compromised, giving the thieves the data they would need to make a purchase at some retail web sites.
The breach occurred in Target stores, and the thieves also obtained the CVV, or Card Verification Value, encoded on the magnetic stripe of credit and debit cards. However, they did not get the CVV2 code, the 3- or 4-digit code printed on the card that many online retailers use to verify that a consumer making a purchase has the card in hand.
However, not all retailers ask for the CVV2 code. There is, therefore, some risk to e-retailers, and they should be on the alert, says one security expert.
“With that big of a compromise, about all merchants can do is look for suspicious activity,” says Julie Fergerson, vice president of emerging technologies at payment security service Ethoca Ltd. “Any tool they have that might be an early warning, they should definitely pay attention to those tools.”
Target, No. 18 in the 2013 Internet Retailer Top 500, says it has notified law enforcement authorities and the financial institutions that issue the credit and debit cards. The retail chain also posted a note on Target.com notifying consumers of the data breach. “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports,” the statement says.
Visa says it is aware of the Target data breach, which the company notes impacts all major card brands. “When such incidents occur, Visa works with the breached entity to provide card issuers with the compromised accounts so they can take steps to protect consumers through fraud monitoring and, if needed, reissuing cards,” a spokeswoman says. “Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows.”
CyberSource, an online payment security company that is now part of Visa, has reported that North American retailers lost 0.9% of their online revenue to fraud in 2012, for an estimated $3.5 billion.
Target, which operates 1,778 bricks-and-mortar stores in the U.S. and Canada and sells online at Target.com, says the data breach may impact “certain guests making credit and debit card purchases in its U.S. stores.” A spokesman says Target.com customers were not affected.
It should not impact many online retailers, however, because the thieves did not get the 3- or 4-digit CVV2 value many e-retailers require when a consumer makes a card purchase online or on the phone, says Larry De Palma, president and CEO of TDG-Phenix Inc., a payments consulting firm. In addition, he says, web retailers typically verify that the billing address the consumer enters matches the one on record for the card being used. Since the thieves wouldn't have that address, a retailer who verifies the address and requires a match should not be defrauded.
In light of the compromise, Fergerson says that when online retailers identify any orders as fraudulent they should note all the order details, such as shipping address and e-mail address. “It is more likely that fraud details will be used repeatedly during a data breach and this will help prevent repeat criminal attacks if it is the same organized crime group,” she says.
They should also take note of any increase in the number of orders being routed for manual review, as that could be an indication that the criminals responsible for this attack are using the card numbers to commit fraud at e-retail sites. They should also review chargeback complaints from legitimate cardholders. Although there is typically a delay of four to six weeks between the fraud and the cardholder complaining, any such complaint “may be the first indication that the merchant is a victim of increased fraud volumes due to the data compromise,” Fergerson says. She notes that services like Ethoca Alerts notify merchants when card issuers begin to see fraudulent activity, and that those warnings can come within days, rather than waiting several weeks for chargebacks to arrive.
“Be vigilant,” Fergerson advises. “Educate your fraud team to look for patterns that seem unusual or out of the ordinary. Often there are signs that in isolation don’t seem like a warning, but in the context of a data breach they can help to more quickly identify and shore up any holes the criminals may be attempting to exploit.”
Incidents like these underscore the importance of retailers paying close attention to protecting payment card data, says John Kindervag, a vice president and principal analyst at Forrester Research Inc. He says a breach in 2007 at TJX Cos., operator of such retail chains as TJ Maxx and Marshalls, likely cost the company between $100 million and $250 million.
“Usually in credit card security, people are very penny-wise and pound-foolish,” Kindervag says. “This is a business of 'pay me now or pay me a lot later.'”
Fraud-prevention vendors are moving into action in the wake of the disclosure, including Retail Decisions, also known as ReD. "ReD is actively working with a number of issuers, obtaining lists of potential compromised cards for enhanced monitoring, to identify card testing behaviors as well as other fraudulent trends, then alerting both issuers and merchants for prevention and remedial actions,” says Erika Gallo, director of global risk management.
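The controls Fergerson describes above (keeping the e-mail and shipping details of confirmed-fraud orders and matching new orders against them, and watching for a jump in the manual-review rate) and the card-testing behaviour ReD says it monitors for can all be expressed as simple checks run over a merchant's own order log. The following is an added example written for this page, not code from Target, Ethoca, ReD or the article; the Order fields, the sample orders and the thresholds are all assumptions, constructed here so the checks run offline.

```python
"""Early-warning fraud signals for an e-retailer after a card-data breach.

Added example, not code from Target, Ethoca, ReD or the article. Order fields,
sample orders and thresholds are assumptions, constructed so the checks run offline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: datetime
    card_last4: str
    amount: float
    email: str
    ship_addr: str
    ip: str
    manual_review: bool = False  # routed to manual review by existing risk rules


def _norm(text):
    """Case- and whitespace-insensitive form so trivial variations still match."""
    return " ".join(text.lower().split())


def reuse_of_fraud_details(orders, confirmed_fraud):
    """Orders reusing the e-mail or shipping address of a confirmed-fraud order.
    One crime group working a stolen set tends to reuse drop addresses and mailboxes."""
    bad_emails = {_norm(o.email) for o in confirmed_fraud}
    bad_addrs = {_norm(o.ship_addr) for o in confirmed_fraud}
    known = {o.order_id for o in confirmed_fraud}
    return sorted(o.order_id for o in orders if o.order_id not in known
                  and (_norm(o.email) in bad_emails or _norm(o.ship_addr) in bad_addrs))


def manual_review_spike(orders, baseline_rate, factor=2.0, min_orders=5):
    """{ISO date: review rate} for days whose rate exceeds baseline_rate * factor.
    Days with fewer than min_orders are skipped so one quiet-day review is not an alarm."""
    per_day = defaultdict(lambda: [0, 0])  # date -> [orders, reviewed]
    for o in orders:
        per_day[o.ts.date()][0] += 1
        per_day[o.ts.date()][1] += int(o.manual_review)
    return {d.isoformat(): round(r / n, 2) for d, (n, r) in sorted(per_day.items())
            if n >= min_orders and r / n > baseline_rate * factor}


def card_testing(orders, window=timedelta(minutes=10), min_cards=5, max_amount=5.0):
    """{ip: distinct cards} for IPs pushing many cards through small authorizations
    inside one window, the pattern used to validate a stolen list before spending."""
    by_ip = defaultdict(list)
    for o in orders:
        if o.amount <= max_amount:
            by_ip[o.ip].append(o)
    flagged = {}
    for ip, small in by_ip.items():
        small.sort(key=lambda o: o.ts)
        start = 0
        for end in range(len(small)):  # sliding window over the sorted attempts
            while small[end].ts - small[start].ts > window:
                start += 1
            cards = {o.card_last4 for o in small[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged


def _mk(oid, day, hh, mm, last4, amount, email, addr, ip, review=False):
    return Order(oid, datetime(2013, 12, day, hh, mm), last4, amount, email, addr, ip, review)


# Constructed sample: a quiet Dec. 18, then a Dec. 19 with one confirmed-fraud order
# (o100), two orders reusing its details, and six $1 authorizations from one IP.
ORDERS = [
    _mk("o001", 18, 9, 0, "1001", 45.0, "ann@example.com", "1 Elm St, Springfield", "192.0.2.11"),
    _mk("o002", 18, 10, 0, "1002", 80.0, "ben@example.com", "2 Elm St, Springfield", "192.0.2.12"),
    _mk("o003", 18, 11, 0, "1003", 25.0, "cat@example.com", "3 Elm St, Springfield", "192.0.2.13"),
    _mk("o004", 18, 12, 0, "1004", 99.0, "dan@example.com", "4 Elm St, Springfield", "192.0.2.14"),
    _mk("o005", 18, 13, 0, "1005", 60.0, "eve@example.com", "5 Elm St, Springfield", "192.0.2.15"),
    _mk("o100", 19, 10, 0, "4242", 189.0, "mule42@example.net", "12 Drop St, Anytown", "203.0.113.5", True),
    _mk("o101", 19, 10, 30, "5555", 220.0, "Mule42@Example.net", "9 Other Rd, Elsewhere", "203.0.113.9", True),
    _mk("o102", 19, 11, 0, "7777", 75.0, "sam@example.com", "12  drop st,  anytown", "203.0.113.10"),
    _mk("o103", 19, 11, 30, "8888", 40.0, "al@example.com", "1 Main St, Metropolis", "192.0.2.21"),
    _mk("o104", 19, 12, 0, "9999", 60.0, "bo@example.com", "2 Main St, Metropolis", "192.0.2.22", True),
] + [  # card-testing burst: $1.00 each, six different cards, one IP, within five minutes
    _mk(f"t{i}", 19, 13, i, f"000{i}", 1.0, f"t{i}@example.org", "PO Box 1, Nowhere", "198.51.100.7")
    for i in range(1, 7)
]
CONFIRMED_FRAUD = [ORDERS[5]]  # o100, reported back by the issuer


def run_all(baseline_rate=0.10):
    return {"reused_details": reuse_of_fraud_details(ORDERS, CONFIRMED_FRAUD),
            "review_spikes": manual_review_spike(ORDERS, baseline_rate),
            "card_testing": card_testing(ORDERS)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

On the constructed data the address and e-mail match-up catches o101 and o102 even though the criminal varied case and spacing, the 19th is flagged because 3 of 11 orders went to review against a 10% baseline, and the six $1 authorizations from 198.51.100.7 are reported as card testing. In practice the baseline rate would come from the weeks before the breach announcement, and the block list would be fed from issuer alerts and chargebacks as well as the merchant's own reviews.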