Estimated read time: 3-4 minutes
This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
Ashley Hayes Reporting Most people are careful when giving out personal information for fear of having their identities stolen.
But for millions of people, their personal information has been compromised just by swiping their credit cards to pay for daily purchases. Hackers have been targeting businesses that accept credit cards and in many cases have been successful in stealing the information stored on those cards.
Now some of those companies are pushing for tighter security.
Credit card companies like Visa want to make sure hackers don't swipe their cardholders' information. The companies are working to enforce a security standard for merchants who accept their cards.
We sat down with a security company in Orem that helps businesses meet an ever-changing standard.
In an industry where consumers are bombarded with competing offers like free air travel, money back, shopping incentives, it's unheard of for credit card companies to team up. That was, until their cardholders' information became vulnerable to hackers.
Wenlock Free of Security Metrics said, "Visa and Mastercard and American Express and Discover ultimately got together and said, 'We are all going to agree on this standard.' Ironically, it is the first time all four cards have agreed on one principle as a standard."
They created a security council called PCI, Payment Card Industry, to maintain the standard. The council lays out 12 steps to protect credit card users from hackers who steal identities of both online and offline shoppers.
John Bartholomew, also of Security Metrics, explained, "Most people are afraid of shopping on the Internet, and it turns out today that is not the prime target for criminals. It happens to be retail organizations."
Take for example retail giant TJX, owner of TJ Maxx and Marshalls. Reports indicate a data breech in December leaked the account information of some 40 million Visa and Mastercard users. The stores were not PCI certified.
"It's like breaking open a feather pillow in the breeze," Free said. "Once the data has been spread, all you can do is stitch the pillow back up and restuff the feathers in it, and away you go."
The consequences for the merchants that lose the information can be just as damaging as for consumers whose information is taken.
"The brand damage or bad press about your name when you lost data is almost ... many companies have not recovered," Free said.
Morgan Leppinik of PrintTix USA said, "There's a $100,000 per incident fine that can be levied against a merchant who loses cardholder information through failure to be PCI certified."
In the fine print, financial responsibility for leaks are passed from the card company like Visa, to the bank lending the credit, such as CitiBank, and ultimately to the merchant, such as PrintTix. That means if the company isn't PCI certified at the time of the breech, they're paying for it. For mom and pop stores it generally means going out of business.
"It's a new era," Leppink said. "It's a new time for us to think about keeping ourselves secure and particularly our information secure in the age of identity theft."
Online you can find a list of businesses that lost card user information. It includes universities, banks and just about every industry that takes plastic.
We called TJX to find out if the company is now PCI certified. Our calls have not been returned.
