Longtime Omaha florist Frank Piccolo remembers taking orders for bouquets by hand, writing down all the customer's information — including the customer's credit card number.
“Looking back at those days, at how insecure credit card privacy was, it's amazing,” Piccolo said. “You had all kinds of people having access to orders with these numbers on them.”
Today, Piccolo's flower shops use Teleflora's secure point-of-sale network to process sales, and customers' credit card information is no longer kept at the shop or on its computers, Piccolo said.
“It's not in anything that anybody could come back a few hours later and get their hands on,” Piccolo said.
Keeping credit card numbers off retailers' servers is just one strategy in an escalating fight against hackers who break into retail sales networks and sell credit card numbers on the black market.
A number of firms with operations in Omaha, including First Data and PayPal, are at the front line of fighting hackers, not an easy game to win.
When the payment processor says, “I'm going to build a bigger wall,” the hacker says, “I'm going to build a bigger slingshot,” said Cliff Gray, who consults on payment data security for an Omaha-based company, the Strawhecker Group.
The stakes are high for merchants whose customers trust them to keep their information safe.
“Security is everything,” said Mark Pitt, web developer for the Scranton, Pa.-based McCarthy Group of Florists, which bought Piccolo's and other mom-and-pop florists. “If you get compromised security, a family firm such as ours doesn't need the adverse publicity.”
Data breaches happen often and they happen to big businesses with trusted names. Consider these recent examples:
» In February, Twitter said a quarter-million usernames and passwords may have been compromised in an “extremely sophisticated” data breach.
» Just last week, Bashas' grocery store chain in Arizona said hackers gained access to customer payment card information through a “highly sophisticated piece of malware that has never been seen before in the industry.”
» In September 2012, hackers broke into credit card swipe keypads at 63 Barnes & Noble stores to steal customers' credit card information.
» In March 2012, in one of the biggest breaches ever reported, payment processor Global Payments, a competitor of Omaha firms First Data and TSYS, said 1.5 million consumer accounts were exposed, including credit cards from all major card brands. The firm said in a financial report that the breach cost it $94 million, including investments it made to enhance security and ensure compliance with an industry security standard.
Even corner stores aren't safe. Douglas County sheriff's deputies said in January that northwest Omaha gas station customers were defrauded when data thieves installed credit-card reading devices at gas pumps. They were alerted to the scam by the Secret Service.
Cybercrime is common and costly for businesses and organizations that are victims. According to a 2012 study from the Ponemon Institute, a cybersecurity research organization, the average cost was $8.9 million a year for the 56 U.S. organizations in the benchmark group. The costs included revenue loss, business disruption, information loss, detection and recovery.
In response, giant payment processing firm First Data, which employs 5,000 in Omaha, developed a security measure called TransArmor to help its customers combat the hackers. TransArmor encrypts credit card numbers as they pass through the merchant's point-of-sale system and decrypts them in First Data's data centers before getting approval from the financial institution.
“If, say, a hacker or fraudster were to be able to get into the merchant's system and put some malware into that system that was capturing card numbers, because it is encrypted, there's really no data for them,” said Tim Horton, vice president of global product management for First Data.
The system converts the number into a “token” that the merchant can use to study and track individual customer shopping behavior, but that is useless to a hacker.
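The token idea described above, as an added Python example; it is not First Data's code and does not describe how TransArmor is built. The TokenVault class, the keyed-hash index and the choice to keep the last four digits in the token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Processor-side vault (hypothetical): the only place card numbers live."""

    def __init__(self):
        # Keyed hash, so the lookup index cannot be brute-forced offline.
        self._index_key = secrets.token_bytes(32)
        self._token_by_fp = {}   # card fingerprint -> token
        self._pan_by_token = {}  # token -> card number

    def _fingerprint(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return the same token every time the same card is presented."""
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random digits carry no information about the card. Keeping the
            # last four is an assumption, so receipts can still show them.
            while True:
                body = "".join(secrets.choice("0123456789")
                               for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if token != pan and token not in self._pan_by_token:
                    break
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the processor can map a token back to the card number."""
        return self._pan_by_token[token]


def merchant_sales_log(vault, swipes):
    """What the merchant stores: (token, amount) rows, never the card number."""
    return [(vault.tokenize(pan), amount) for pan, amount in swipes]


# Constructed sample data: well-known test card numbers, not real accounts.
SWIPES = [("4111111111111111", 42.50), ("5555555555554444", 19.99),
          ("4111111111111111", 61.00)]

if __name__ == "__main__":
    for token, amount in merchant_sales_log(TokenVault(), SWIPES):
        print(token, amount)
```

The first and third rows carry the same token, which is what lets a merchant recognize a repeat customer, while a copy of the merchant's log contains no card number to steal.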
First Data also recently launched a new service called PCI Rapid Comply, which helps smaller businesses reach compliance with the standards of an organization that most shoppers don't realize is behind the security measures of most credit card transactions they make.
The Payment Card Industry Security Standards Council, founded by global payment brands including Visa, MasterCard and American Express, sets a widely used “data security standard” for merchants and processors that handle credit, debit, ATM and gift cards. Those organizations must validate their compliance annually: by an external inspector for organizations that handle large volumes of transactions, and through self-assessment for smaller companies.
While PCI compliance doesn't make a system 100 percent secure, a 2012 Verizon annual report on data breaches found that 96 percent of breach victims were not PCI compliant.
Another Omaha payment processor, TSYS Merchant Solutions, also assists clients in ensuring their compliance with PCI standards, according to its website. The firm declined to discuss its services.
Online payment platform PayPal, with a La Vista call center, has its own PCI compliance product, called Payflow Link, that allows online merchants to set up a checkout page template, matching the look of their website, but that is hosted by PayPal, “so our experts handle security on your behalf,” the company says.
PayPal has been encrypting card data for more than a decade, said chief information security officer Michael Barrett.
“Back then, that was not the norm,” Barrett said.
He said the encryption technology has evolved.
“It's vitally important that you do it right,” Barrett said. Today, “the threats are quite different. Then, there were viruses. There weren't large-scale organized criminal gangs of enterprising individuals in other countries — or indeed in the U.S. — who are willing and able to use the Internet to victimize customers, victimize companies to steal as much money as they could.”
Still more fraud protection could be on the way for U.S. cardholders. Common in Europe are EMV credit cards, which contain an embedded microprocessor chip and are considered more secure than cards that use a magnetic swipe strip.
“The U.S. is the last country to really adopt this technology,” Horton said. He believes it will become prevalent here in the next few years.
“As thieves become more sophisticated, merchants will get the card data completely out of their systems,” he said.
Mandates for EMV technology from card issuers like Visa and MasterCard won't endear them to retailers, which would have to install new point-of-sale technology to accept the cards, Gray said. But countries that have adopted the cards see fraud rates that are “a fraction” of those in the U.S., he said.
Gray said consumers can also expect to see more “pay at the table” technology, where, for example, a waiter would bring a handheld credit card-processing terminal right to a diner, instead of taking the card to a back room for processing — and possible “skimming.”
Payment firms say their technology enables merchants to focus on what they do best; in Piccolo's case, that's creating and selling floral arrangements.
Until he started using Teleflora's system, which allows him to see only the last four numbers of a customer's credit card number, “I never realized how uncomfortable it can be with your number floating around there,” he said.
Keeping personal information safe
How can consumers protect themselves? Paul Stephens of the Privacy Rights Clearinghouse of California has this advice:
» Use a credit card instead of a debit card. Debit cards offer less legal protection and, with a credit card, you don't have to pay a disputed charge while the card issuer investigates.
» Monitor your credit report for errors and fraud. Order one free credit report each year from the three credit bureaus: Equifax, Experian and TransUnion.
» Protect the personal information on your smartphone. Password-protect your smartphone and use the security lockout feature.
» Secure your computer and portable devices with up-to-date anti-virus and anti-malware programs and firewalls.
» Avoid using the same password for multiple online accounts. Instead, use strong passwords that are unique to each account.
» Use the “front page” rule on social networks. Don't post anything online that you wouldn't mind seeing on the front page of the newspaper.
» Safeguard your Social Security number. Keep your card in a secure location. Push back when companies ask for your number — ask them to explain their authority for requiring it, and what the consequences are if you do not provide it.
More tips are available at www.privacyrights.org.