The Human Cost of Credit Card Fraud
Remarks for the Visa Canada Security Symposium
March 26, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(CHECK AGAINST DELIVERY)
I’d like to begin by expressing my sincere thanks to Visa Canada for inviting me to participate in this symposium. I appreciate the opportunity to speak to a group of people dedicated to combating credit card fraud.
It’s hard not to think about credit card security – and the enormous challenges all of us here face – over the course of a typical day…
More often than not, the cashier doesn’t check to ensure that the signature on the back of my credit card matches with what I’ve signed.
It’s still not unusual to be handed a receipt that includes my full credit card number and expiry date.
Easy credit offers and convenience cheques arrive in the mail.
In Canada, total credit card fraud losses are approaching $150 million a year, according to a report prepared for your industry.
The challenges are numerous, but we are clearly not powerless against this epidemic of fraud.
I would like to offer a few thoughts on how we could enhance credit card security by addressing some of the issues I’ve just mentioned. I also believe mandatory breach notification will be an important step forward.
First, allow me to provide a quick sketch of Canada’s privacy laws.
Canada’s private-sector privacy legislation – the Personal Information Protection and Electronic Documents Act, or PIPEDA – began coming into force in 2001. It covers virtually all commercial activities in Canada, with the exception of provincially regulated businesses in a few provinces with their own similar legislation. The law is enforced by the Privacy Commissioner.
We take a strong interest in credit card fraud because it involves the misuse of personal information.
The security of credit card transaction information was a key focus of our investigation into the massive data breach at TJX. We have also conducted investigations involving other credit card issues, notably unsolicited convenience cheques as well as the processing of credit card information in the United States.
A Less Familiar Perspective on Fraud
Credit card fraud is expensive – for your companies, for the Canadian economy and for individual Canadian consumers. Visa’s global payment system deals with approximately $3.5 billion US in fraud each year.
Our tendency in the business and regulatory world has always been to focus on this kind of dollar figure. To some extent, fraud is seen as a cost of doing business. I would argue, though, that this is a stance which may actually encourage identity theft.
I would argue we also need to begin to emphasize the human cost of fraud as well as the bottom line. Who is really paying for this lucrative new territory for criminal activity?
Almost 250,000 credit cards were fraudulently used in Canada in 2005. There are a lot of people behind that number.
Credit card fraud has an emotional impact. Quite frankly, it’s unnerving to get a phone call saying someone has just tried to use your credit card number across town, never mind in Malta or Russia.
In general, individual cardholders are not on the hook for fraudulent charges. Financial institutions and merchants shoulder immediate financial liability and are considered the victims.
This means the cardholder is left out of the investigation process and is not provided with information about the fraud – where it happened, how it happened and so on.
In fact, in my own personal experience, that information is not available on request.
The individual is left with the unsettling question: How – and through whom – did a crook get his hands on my credit card number?
We should not underestimate the human impact of credit card fraud. People feel violated when a criminal uses their credit card number.
And while they may not always be conscious of it, individuals are also paying for this fraud. When losses are written off, they don’t disappear into thin air. Losses do trickle down in the form of higher credit card interest rates and fees and higher prices for retail goods.
Security – The TJX Case
Attitudes about credit card fraud are important in another way: Too often, organizations underestimate the risk to credit card numbers and other personal information. As a result, this kind of information is not adequately protected.
We still see evidence that payment card systems are operating in unsecured environments. ChoicePoint, CardSystems Solutions and TJX are only some of the better-known examples.
I’ll focus on the TJX case, because it’s the one my Office investigated along with my Alberta counterpart, Commissioner Frank Work.
You all know the basics of the case: According to TJX, the intruders initially gained entry into the TJX system outside two Miami stores by hacking into wireless local area networks. Close to 100 million payment cards were compromised.
Our investigation pointed to a few major failings:
- TJX collected too much information and kept it too long.
- TJX failed to update its security systems in a timely way.
- TJX did not adequately monitor its system for intrusions.
It was clear to us that TJX simply underestimated the risk to the personal information they were holding.
The TJX investigation raised a couple of key issues for the credit card industry …
Payment Card Compliance
First, TJX did not adhere to the Payment Card Industry Data Security Standard. Its plan to switch from WEP to WPA took two years, during which time the breaches occurred.
TJX repeatedly told us during our investigation: We were only doing what a lot of other retailers were doing. Indeed, many retailers were not complying with the industry standard.
I understand the picture in the US and Canada has been improving somewhat.
According to Visa Canada, compliance rates for Level 1, 2 and 3 merchants rose 12 per cent – up to 58 per cent – in the year after the TJX breach first made headlines.
I encourage you to keep pressing retailers to upgrade to the PCI standard. I do this because I know the credit card industry has a key role in setting and maintaining standards.
Retention of Data
Data retention is another issue we need to look at following the TJX disaster.
There is growing debate between card companies, issuers and merchants over liability for data loss. Retailers blame card issuers for requiring them to retain credit card data in order to trace contested purchases.
It’s not my role to settle this debate, but I will say this: Credit card companies need to work closely with retailers on this issue to ensure personal information is kept for only as long as is absolutely necessary. Retailers also need to take a close look at the personal information they collect and store. Finger-pointing won’t get us far.
If poor security and retention issues lead to another TJX-type fiasco, governments and consumers will no doubt take further notice and regulatory pressure could increase.
Incentives to Invest
The TJX incident has prompted my Office to think about the incentives to invest in information security.
When companies such as TJX decide whether or not to implement new security measures they presumably weigh the costs and benefits of doing so.
But in looking at the costs and benefits they are unlikely to take into account the costs they might impose on third parties – what an economist would call an “externality” – if their security measures fail.
In the TJX incident, we know the costs incurred by other parties were significant. Some of these costs were borne by the credit card industry, but we shouldn’t lose sight of the less tangible impact on individuals who had to worry about whether their personal information was compromised – the human cost of fraud I mentioned earlier.
This has caused me to wonder whether other measures are needed to encourage organizations to invest in security. Breach notification requirements – which I will discuss later – are one obvious example.
Other Key Issues
I would like to flag a few other issues which could help inform discussions about addressing credit card security issues.
These are: privacy training; truncating numbers on receipts; and convenience cheques.
I cannot overemphasize the importance of privacy training for employees.
Not too long ago, a member of my Office found a credit card on the sidewalk in Ottawa. When the discovery was reported to the card issuer, a call centre rep – no doubt thinking she was being helpful – provided the cardholder’s home telephone number so the card could be returned.
Policies and procedures won’t protect personal data if a company fails to ensure its employees understand basic privacy concepts.
A poll conducted for my Office last year found only one third of all businesses have trained staff about their responsibilities under Canada’s privacy laws.
Good training for employees is a key factor in preventing privacy breaches. It is the way to convince cashiers to check credit card signatures.
Let’s turn now to an issue we might call “dangerous receipts.”
We are still seeing credit card slips which have complete credit card numbers printed on them.
I realize the issue lies with credit processing organizations, however, the weight of pressure from the credit card companies would undoubtedly go a long way in fixing this problem.
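The receipt problem described above is, in technical terms, a failure to mask the primary account number (PAN) before it is printed. As an added illustration for this archived text (an editor’s example, not part of the Commissioner’s remarks or any Visa Canada material), the Python below does two things a payment processor or merchant could do about it: render a PAN the way PCI DSS (versions 1 to 3) permits, showing at most the first six and last four digits, and scan receipt text for full card numbers that should have been masked, using the Luhn check digit to separate real card numbers from order numbers and totals. The receipt lines are constructed sample data, the card numbers in them are well-known synthetic test numbers, and the function names are the editor’s own.

```python
"""
Editor's added example: PCI-style PAN masking and a scan for unmasked card
numbers in receipt text. Not from the speech; sample data is constructed.
"""
import re

# A run of 13 to 19 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit run. Masked numbers such as ************1234 do
# not match because the asterisks break the run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_first=6, keep_last=4):
    """Mask a PAN for display.

    PCI DSS (v1 to v3, requirement 3.3) allows at most the first six and
    last four digits to be shown. Cardholder copies of receipts normally show
    only the last four, so callers pass keep_first=0 for those.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most first 6 and last 4 digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_unmasked_pans(text):
    """Return every Luhn-valid, full-length card number found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_receipts(lines):
    """Return (line_number, pan) pairs for every receipt line carrying a full PAN."""
    return [(n, pan) for n, line in enumerate(lines, 1)
            for pan in find_unmasked_pans(line)]


def mask_receipt_line(line):
    """Rewrite a receipt line so any full PAN shows only its last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits, keep_first=0, keep_last=4)
        return m.group()      # not a card number; leave it alone
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample receipt lines. 4111111111111111 and 5555555555554444 are
# standard synthetic test numbers; 1234567890123 is a 13-digit order number
# that deliberately fails the Luhn check.
SAMPLE_RECEIPTS = [
    "VISA 4111 1111 1111 1111 EXP 03/10 AMOUNT 42.17",      # full PAN printed
    "MASTERCARD ************4444 EXP 11/09 AMOUNT 18.00",   # properly masked
    "ORDER 1234567890123 AMOUNT 7.50",                      # looks like a PAN, is not
]

if __name__ == "__main__":
    for line_no, pan in audit_receipts(SAMPLE_RECEIPTS):
        print("line %d prints a full PAN: %s" % (line_no, mask_pan(pan)))
    for line in SAMPLE_RECEIPTS:
        print(mask_receipt_line(line))
```

The Luhn test is what keeps the scan useful: without it, every long order or invoice number would be flagged, and staff would learn to ignore the report. The same `find_unmasked_pans` check can be pointed at log files or receipt archives, which is where full PANs tend to accumulate when a terminal or processor is misconfigured.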
Chip and PIN
The switch to chip-accepting terminals – a security technology which European consumers have benefited from far ahead of people in North America – should also help address the situation.
Chip and PIN features will no doubt raise new kinds of security challenges, such as the migration of credit card fraud onto the Internet, which is what has happened in Europe.
We hope you are thinking of solutions to that problem already!
Unsolicited Credit Cards/Convenience Cheques
In 2004, my Office raised concerns about unsolicited credit cards following an investigation into an individual’s complaint that a bank had collected his personal information without consent and issued him a credit card.
We are very pleased to see that Canadian banks have stopped this practice and congratulate them for taking this step.
I remain concerned about unsolicited convenience cheques – an issue I would urge financial institutions to take another look at.
I readily acknowledge that convenience cheques represent only a very small portion of the credit card fraud picture. However, they raise significant concerns about how personal information is used.
The risks associated with convenience cheques were highlighted for us in a case we investigated a few years ago.
The complainant’s mail had been stolen from his apartment building. His credit card statement – which was accompanied by unsolicited personalized convenience cheques – was among the pieces of mail taken.
The thief forged a $900 cheque and successfully cashed it – even though the complainant had notified his bank his mail had been stolen. The bank continued to bill this gentleman for the $900 plus interest before finally reversing the charges.
Another case recently came to our attention. A woman received convenience cheques coded with her account number. She wasn’t interested in the unsolicited offer from her bank, and tossed it into the recycling bin. A week later, her bank called asking whether she had written a $16,000 cheque.
We have approached the Canadian Bankers Association about our concerns. We have been disappointed by the industry’s response. We hope to meet with stakeholders in the near future in order to come up with common guidelines and best practices.
I understand that the credit industry is responding to consumer interest in obtaining quick and easy credit. But we are seeing in the markets what can happen when credit becomes too freely available.
As Privacy Commissioner, the piece of the easy credit era which concerns me is the fact that the proliferation of credit offers provides more opportunities for people to engage in fraudulent activities.
I would also like to touch on breach notification.
I was pleased to see that both Visa and MasterCard supported mandatory breach notification in their submissions to public consultations on possible PIPEDA amendments. I commend both companies for their understanding of the role knowledge plays in fraud prevention.
Last year, in a widely cited report comparing various US jurisdictions’ adoption of breach notification, security professionals and legal researchers came to some common conclusions about privacy breaches:
- First, the size of a breach doesn’t always matter, and should not be the major determining factor in notification, given small breaches can still pose grave risks for individuals.
- Individuals do matter, and even if some consumers ignore breach notices, this does not dispense with a duty to notify consumers.
- The report, by the University of California’s Berkeley law school, also concluded that notice spurs change. Company chief security officers noted new laws motivated executives to take data protection far more seriously – stronger access controls were added, new audit measures introduced, better encryption practices rolled out and privacy awareness raised in general.
Canadians clearly want to be told about breaches involving their personal information.
A poll conducted for my Office last year found 77 per cent of Canadians believe government agencies and affected individuals should be notified if sensitive personal information is compromised. Two-thirds of Canadians support notification if non-sensitive information is compromised.
Canadians want to know what is happening with their personal information.
One of the broad tenets behind PIPEDA is the notion that individuals should have control over their personal information. Breach notification offers people a choice: To take action following a breach – or not to take action.
What’s important is that the individual has the knowledge to take control.
Action on Identity Theft
Also on the legislative front, the federal government announced a few months ago planned Criminal Code amendments aimed at addressing the growing problem of identity theft.
The bill creates new offences related to obtaining, possessing and trafficking in identity documents or identity information. As well, identity thieves will face the possibility of reimbursing their victims for the costs incurred as a result of the fraud.
The House of Commons committee studying this legislation has invited me to appear next week. I see the bill as an important first step, however, my Office will continue to urge the government to develop a broad-based identity fraud strategy, starting with common shared reporting methods.
Transborder cooperation between enforcement authorities also needs to be a central element of this kind of strategy.
Credit card numbers and associated transaction information are both sensitive personal information. There is a financial cost – higher credit card fees – for every Canadian when these numbers wind up in the wrong hands, but there is also a significant human cost. We need to ensure that the consumer does not get lost in the equation.
The lessons gleaned from the TJX case and other investigations can help improve credit card security.
As I wrap up, I would once again urge credit card companies and issuers to:
- Reinforce efforts to ensure PCI compliance by retailers;
- Push forcefully on the issue of masking numbers on receipts;
- Re-examine policies and practices related to both data retention and unsolicited convenience cheques;
- Continue to seek more secure technologies such as chip and PIN and its eventual successor;
- Work to ensure that everyone who handles credit card numbers has received the best possible privacy training;
- And, finally, think ahead to the challenges of credit fraud via the Internet.
Focusing on these issues will make an important contribution in our efforts to reduce credit card fraud.
My Office welcomes opportunities to cooperate with the credit card and security industries, as well as with law enforcement. Our door is open.