Sam's Club, a division of Wal-Mart Stores Inc., said in a statement issued this month that it was investigating a security breach that had exposed credit card data belonging to an unspecified number of customers who purchased gas at the company's stations between Sept. 21 and Oct. 2.
Beyond saying that its internal systems and databases weren't compromised, Sam's Club didn't elaborate on how the card information was accessed. Last week, company officials didn't respond to repeated requests for comment.
But Corinne Sherman, vice president of card services at the Pennsylvania Credit Union Association in Harrisburg, said that based on alerts from MasterCard International Inc. and Visa U.S.A. Inc., Sam's Club appears to have been storing customer and account information from both tracks of the magnetic stripe on the back of cards. That information could be used by data thieves to create counterfeit cards that could then be used to commit fraud, Sherman said.
Especially troubling is the fact that a very large number of merchants still appear to be capturing and storing the full magnetic stripe information off of credit and debit cards even though doing so violates the new Payment Card Industry (PCI) security standards, said Ann Davidson, payment systems risk manager at CUNA Mutual Group, a Madison, Wis.-based company that provides insurance and financial services to credit unions.
Of the more than 300 fraud alerts that MasterCard and Visa have each issued this year, the majority involved cases where magnetic stripe information was stored after a transaction, Davidson said.
"This is in direct violation of card association rules," Davidson said. "I would love to know why merchants are doing this." She added that CUNA Mutual has had several meetings with MasterCard and Visa to discuss the data storage issue.
In April, the insurer filed a lawsuit against BJ's Wholesale Club Inc. seeking to recover losses incurred as a result of a security breach that compromised 40,000 credit and debit cards. The lawsuit, which BJ's is contesting, alleges that the retailer stored account and customer information in violation of MasterCard's and Visa's regulations.
Many of the problems stem from the older point-of-sale systems that some merchants use to process card transactions, said Michael Petitti, a senior vice president at Ambiron TrustWave, a Chicago-based provider of security and PCI compliance services to the credit card industry. The POS systems often capture information that the merchants operating them don't even know about, Petitti said.
Under the PCI standards, all companies that accept credit cards must comply with 12 security requirements, such as encrypting transmissions of cardholder data, periodically running network scans, using logical and physical access controls, and doing activity monitoring and logging.
But there continues to be a lot of confusion about the steps needed to fulfill the requirements, the validation processes and the consequences for failing to meet the mandates, said Avivah Litan, an analyst at Gartner Inc.
"None of it is very clear at all, and it's proving to be very frustrating for the merchants," Litan said. "The card associations are just not set up to deal with what they have started." But she added that based on information from some of Gartner's clients, there are indications that the card associations and the banks that authorize merchants to process card transactions will start cracking down next year.
Incidents such as the one at Sam's Club are also a test of just how far Visa and MasterCard are willing to go to enforce the penalties associated with noncompliance, particularly when dealing with large merchants, said an internal financial analyst at a New York-based insurer.
"This opens up some questions on how objectively they will deal with this issue," said the analyst, who requested anonymity. "Will they pay favorable attention to large retailers like Wal-Mart but be willing in a split second to cut off the mom-and-pop liquor store?"
MasterCard and Visa didn't respond to numerous requests for comment last week.