Small Retailers Are Culprits for Data Leaks

Press enter to search
Close search
Open Menu

Small Retailers Are Culprits for Data Leaks

NEW YORK -- As credit cards become an increasingly popular form of payment for smaller purchases, numerous mom and pop retailers are violating rules designed to protect consumers' personal data, many of which are doing so unknowingly, reported the Wall Street Journal.

Smaller retailers have fallen short on the ability to secure credit card information, the report stated. Since 2005, more than 80 percent of incidents that caused unauthorized access to card data involved small merchants, the Journal reported, citing Visa USA Inc., the largest payment-card network. In addition, smaller retailers make up 85 percent of the seven million locations nationwide that accept credit cards, according to Visa.

While all retailers are required to follow credit card-industry rules, in order to prevent data leaks, the credit card industry has generally focused on larger retailers, the report stated. For example, beginning Oct. 1, large merchants can face $25,000 in fines per month for noncompliance, the report stated.

The problem is exacerbated by the fact that many small merchants aren't aware that these rules exist, the report stated. Store owners "are provided with no information and, sometimes, with erroneous information," Anita Boomstein, a lawyer representing small merchants at Hughes Hubbard & Reed LLP, told the Journal.

One such retailer was Lodi Beer, a small microbrewery and restaurant owned by Roger Rehmke and based in Lodi, Calif. In January, Lodi Beer was named as a common point of purchase among cardholders whose accounts were compromised and thus exposed to potential fraud, the report stated. Rehmke found that his computer system stored account data from 11,728 customers, which violates card industry rules, the report stated.

Rehmke told the Journal he had no idea of the violation. "All someone had to do is tell us 'you can't do that,'" he said. "We would have changed it."

An audit of Lodi Beer's computer system found it was storing cardholders' data, including account numbers, for three years. Visa and MasterCard fined the company's card processor, Abanco International LLC, $27,000 for Lodi Beer's noncompliance, according to the report. Abanco then passed on the fine to the Rehmkes. Since then, the Rehmkes spent thousands of dollars to upgrade the computer system, the report stated.

And in February, Ohio Red Pig Inn restaurant owners, Richard and Paulette Schnipke, were surprised when they were told by the police that some of their customers' cards were compromised, the report stated.

"When we purchased the computer system and saw that the [account] numbers weren't showing up on the customer receipt, I just assumed we were compliant," Paulette Schnipke told the Journal.

Many account holders are not held liable for fraudulent purchases that come from data leaks, the report stated. Instead, card issuing companies cover the costs. U.S. financial institutions saw a record $1.24 billion in losses from fraud last year, a 9.3 percent increase from 2005, the report stated, citing a Carpinteria, Calif.-based Nilson Report.

There are no nationwide laws against storing account data, however the card industry allows some data to be stored, but prohibits vital data -- such as the three- or four-digit security codes on the back of cards -- from being stored, the report stated.

In spite of this, a recent survey of more than 600 businesses with less than 250 employees found that 52 percent stored sensitive customer information on computers, the Journal reported, citing Visa and trade group the National Federation of Independent Business.

"You wonder how they got hacked, and then you find that there is no security on their system whatsoever," Bryan Sartin, vice president of data-security firm Cybertrust Inc., told the Journal.