Event
On 18 February 2003, Visa, MasterCard and American Express confirmed that a computer hacker had recently accessed 8 million credit card records, including 2.2 million MasterCard accounts and 3.4 million Visa accounts. The hacker targeted Data Processors International, a merchant processor that mainly processes catalog and other card-not-present transactions. The card associations began to notify their member institutions in early February 2003. The card companies said that none of the information accessed was used fraudulently and that all card-issuing banks were alerted. However, fraud using these compromised records could still occur later.
First Take
Although zero-liability policies protect card holders from paying for unauthorized or fraudulent charges, they do not protect consumers from identity theft and credit report nightmares that can follow. Seven percent of online adult consumers surveyed by Gartner in September 2002 reported being victimized by credit card fraud, and 1 percent reported having their identity stolen. However, since stolen credit card data makes stealing identities easy, Gartner believes identity theft will affect substantially more than 1 percent of this population.

The credit card industry has focused too much on reducing its fraud costs and not enough on protecting consumer information. Up to now, no one had much incentive to address the problem. Card issuers seldom notify consumers about hacking incidents they learn about through merchants or processors. The issuers claim they don't really know if a card was compromised, so they wait to see whether a consumer reports fraud against the card. Giving consumers replacement cards costs the issuer about $35 each. When fraud occurs in a physical store, the issuer bears the cost, but the merchant bears the cost of fraud for Internet, telephone and mail orders.

If the present case follows typical patterns, the card associations will probably fine the processor whose site was hacked or possibly just issue a stiff warning. However, rising levels of identity theft and consumer anger will lead to onerous legislation unless credit card companies move aggressively. Indeed, a recent California law (SB 1386) will require any company that sells to California citizens (just about every online merchant) to notify consumers. Accordingly, Gartner recommends:
Analytical Sources: Avivah Litan and John Pescatore, Gartner Research
Resource Id: 386665