Thursday, May 17, 2007

The Real Cost of Stolen Credit Cards

Joe Pereira of the Wall Street Journal recently wrote an excellent article on the world's largest-ever theft of credit card numbers - an incident that involved a wireless hacker and various divisions of the TJX retail business.

According to the Wall Street Journal, over 45,700,000 credit card numbers, mostly of US residents, an undisclosed number of driver's license records, and approximately 451,000 social security numbers, were stolen by a hacker sitting in a parking lot outside a TJMaxx store, who used a laptop and a telescopic antenna.

TJX, it appears, utilized such poor network security that the hackers were not only able to break into their database with relative ease, but felt comfortable enough to leave encrypted messages lying around for each other alongside the files, detailing what work had already been done (e.g. "I've copied all the cards in this file"), in order to make the process of stealing the consumer information more efficient.

Let's pause for a second and consider the real costs of this fraud. According to the article, fraudulent charges are showing up on the credit card reports of consumer customers of banks up and down the country, as carders snatch up the cards and use them everywhere from FL-based Walmarts, to Mexico, to Australia.

As a result of the wide-ranging nature of the fraudulent spending, many of the affected banks have either had to replace the cards of their consumers, or draw up plans to do so. Needless to say, the banks are *not* happy with TJX - some 21 banks in the Northeast have come together in a lawsuit and Barney Frank has legislation on the boiler.

Why are the banks not happy? The reason is the *$690 million* cost they will now potentially have to bear to replace all those cards. Read on.

I decided to ask a few sources about the cost of replacing these compromised cards. The lowest estimate I received was $8 per card, not including re-issue, database update costs, shipping and handling, and customer service calls. The highest? $50 per consumer, all-in, including customer service costs.

According to the WSJ, TJX has made a private allocation of $20 million to cover the risks associated with the massive theft: that is the amount of fraudulent transactions they expect will result from use of the cards. However, this ignores the real cost to the banks - and to consumers - in time, handling and replacement of physical materials.

$20 million doesn't even come close.

Let's draw the line down the middle and assume a $30 credit card replacement cost - in reality, the small issuers are going to be closer to $50, and the larger banks closer to $20, just based on ability to scale, and quality of service. If you draw this line here, and assume that the "50% of the cards were expired" data is correct, the "cost" to banks of the TJMaxx credit card database theft lies in the region of $1.38 billion/2 or $690,000,000.

No wonder congressmen are drawing up legislation - there are whole industries in this country that don't generate $690,000,000 in business.

What can be done? Obviously, every business that handles credit cards needs to treat this incident as a "wake up call" and run an audit on their security - as soon as possible. Laws need to be passed that place the burden of loss on the retailer, not the bank. Shareholders need to educate themselves.

And, finally, Congress and the Secret Service need to act - and start mandating the use of stronger database security technologies and emerging "secure client" technologies such as our own Authentium TSX-based VirtualATM. The costs of these technologies are far less than the costs quoted above.

There are a lot of ways in which we can improve the security of consumer transactions, and the longer we wait to implement them, the more risk there is of another TJX incident exploding onto the scene and draining yet another half-billion dollars from the banking system.

1 comment:

elisa said...

It is awful. Database security technologies are of great importance. I believe that despite these thefts we will continue to use credit cards because of convenience and, in some cases, necessity, and hope that some day we won't be afraid of being hacked because of great security measures invented.