Tuesday, June 26, 2012

Close to the Edge With Credit Card Security Lapses

Criminals keep getting their hands on credit card data, but the three data breaches mentioned in the Federal Trade Commission (FTC) complaint against Wyndham Hotels (which includes Days Inn) are something different. In this case, it is the authorities who seem to be know everything about the data breaches, while the business that is at fault is relatively clueless.

For example, the FTC estimates that Wyndham customers’ credit card accounts were used for $10 million in fraudulent purchases, but a Wyndham executive said they had no knowledge of any customer losses from its data breaches.

Criminals obtained probably less than one million credit card account profiles, but more than half a million, in at least three separate breaches at Wyndham. This is small compared to other recent breaches, but not small in terms of the potential for financial damage. The FTC is reluctant to pursue these cases through the courts, so one has to wonder whether this case is meant to embarrass the hotel operator into taking steps to effectively secure its network. Perhaps the FTC is hoping to obtain a court order to that effect.

Security flaws will likely destroy the credit card business in the end, and the industry knows this, so it’s easy to imagine that everyone is doing everything they can to make credit cards secure. But there are still businesses that aren’t taking the threats so seriously, and today’s FTC filing is a reminder of that.

It is hard to understand a hotel operator putting itself this close to the edge. If there were to be further and escalating lapses, in the worst case, regulators or the credit card transaction networks could tell it to stop processing card transactions. That’s an order that would effectively turn out the lights at a hotel.