Identity Theft and Careless Merchants

Non-compliant Businesses Are the Biggest Risks to Your Personal Data

Joe Poniatowski
Suppose you do everything you're supposed to in order to protect your identity. You don't give your credit card or bank account numbers out to people who call you, you're too smart to fall for phishing scams, and you keep your Social Security number private. You change your online passwords regularly, and you don't pick passwords based on pet names, children's birthdays, or your maiden name. In short, you play it smart with your personally identifiable information. Unfortunately, the biggest potential vulnerability is out of your hands. Security expert Christopher Spence says, "You can keep your own personal data locked up tighter than the gold in Fort Knox, but there's no guarantee that the companies with which you do business will do the same." According to security experts, mishandling of your data by businesses is much more likely to result in your data being compromised by identity thieves than any mistakes you might make.

The credit card industry imposes mandatory security standards on merchants and processors, known as the Payment Card Industry (PCI) Data Security Standards. Non-compliance with the standards can be quite costly, including liability for losses incurred because of data breaches. Non-complying companies can also lose their affiliation with the parent organizations (Visa, MasterCard, etc.).

In addition to these compulsory industry standards, there are government regulations merchants are required to follow, for example the federal Fair and Accurate Credit Transactions Act (FACTA). Beyond liability for damages caused when someone's identity is stolen, the penalties for non-compliance with FACTA can also include class-action lawsuits and severe fines.

In spite of the potential consequences and dangers of non-compliance, it is fairly common. The PCI Security Standards Council, which develops and maintains the industry's security standards, reports that the vast majority of security breaches resulting in identity theft originate at merchants that aren't compliant. The smaller companies are the worst offenders, probably because their more limited resources make compliance more difficult. Among tier 3 and tier 4 companies (those that process fewer than a million transactions annually), compliance is generally less than 50%, according to analysts. Larger organizations that process over a million transactions a year do much better, averaging 90-95% compliance. Given that the smaller companies collectively process more transactions than their larger counterparts, there is real cause for concern.

The reasons for failure to comply are varied. Often, small businesses outsource their credit card processing to cut-rate service providers with no real idea of how compliant those providers are. Data retention also factors in: the more data a business keeps, the greater the damage in the event of a breach. Instead of simple credit card fraud, if a business loses Social Security numbers and addresses, wholesale identity theft can result.

Other factors contributing to compliance problems include employees with more access than they need, and insecure networks. Companies are supposed to keep data on a strictly "need to know" basis, but in small to mid-sized businesses where employees perform a number of different roles, passwords and access codes are often shared. Businesses are supposed to keep firewalls, anti-virus software, and encryption practices up to date, but companies lacking full-time IT personnel rarely have the time and resources to maintain the required level of vigilance.

So what is the answer? What further steps can you take to protect yourself? Here are some of the steps Christopher recommends:

* Set fraud alerts with the major credit bureaus. This tells the credit agencies that you suspect you've been a victim of fraud, so any lender should verify with you before opening a new line of credit or extending an existing one. Fraud alerts expire every 90 days, so to keep up this protection you'll have to remember to reset them.

* Opt out of pre-approved credit card lists. You can opt out at https://www.optoutprescreen.com.

* Check your credit report. This can be done for free once a year at http://Annualcreditreport.com.

None of these steps will make your data any safer in the hands of irresponsible merchants, but they can help to mitigate the damage should your information fall into the wrong hands. If this seems like a lot of trouble or you just don't have the time, consider a credit monitoring agency. The reputable ones do all this plus offer various forms of legal and financial assistance should your identity be stolen. In the meantime, we have to hope that the credit industry works to improve its level of compliance with security standards.

Published by Joe Poniatowski

A full-time IT consultant with over 20 years' experience. Clients have included 2 of the big 3, financial institutions, and state and local governments.

  • SMBs frequently mishandle private data, exposing their customers to ID theft.
  • Security standards and regulations are often not followed.
  • Most data breaches occur within non-compliant businesses.

Among small to medium-sized businesses, compliance with data security standards is less than 50%.

24 Comments
  • Mae Wong, 9/15/2010

    Very informative article! I've recently called Opt-out to try to minimize my risks, and they actually informed me that it would take somewhere between 3-6 months for my name to be taken out of the list. While I wait patiently, I'll definitely keep your advice in mind! Thanks!

  • David A. Reinstein, LCSW, 9/13/2009

    Yes, some is due to carelessness, some to larceny. Bottom line... watch the card and everyone who touches it!

  • samaira, 9/6/2009

    That is true and informative. Thank you for sharing.

  • Cheryl Bowman, 9/1/2009

    Good article. People only have to listen to the news to hear many examples. I think a large grocery chain in FL just had a problem with getting their database stolen.

  • Veronica D., 8/31/2009

    You did a great job on this! You must have some insider info! wink. wink.

  • Marie Lowe, 8/29/2009

    This is so true, it's like driving in snow: you can be careful, but the other driver, who knows.

  • Roz Zurko, 8/26/2009

    This is very informative. Great article.

  • David A. Reinstein, LCSW, 8/25/2009

    I fear the most serious threat may not be 'careless' merchants, but larcenous employees.

  • Marie Lowe, 3/2/2009

    Hmmm.

  • Joe Poniatowski, 2/21/2009

    B.A. - PayPal is careful about security and does a good job adhering to standards. They fall into the tier 1 category, where the compliance is better. Not that they are immune to hackers or breaches, but they try very hard to be.
