51 UPS Stores Credit Card Data Hacked

UPS Store hacked, possibly compromising user data

​The shipping store discovered malware in the computer systems of 51 US stores in 24 states. Customer credit and debit card information may have been leaked.

The UPS Store is the latest retail chain to be targeted in a data breach leading to the theft of customers’ credit card information.

The shipping and business services store announced Wednesday that 51 US stores in 24 states had been hacked via a malware intrusion on the store’s computer systems. The breach affected about 1 percent of all UPS Stores.

The company has determined that customers who used a credit or debit card at these stores between January 20, 2014, and August 11, 2014, could have been exposed to the breach. Private customer information that may have been leaked includes names, postal addresses, email addresses, and credit and debit card data.

The company became aware of the breach after the US government notified the chain it had discovered a “broad-based malware intrusion” in its system. The UPS Store hired an IT security firm to investigate further. This firm then located the malware in the 51 stores’ systems.

The hack into The UPS Store comes amid an apparent uptick in security breaches at retail locations. Retail giant Target revealed in December that hackers obtained credit card data for more than 110 million customers who shopped in its stores late last year. And, over the past few months, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang’s revealed they were victims of security breaches aimed at stealing customer’s credit card information.

The UPS Store said it eliminated the malware as of August 11 and has notified potentially affected customers of the breach. The company is offering identity protection and credit monitoring services to those customers.

DOJ knew Operation Choke Point Negatively Affected Legitimate Gun Dealers

Report says DOJ knew Operation Choke Point negatively affected legitimate businesses

T he Federal Deposit Insurance Corp. eliminated from its documentation lists of what has been termed “high-risk” merchant types. The move is seen as a response to the controversy over the U.S. federal government’s Operation Choke Point program that allegedly targeted businesses unfairly by denying them the ability to process transactions electronically.

On July 28, 2014, the FDIC said it was clarifying its role in supervising relationships between merchants and their payment processors. (This FDIC action was mentioned briefly in a sidebar to our lead article, “Operation Choke Point draws fire from Congress, industry,” published Aug. 11, 2014, issue 14:08:01, which was going to press when this news broke. This follow-up story provides further details.)

“FDIC guidance and an informational article contained lists of examples of merchant categories that had been associated by the payments industry with higher-risk activity when the guidance and article were released,” the agency said. “The lists of examples of merchant categories have led to misunderstandings regarding the FDIC’s supervisory approach to TPPPs [third-party payment processors], creating the misperception that the listed examples of merchant categories were prohibited or discouraged.”

The FDIC stated that the list contained various types of telemarketing or e-commerce categories, with businesses in those categories associated with higher-risk activity. The agency defined higher-risk activity as that which could be subject to “complex or varying legal and regulatory environments, such as those that may be legal only in certain states; those that may be prohibited for certain consumers, such as minors; those that may be subject to varying state and federal licensing and reporting regimes; and those that may result in higher levels of complaints, returns, or chargebacks.”

Additionally, the FDIC claimed the lists were “incidental to the primary purpose of the guidance, which was to describe the risks associated with financial institutions’ relationships with TPPPs, and to provide guidance to insured institutions on appropriate risk management for relationships with TPPPs.” The FDIC’s lists of “high-risk” merchant categories reportedly included firearms and ammunition, adult entertainment, check cashing, and payday lending businesses.

A ‘no choking’ matter

Operation Choke Point was launched by the U.S. Department of Justice in the spring of 2013. The program seeks to “choke off” high-risk businesses’ access to electronic payments by mandating that payment processors terminate that access; by year’s end the DOJ reportedly issued over 50 subpoenas to banks and payment processors to force them to terminate processing relationships with certain businesses.

In May 2014, the House Committee on Oversight and Government Reform headed by Rep. Darrell Issa, R-Calif., released a report entitled The Department of Justice’s “Operation Choke Point”: Illegally Choking Off Legitimate Businesses? that characterizes the program as a strong-arm tactic against financial service providers – comply or be investigated themselves.

“The initiative is predicated on the claim that providing normal banking services to certain merchants creates a ‘reputational risk’ sufficient to trigger a federal investigation,” the report said. “Acting in coordination with Operation Choke Point, bank regulators labeled a wide range of lawful merchants as ‘high-risk’ – including coin dealers, firearms and ammunition sales, and short-term lending. Operation Choke Point effectively transformed this guidance into an implicit threat of a federal investigation.”

The report also charges that the DOJ is aware that its program is negatively impacting legitimate, legally operating businesses. “Internal memoranda on Operation Choke Point acknowledge the program’s impact on legitimate merchants,” the report said. “Senior officials informed Attorney General Eric Holder that as a consequence of Operation Choke Point, banks are exiting entire lines of business deemed ‘high risk’ by the government.”

According to the report, the DOJ does not have the legal authority to force processors to comply with Operation Choke Point dictates. By law, the subpoena power is for use in pursuing “civil penalties against entities that commit fraud against banks, not private companies doing legal business,” the report said. In fact, the report alleges that the DOJ has “radically and unjustifiably expanded” its authority to target high-risk businesses via processors.

Operation Choke Point apparently used the FDIC’s high-risk merchant lists as a way to force processors to comply or face federal probes.”Suddenly, doing business with a ‘high-risk’ merchant is sufficient to trigger a subpoena by the Department of Justice,” the report said. “Banks are put in an unenviable position: discontinue longstanding, profitable relationships with fully licensed and legal businesses, or face a potentially ruinous lawsuit by the Department of Justice.”

Vicarious liability

The Electronic Transactions Association sponsored a July 2014 report by the NERA Economic Consulting firm that advocates for industry self regulation as the most effective and efficient means of weeding out fraudulent merchants. In Economic Effects of Imposing Third-Party Liability on Payment Processors, Jeffrey A. Eisenach Ph.D. argued that the financial services industry already has a strong economic incentive to ensure against fraudulent activity.

Eisenach stated that the cost of chargebacks have caused processors to “internalize” fraud risk management. “Thus, processors already have strong incentives to monitor merchant conduct and to reflect the costs of high levels of consumer dissatisfaction back onto the responsible merchants through higher reserve accounts or the threat of termination,” he wrote.

Eisenach believes that the DOJ is undermining its own efforts by imposing third-party liability, also called “vicarious liablity,” on payment processors. He said the “imposition of vicarious liability on payment processors through Operation Choke Point is generating significant economic costs while generating little or no apparent benefits.”

Eisenach added that federal regulators and processors are ultimately in alignment about the need to eliminate “bad actors” from the economy. But he believes industry self-regulation is a more effective means to that end, as it doesn’t throw the proverbial baby out with the bath water.

“Industry self-regulation avoids the additional costs of third-party liability to processors and therefore does not distort the market or reduce competition by driving out important lawful merchants,” Eisenach said.

firearms payment processing

Consumer spending growth hit an 11-month high

Consumer spending growth hit an 11-month high in July as consumers traveled on summer vacations, according to First Data’s SpendTrend, a monthly analysis of the previous month’s consumer spending activity across the payment processing firm’s channels.

The report issued Tuesday compared the period July 1-July 31, 2014, to July 2 –August 2, 2013.

The payments processor reported spending in hotel and travel rose by 7.9% and 4.6%, respectively. In addition, spending grew at food and beverage stores by 5.3%, and food service and drinking places grew by 4.4%, the report said.

First Data also reported overall retail spending growth was at its strongest levels in a year as nearly all retail categories turned in improved numbers. Led by categories such as building material/garden equipment and furniture/home furnishings,  the growth suggests the impact of fewer foreclosures and increased construction. Still, consumers remained hesitant to make big ticket and non-essential purchase, First Data said.

“It is also notable that both credit spending growth, which was 6.2% in July, and credit transaction growth, at 7.5% this month, were up significantly over June growth results,” said Krish Mantripragada, SVP for information and analytics solutions at Atlanta-based First Data.

“That growth was driven by the categories we’ve detailed in this report, where credit is the preferred method of payment. Consumers are once again motivated to travel, while those who opted for ‘staycations’ increased spending in home-related categories. Looking ahead, we anticipate August’s back-to-school sales and state tax-free holidays should spur spending growth in related categories, Mantripragada said in the company’s announcement.

All payment channels except for checks saw growth this past July over the same period in 2013, First Data said. Credit card dollar volume rose 6.2%, signature debit transaction volume rose 0.4%, PIN debit transaction volume rose 3.9%, and prepaid card volume rose by 3.3%.  Check dollar volume dropped by 5.7%.