ARLINGTON, Va. – B.J.'s Wholesale Club, HSBC, Polo Ralph Lauren, Fifth Third, DSW, Lexis-Nexis..as the roll call of major U.S. retailers and financial institutions who have had card data stolen has grown, card security experts say that the problem may only grow, at least in the short term. Earlier in 2004, B.J.'s Wholesale Club and Fifth Third, its acquiring bank, experienced a card security breach that resulted in credit unions and banks around the country having to re-issue plastics. At the time the incident seemed to be relatively isolated, but it appears now that it may have been the start of an entire parade of firms with similar breaches involving hundreds of thousands of consumers' accounts. DSW, one of the latest victimized firms, has estimated 1.4 million cards have been compromised, Polo Ralph Lauren said 180,000 records were accessed and the latest, Ameritrade, said that 200,000 accounts were compromised. While each of these cases differ significantly, they appear to share the qualities of having data from consumers' cards stored someplace and then having that data stolen – and sometimes the data stolen has been far more than should have been held in the first place. The more than 100 credit unions which have joined with CUNA Mutual to sue B.J.'s wholesale club and Fifth Third Bank over its card may hear echoes of their case in the current card breach involving Ralph Lauren. The fashion giant has admitted that its point of sale software retained the credit card information of hundreds of thousands of its customers between June 2002 and December 2004. The credit unions have alleged that B.J.'s and Fifth Third did something similar earlier in 2004 when, they allege, the retailer violated Visa and MasterCard's rules and retained card data at their point of sale terminals that they should not have kept. Ralph Lauren has not indicated the precise nature of the security breach that forced it to reveal its practice but said that, so far, no cases of fraud have been documented. It's unclear whether card issuers will have to issue new plastics because of the breach. But in the Ameritrade case, as in a similar case from Bank of America in February, lost or stolen magnetic data tapes, not point of sale terminals, are being implicated. The relatively rapid pace of the breaches and the number of accounts compromised have led many to the impression that the card security problem may be industry wide, and one card security expert said that it might be. Barry Smith, president of Bankcard Fraud Solutions of Arizona, put the origins of the problem in the widening distance between Visa and MasterCard, the card issuers and the merchants. "Before you had a lot of close linkages between these three and a lot of communications among them," Smith explained. "But as more distance arose between them and there began to be third party transaction processors and other intermediaries, it began to be harder to keep that connection," he said. The end result of that distance, Smith opined, was that the companies wrote software for the point-of-sale terminals widely used by retailers, along with the software used for Internet sales, which is not in compliance with Visa and MasterCard regulations. Visa and MasterCard have reaffirmed their rules and begun working with the software companies to revise their products and make them compliant, but both associations declined to comment on specifics of their compliance efforts citing confidentiality agreements. But credit unions and other financial institutions are often paying the price for these breaches, even though they are not responsible and even often going beyond the cash outlay for new plastics. "Often member cardholders will blame the credit union for the security breach, even though it is not the credit union's fault," explained Mark Krasnick, senior vice president for CUNA Mutual. "So each one of these breaches undermines that close relationship between a credit union and its members and can undermine the confidence members have in using their cards." -

[email protected]