THE SOURCE of the security breach which has resulted in hundreds of Irish credit cards being cancelled has been narrowed down to three or four online retailers.
It emerged on Wednesday that details of several hundred credit cards had been stolen by cyber criminals. The cards were used to make a number of small purchases of less than €1 from a US website.
It is believed they did this to check whether the card details were still valid, as the actual theft occurred some months ago. The activity triggered the anti-fraud systems of the issuing banks, which began to block cards and contact customers.
Last night, Una Dillon, head of card services with the Irish Payment Services Organisation, said that if consumers had not been contacted by their bank they were not at risk.
"This looks like a success story for the banks' fraud management systems," said Ms Dillon. "We have had no reports of major fraudulent activity as a result of this."
She said it might not emerge which retailer was the source of the security breach. The cardholders in question had carried out a large number of small-value purchases online, so it was a matter of finding a common denominator. "There are three or four different possibilities at the moment," she said.
Technology security experts were highly critical that the incident had happened at all.
Seán Flynn, a director of Rits, a specialist information security firm, said Irish banks had been slow to insist on retailers implementing the latest security standards.
Mastercard and Visa have produced a standard called PCI DSS, which details the security steps required from retailers who store credit card details. Mr Flynn said he expected banks now to start insisting on compliance with PCI DSS and this was likely to have "a big cost impact for retailers", particularly for larger chains which had customised their point-of-sale systems.
Last month, the ESB announced it would no longer accept credit cards for direct debit payment, in part because of the costs of implementing the new standards.
Brian Honan, a computer security consultant, said the incident showed there was a need for breach disclosure laws, which would oblige organisations that are the victims of data theft to make it known. "Without them we may never know what happened and so nothing will be learnt from this," said Mr Honan.
The revelation of the theft comes in the same week that 11 people were charged in the US over the theft of 40 million credit cards from a number of American retailers.