Visa's fingering of Fujitsu-made software for allegedly storing confidential customer data, including PINs, is a "cheap shot," said an identity theft analyst Monday.
Last week, Visa warned retailers that two point-of-sale (POS) programs produced by Fujitsu Transaction Solutions, Inc., a Texas-based subsidiary of Japan's Fujitsu Ltd., could be storing debit card PINs in violation of credit and debit card rules.
Although Visa would not confirm that it had named Fujitsu's RAFT and GlobalStore software, Fujitsu Transaction's chief operating officer, Ed Soladay, acknowledged that his company's products were the focus of the Visa alert.
"I wish we could have talked [with Visa] before the alert came out," said Soladay. "Our software doesn't capture PIN data, and anything in clear text is encrypted," he said in rebutting Visa's allegations that RAFT and GlobalStore put retail customers' bank accounts at risk.
Visa's charges and Fujitsu's denial are notable because both came on the heels of a debit card breach that has exposed an estimated 200,000 bank accounts to criminals who, armed not only with the magnetic stripe data but also the necessary PINs, have pillaged accounts.
The two events are no coincidence, said Avivah Litan, a Gartner research vice president and identity theft expert. "They're definitely linked," she said.
But although she's "89 to 90 percent certain" that the breach or theft involved Fujitsu's software, Litan called out Visa for naming names without all the facts. "I think it's a cheap shot to blame Fujitsu. It makes sense that the problem is at the point-of-sale environment, but I think it's probably much more likely that it was an add-on package's [fault]," Litan continued. "Likely some customized code. I can't imagine that Fujitsu's software would be keeping PINs."
Fujitsu Transaction's Soladay seized on Litan's take to point the blame elsewhere. "Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.
"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."
So far, two major retailers -- Sam's Club and OfficeMax -- have dominated the reports which have named common retailers among the consumers whose accounts have been sacked. OfficeMax has vehemently denied a breach, going so far last week to release a statement claiming that an independent audit cleared the company.