Data Security

The American public was reminded of this issue recently when Target Corp. reported that as many as 70 million credit and debit-card customers were exposed to potential fraud when using their cards at its stores during the holiday shopping season. Target acknowledged that customer names, credit or debit card numbers, expiration dates and encrypted security codes, as well as encrypted debit card PIN data were stolen when its systems were breached.

Perhaps the most frustrating issue for consumers is the slow-motion, piecemeal response by retailers, according to a recent Bloomberg editorial. Having a uniform federally-mandated method of reporting data breaches would greatly improve the various state-by-state laws currently in effect.

This issue should be of top concern for lawmakers this year, said U.S. Rep. Mick Mulvaney. “Cyber security breaches are a very real threat to our country. That is why the House has twice passed, and I supported, legislation to enable the real-time sharing of cyber threat information between private companies and the federal government. Congress must help find a private, market-driven solution to this problem, while maintaining strong protections for privacy and civil liberties of individuals.”

Many industry leaders believe it is time to adopt smart-chip cards. This style of card has an encrypted chip embedded in it and often requires a password. Shoppers in 80 countries now use the card, which has been linked to a reduction in fraud and identity theft. A target date of October 2015 has been set for switching to this type of card in America, although it is a complicated process that requires cooperation between card issuers, financial institutions and retailers, all with conflicting priorities.

Having smart-card technology would not have prevented what happened to Target, which involved malware installed on registers. However, it would have made it more difficult for hackers to make counterfeit cards, thus reducing the incentive to attack in the first place. In Great Britain, where PIN and chip cards were introduced in 2004, losses from card counterfeiting has declined 68 percent, according to the Bloomberg article.

A frustrating issue for financial institutions, aside from bearing the cost ($5-$10 per card replacement), is the lack of merchant accountability. Merchants bear little – if any – of the costs associated with a breach. To further complicate matters, financial institutions are forbidden to tell consumers the name of merchants who get compromised, according to sources with The National Association of Federal Credit Unions. Consequently, consumers often assume wrongly that the compromise is the result of negligence by the financial institution.

Hopefully, recent hearings in Washington on data security will be the first step towards improving a payment system that is outdated and vulnerable.