The blockbuster theft of credit card data from Target during the holiday shopping rush was just one example of the way outdated cards are leaving Americans more vulnerable to fraud and identity theft than shoppers are in other developed countries. The good news is that the credit card industry is in the process of fixing part of the problem. The bad news is that squabbling among retailers, banks and payment processors is getting in the way of a more complete solution.
The United States is one of the few remaining places where credit and debit cards rely on a magnetic stripe, rather than a microchip, to store and transmit account information. Magnetic stripes are easy to steal information from and to counterfeit, but that’s next to impossible with chips. That’s why, as other countries switched to chip-based “smart cards,” hackers shifted their attention to U.S. targets.
Belatedly, the companies that process credit card transactions (such as Visa and MasterCard) have given banks and retailers until October 2015 to adopt smart cards. If a bank issues the new cards but a retailer doesn’t equip itself to read them, liability for any losses caused by fraud will shift from the bank to the retailer. That’s as far as banks and credit card companies want to go; thus far they’re refusing to require consumers to use personal identification numbers with smart cards, arguing that many retailers don’t have the necessary PIN pads.
But requiring PIN use would help combat the unauthorized use of legitimate cards, which seems worth the cost that the added equipment would impose on some retailers.
Unfortunately, even more sophisticated cards can’t stop fraud in online shopping, where there are no smart-card readers or PIN pads. The key there is to prevent hackers from stealing account information in the first place, which means that any company storing such data must keep it encrypted.
Several Senate Democrats have called for federal regulators to set minimum standards for protecting stored data. As tempting as this may be, however, the federal government should not be telling companies which technologies to use. Such mandates can’t possibly keep pace with the techniques being developed by hackers and the security companies trying to stop them. Instead, lawmakers should make it more expensive for companies that lose credit card data by requiring them to do more to protect customers in the event of a breach. For starters, companies could be required to cover the cost of issuing new cards and, in the case of stolen debit card data, new checks.
Today, too many retailers behave as if it’s costlier to protect credit card numbers than to lose them. It’s time to flip that equation around.