In hindsight, the security gap is stunning. Even as the nation took decisive action after the Sept. 11, 2001, attacks to safeguard U.S. borders, landmarks and airspace, it continued relying on vulnerable, decades-old technology — credit cards with easy-to-counterfeit magnetic data strips — to power the vital economic engine of day-to-day commerce.
In the wake of Target Corp.’s massive breach of consumer financial and personal information, it’s obvious that this ill-advised complacency left the nation’s banks, retailers and consumers with, well, a giant target on their backs as plastic increasingly replaces checks and cash. The richest nation in the world has what appears to be one of the least secure systems in the world when it comes to card purchases. As a result, the United States accounts for about a quarter of global payment transactions and about one-half of global card fraud, according to the well-regarded industry publication Nilson Report.
That more high-level hacking of U.S. retailers hasn’t happened is fortunate. “There isn’t any retailer in this country who isn’t saying ‘There but for the grace of God.’ That’s how good this malicious software is,’’ said David Robertson, the Nilson Report’s publisher.
It’s not yet clear who infiltrated Target or exactly how they did it. Still, the hometown retailer’s crisis illustrates why the sluggish move to a new, more secure “chip and pin number” system needs to happen at a faster pace, as soon as possible. It’s mind-boggling that this technology is not already widespread in the United States.
Countries around the world, particularly those in Europe, have moved to more-secure chipped cards since the early 2000s. The main advantage: The chipped cards are difficult to counterfeit by data thieves. In contrast, cards with magnetic strips are easy to manufacture, with the equipment to do so widespread and inexpensive. That’s how card counterfeiters crank out working replicas once they have stolen data.
The computer chips also interact with data systems in more sophisticated ways to verify card authenticity. Requiring an individual pin number vs. a signature would further guard against fraud.
U.S. banks and retailers have dragged their feet on moving to the new card system for several reasons. Doing so is expensive. Chipped cards cost more to issue, and new point-of-purchase equipment will be needed to process them. “Billions,” was the response the National Retail Federation spokesman gave this week to an editorial writer inquiring about the price tag.
Card fraud has historically been at a stable level considered manageable by industry — slightly less than 6 cents per $100 spent. The stable rate, however, ignores an underlying reality: Card payments are growing. The rate may be stable, but the amount swiped by fraudsters is increasing, Robertson said.
The size of the Target breach — hackers compromised 40 million card accounts and personal information on 70 million customers — and subsequent data theft at upscale retailer Neiman Marcus should galvanize the industry to speed up the transition and minimize the window of vulnerability. The rollout is slated for 2015, when liability for fraud will shift to those in the industry that haven’t moved to this more secure technology. But if something can be done sooner, it should be.
Minnesota Sen. Al Franken astutely is asking industry to expedite this move if possible. He and other politicians delving into the Target breach should also push for requiring pin numbers with the newly chipped cards. This is a quick, extra step that will build additional security into the system. Banks may resist this, however, because some make more money on card transactions that require a signature only.
The chipped cards are no panacea and provide little additional protection for online purchases. But the upgrade is better than the current system and a bridge to a future in which consumers will rely on their smartphones to buy goods. Some critics of chipped cards contend that we should wait for phone payment technology to become widespread rather than invest in a transitional system. But that point is still far off. And there will always be late adopters of technology.
“Chip and pin” is a solid safeguard, not only for consumers but to guard the U.S. economy against criminals or even terrorists. Target, to its credit, attempted to pioneer this technology in the early 2000s but backed off for competitive reasons when the rest of the industry declined to move forward with it. Today the Minnesota retailer is struggling with a retail nightmare, but it can regain consumer confidence by leading the way forward on a more secure payment system for the future.