The blockbuster theft of credit card data from Target during the holiday shopping rush was just one example of the way outdated cards are leaving Americans more vulnerable to fraud and identity theft than shoppers are in other developed countries. The good news is that the credit card industry is in the process of fixing part of the problem. The bad news is that squabbling among retailers, banks and payment processors is getting in the way of a more complete solution.

Belatedly, the companies that process credit card transactions (such as Visa and MasterCard) have given banks and retailers until October 2015 to adopt smart cards. If a bank issues the new cards but a retailer doesn’t equip itself to read them, liability for any losses caused by fraud will shift from the bank to the retailer. That’s as far as banks and credit card companies want to go; thus far they’re refusing to require consumers to use personal identification numbers with smart cards, arguing that many retailers don’t have the necessary PIN pads. But requiring PIN use would help combat the unauthorized use of legitimate cards, which seems worth the cost.

Unfortunately, even more sophisticated cards can’t stop fraud in online shopping, where there are no smart-card readers or PIN pads. The key there is to prevent hackers from stealing account information in the first place, which means that any company storing such data must keep it encrypted.

Several Senate Democrats have called for federal regulators to set minimum standards for protecting stored data. As tempting as this may be, however, the federal government should not be telling companies which technologies to use. Instead, lawmakers should make it more expensive for companies that lose credit card data by requiring them to do more to protect customers in the event of a breach.