Friday, 24 January 2014 00:00
Details about the Target security breach fiasco are slowly dripping out, and the news gets worse and worse. Nieman Marcus has also announced a similar hacking of consumer card data, and more incidents may be announced. Stolen card data has appeared for sale on the cybercrime black market, and it’s from this point on that we’ll have an idea of what kind of damage may have been done to Long Island consumers and small businesses.
And already, the whole thing has devolved into a gigantic misdirection of attention away from those most responsible. Target is hardly blameless, but the large banks and other credit card issuers could have been issuing Americans the significantly safer cards that are standard around the world and have slashed data theft in other countries. The card issuers don’t want to pay several dollars per card to do it.
Consumers and merchants eat the bulk of credit card fraud costs. Banks mostly see fraudulent purchases as just a “negative externality,” an unexpected cost to those down the line from a transaction. Not really their department. Credit card issuers do pay the cost of replacing the card (up to $10 including time, postage and plastic). For years, the financial services mega-lobby in Washington has tried to shift that cost to others, and the Target fiasco is giving them the leverage to finally pull it off. The Banking Committee in the U.S. Senate has already announced hearings to consider just that.
The entire payments infrastructure in this country is decades out of date.
The simple magnetic strips on almost all American credit and debit cards can be read and captured by anyone with a simple and cheap handheld digital reader. Outside of the U.S., most consumers are issued cards with integrated circuits that use “two-factor authentication,” often called “chip-and-PIN.”
These “smart cards” are hardened against easy information theft in two ways. The microchip makes the card extremely hard to copy or counterfeit. The consumer must enter a Personal Identification Number to use, just like they do now with a debit card. The card digitally encrypts and matches up the information. No match, no transaction.
The public doesn’t know yet exactly where the breach was in the Target system, but chip-and-PIN certainly makes stolen data harder to use, reducing incentives for criminals from the start. These cards can’t stop all types of theft, particularly some types of online payment fraud, but one study estimates that they’ve eliminated 80 percent of card-related payment theft in France. The French have had them since 1992.
In Asia, Africa, South America, everywhere, most credit cards use this technology. American card issuers are slowly rolling out the technology over the next several years.
There are over one billion credit and debit cards in circulation that need to be replaced with the better technology. Over eight million merchants in the U.S. accept credit cards and they need to upgrade. It costs thousands of dollars for even a small retail operation to upgrade its card swipe equipment, but card issuers aren’t even offering a fee discount to those that do. Instead, card issuers already have retailers on defense in Congress, and media coverage is heavily one-sided.
It’s hard to be moved to tears for the Target executives who are now under heavy fire. The $20.6 million compensation package for CEO Gregg Steinhafe, about 1,144 times greater than the $18,000 typically earned by full-time Target cashiers and salespeople, has been criticized by analysts and by stockholders (47.9 percent voted against the pay package at last June’s meeting).
However, focusing on only the retail end of the problem misleads everyone into thinking this was just a “Target thing.” No worries.
This is a big problem and we need to see the bigger picture.
Michael Miller is a freelance writer, designer and strategic consultant who has worked in state and local government. Email: firstname.lastname@example.org