The Target breach is just the beginning, experts told Credit Union Times. Thieves will continue to find ways to access valuable financial and personal data.
Here are three reasons why:
1. Because they can.
By far, the main reason thieves have begun to steal card data from U.S. firms, some experts say, is because they can.
“The U.S. payments industry has become the one household in the neighborhood that has not upgraded its security system while everyone else has,” explained Karisse Hendrick, program manager in payments and fraud for the Merchant Risk Council, an international trade group that is organized to help firms fight card fraud. “When you are perceived to have security that is the easiest to beat,” she added, “thieves will try to beat your security.”
Breaches have their roots in the three large shifts in the global payments, technology and U.S. economic and political environments. Hendrick pointed out that the payments industry in the U.S. is perceived as among the richest, further heightening its desirability as a target.
“Those two things combine to make U.S. firms the biggest targets for data security breaches and subsequent fraud,” Hendrick said.
Further, the U.S. has not become the leading data theft target overnight, Hendrick noted. International criminal interest in the U.S. has been growing for years, as Verizon documented in its 2013 Data Breach Investigations Report.
As other countries have gradually tightened their security systems and implemented tools such as smart-chip cards with the EMV standard, the U.S. fraud prevention protocols have fallen farther behind, the Verizon report said. It’s not that the Payment Card Industry Data Standards have not done a good job; the technology they were protecting is simply not as secure as other payment technology, Hendrick explained.
2. Thieves have upgraded their programming skills.
The second reason data breaches are here to stay is that thieves have gotten better at writing programs to steal card data, industry watchers have found.
For instance, even though the phenomenon of a malware package that infected POS terminals came to widespread attention with the Target breach, the FBI has reported there were at least 20 breaches that used a similar approach. Further, the agency said it appeared thieves had used at least one malware package to test out firms’ defenses. When the package they were developing did not perform well enough, the thieves created another one that worked better from their point of view.
3. Card issuers and retailers lack unification.
The third reason that breaches are likely to continue is the lack of a coordinated or unified approach to the challenge they represent. Previously, the U.S. payments industry was cohesive because card issuers and retailers agreed they were better off when consumers used a card to pay for goods and services as opposed to cash.
Retailers benefited from not having the risk of theft that came with cash and from the quick and guaranteed payments that cards represented over checks. Card issuers also gained from the interchange that card transactions generated and from not having to pay for check processing. But the unified front has largely broken down in the face of retailers’ legal and legislative challenges to interchange, and the resulting controversy has undermined the payments industry’s ability to work together to confront the problem.
Executives with the National Retail Federation, one of the organizations that supported the Durbin Amendment’s cap on debit interchange for issuers with more than $10 billion in assets and sued the Federal Reserve to lower them, complained that the current approach to card data security does not work and is costly to retailers.
Doug Kantor, a partner with the Washington-based law firm of Steptoe and Johnson, helped represent the NAR in its legal fight with the Federal Reserve and laid out some of the trade group’s complaints about the current card data security regime in an interview with Credit Union Times.
Kantor said retailers already pay nearly all the costs of card data security on the acquirer side by making sure their systems comply with industry security standards. However, those retailers currently have no say in setting those standards.
“The data security standards come entirely from the card brands and card issuers without any input from retailers,” Kantor said. “Also, the data security standards don’t provide foolproof protection from breaches and, if there is a breach, the retailers face enormous expenses in fines from the card brands and possible legal action.”
He said retailers believe the new chip cards on the EMV standard provide a very promising means of combating the threat, but retailers want to play an active part in the new technology.
To illustrate, the card brands are currently adopting a standard for EMV cards that will not always require a PIN. These cards will have a magnetic stripe that will allow them to be swiped and a chip to provide data in real time which authenticates the transaction and the card.
Retailers believe this leaves them open to greater fraud risk and want the U.S. to mandate the use of PINs, Kantor said. Visa and the other card brands argue that in an economic environment like the U.S., where almost all transactions are going to be online and thus verifiable in real time, the PINs are not needed.