Target breach shows need to update obsolete cards

Forty million credit and debit cards belonging to Target customers were compromised over the holidays in a predictable and preventable data breach. The full extent of the breach became known a month later, further dispiriting customers, retailers, and banks alike; hackers got access to information — including such data as PINs, e-mails, and addresses — on over 70 million people. Unfortunately, the old-school technology used in the American credit card system all but invites these intrusions. Because hackers find it easy to make counterfeit cards with stolen information, there’s ample incentive to seek out security holes.

For now, the United States needs to move aggressively to adopt the more secure chip-and-PIN technology that is widely used overseas. But it must also recognize that even that technology is aging, and that keeping ahead of ever more sophisticated hackers will require banks, retailers, and consumers to adopt future improvements much faster.

The United States is among the few advanced countries still using archaic magnetic stripe credit card technology from the mid-20th century. Our system predates floppy disks and word processors. But once a technology becomes entrenched, it’s hard to displace. Moreover, the banks and retailers that shape the credit card system have long been at odds over swipe fees and other issues, and up to now neither side has been eager to assume the costs of switching to an updated security system. There’s also a trade-off: Tighter security measures, depending on what they are, can make transactions slower and inconvenience customers.

But the massive breach at one of the nation’s largest retail chains illustrates that inertia, too, has a cost.


To speed the adoption of chip-and-PIN terminals, Visa, MasterCard, and other credit card firms have adopted rules under which the least-secure link in a transaction will be liable for the costs of fraudulent use. So, after October 2015, stores that keep using magnetic-stripe terminals will generally be responsible for costs incurred because of hacks. But there’s already grumbling that chip-and-PIN systems are themselves becoming obsolete as successor technologies, such as near-field communication, come into widespread use. It’s a legitimate concern, but it’s not an excuse to cling to existing systems.

A key question is whether the federal government can play a constructive role in nudging the process along. Unfortunately, credit card security comes under the jurisdiction of multiple congressional committees and several different federal agencies — none of which seems eager to intervene. If the stalemate among banks and retailers continues, though, the Obama administration should seek to bring the parties together and broker a transition plan that includes a move to chip-and-PIN technology — but also a path toward evaluating and adopting still newer security improvements.


We have reached the tipping point for transaction technology to move into the 21st century, and this should happen quickly, before more Target-sized hacks occur.