The Senate Judiciary Committee heard testimony today from Target’s chief financial officer about the massive data breach that hit the company during the holiday shopping season last year.
Target CFO John Mulligan mainly confirmed news we’ve already heard about the breach, including the scope, method, and timeline of the hack. He said he was unable to divulge detailed information because of the continuing forensic and criminal investigation into the attack.
Every member of the Judiciary Committee who spoke agreed: data breaches aren’t going away any time soon. Stolen credit card numbers are a lucrative business for the criminals who can sell and use them. The FBI and Department of Homeland Security have warned of more major hacks on the near horizon.
So other than abandoning the 21st century and going exclusively back to cash, what is a nation full of consumers to do?
If there is a silver lining to the massive cloud of the recent data breaches, perhaps it is that US lawmakers and retailers are discussing making an overdue nationwide card security upgrade a reality at long last.
Mulligan yesterday published an opinion piece for The Hill calling for “smart” chip card adoption in the US, a point that he then reiterated extensively in his testimony today.
Where standard credit and debit cards keep all of their information encoded solely in the magnetic strip along the back, smartcards also have tiny chips embedded in them that encrypt the card’s information. The chips cut back on card fraud because their existence makes cards significantly harder to clone: even if you get all of the information from a card’s magnetic strip, as through a skimmer, without the chip actually being present the card data is useless in a physical transaction.
Technically called EMV cards, chip-enabled smartcards have been in use in much of the rest of the developed world for years. The UK converted over to the chip-and-PIN system nearly a decade ago, where all credit cards are chip-enabled and transactions also require the purchaser to enter a PIN to continue.
“The rest of the world does it” is clearly never enough reason for the United States to do anything. If it were, we’d measure our temperatures in Celsius and our weights in kilograms. Still, vague motions toward bringing the US to chip-enabled cards have been floating around for ages.
American banks have tested the system for international travelers since 2011, and back in 2003, Target tried to bring chip technology to their own Target-branded REDcard. The retailer ended the experiment three years later due to high costs made not worthwhile because chip-reading technology was not being adopted at any other large retailer.
However, it looks like this time, chip-and-signature or chip-and-PIN cards might finally be making actual inroads in the United States. During the hearing, several senators called attention to the need for higher security in credit cards. Representatives from Neiman Marcus, Symantec, and Consumers Union also testified at the hearing, and all agreed that the increased security would help businesses and consumers alike.
Visa and MasterCard have planned milestones for EMV adoption in the United States in 2015 and 2017. Both companies have a series of liability shifts planned. The liability shifts push compliance by shifting the burden for the costs of fraudulent card use. After a liability shift at point-of-sale terminals, if your card info gets swiped from a non-EMV compliant cash register, the retailer will have to bear the loss–not the card issuer. That’s a strong incentive for retailers to upgrade their terminals.
Why has it taken so long to get the ball rolling on the move? For the same reason most systemic changes take so much time: they’re expensive to do, and they require a huge number of participants across industries–retailers, card issuers, the financial sector, information security–to work collaboratively, on the same timetable with the same goals.
Smart cards wouldn’t let retailers or consumers universally off the hook for constant vigilance; fraud can and does still happen. Point of sale terminals for chip-and-PIN cards in the UK have been tampered with, and large-scale fraud has happened. Additionally, the EMV system doesn’t help prevent fraudulent use of credit card data in online transactions; it only helps with physically stolen or cloned cards.
Still, as Mulligan noted, although fraud still happens, chip-enabled cards can make the rates drop significantly:
In the United Kingdom, where smart card technology is widely used, financial losses associated with lost or stolen cards are at their lowest levels since 1999 and have fallen by 67 percent since 2004, according to industry estimates. In Canada, where Target and others have adopted smart cards, losses from card skimming were reduced by 72 percent from 2008 to 2012, according to industry estimates.
During the hearing, Senator Al Franken (D-MN) noted that although the United States has roughly one quarter of all the world’s credit card transactions, we have half of the global incidences of credit card fraud.
Such a mismatch speaks to a definite need for more secure systems, and soon. Franken and other senators asked several pointed questions about October, 2015 as a timeframe for upgrading, wondering if the process could perhaps be expedited in any way.