We all read with some trepidation over the recent Holiday season how hackers got into Target’s database and stole credit card information of over 110 million Christmas shoppers followed by a January revelation that Neiman Marcus and Michaels Arts and Crafts shoppers may have also been hacked and compromised. This became front page news in an ongoing drone of stories relating to fraud and identity theft perpetrated by hackers. We recall the last big story of the 2007 hacking of credit card information from TJX, the parent company of TJ Maxx, Marshalls and HomeGoods that victimized over 45 million credit card holders but this latest haul was significantly higher.
People are asking us, what should I do? Is there any way to avoid being the victim of credit card theft? Some have suggested the only alternative is to shop with cash but that is for the most part, impractical and walking around malls and shopping plazas with rolls of cash brings about its own security risks.
Reality is that there is a rather simple solution in the form of an imbedded “chip and PIN” security measures that has been implemented with significant success in Europe but the U.S. banking and credit card companies seemingly continue to put their head in the sand. Why? The answer is two-part and not surprisingly, both involve cost and money. One is the cost that it will take to change the security features built into credit cards and secondly, the massive potential loss of data that can be gleaned on shoppers.
Let’s recap what occurred in the most recent haul by hackers. Using simple software called BlackPOS developed by a Russian teenager, hackers corrupted Target’s Point of Sale (POS) debit and credit card readers enabling them to capture all the personal data once a credit card was swiped. That data includes the account number, the cardholders name and the expiration date. It also includes what is called the CVV data which is used to confirm in-store purchases. (CVV is different than the 3-digit CVV2 security code found on the back of your card). Amazingly and boldly, the hackers actually stored and then retrieved the data within Targets own internal system to which they had gained access.
The problem is, as we have eluded, two-part. First, we are currently using 1960’s magnetic strip technology when it comes to the security of credit card data and it is obviously, quite vulnerable. In the “chip and PIN” system all credit and debit card stored data is stored on an encrypted chip within the card and a PIN access number is required to fulfill a transaction; hence, a more secure system.
So why would retailers be resistant in what would seem to be a logical response to a massive security issue affecting millions of Americans? For one, the new process would slow done the checkout lines and secondly, but more importantly, it would cut off the collection of tons of information for retailers on card-holders shopping and buying habits. Have you ever wondered why when you bought a new pair of running shoes within days you received a deluge of info about other running gear?
The bottom line is if hackers don’t have access to your data, neither do the retailers and this changes the whole dynamic of collecting data on consumers and marketing to specific target groups; a phenomenon which could have a huge deleterious impact on retailers in an already sluggish retail economy.
The second costly dynamic causing pushback for the retailers and the banks is the cost of the conversion to a more secure “chip and PIN” System. Industry experts claim it could cost $8 Billion to convert the nation’s 610 million credit cards, 520 debit cards along with the 15 million card terminals and the nearly half a million ATM machines. Nonetheless, something has to be done and fortunately the issue is getting some attention on Capitol Hill. Federal laws clearly setting out the rules wherein a bank or credit card company must notify its cardholders seems inevitable along with mandate for the implementation of more secure cards. The process worked in Europe. In England, for example, once “chip and PIN” technology was implemented, within six years, credit card fraud dropped 34%.