The fallout from the late 2013 security breach that compromised the credit and debit card data of nearly 40 million Target customers is playing out in both the courts and the court of public opinion.
Banks and the retail powerhouse are pointing fingers as they debate which “side” has more responsibility for guarding sensitive customer data. It’s impossible to overstate the relevance of the issues because financial dealings are moving more toward cashless transactions that leave a trail of personal information leading back to bank and credit card accounts.
The banks
Banks say that it’s up to retailers to do a better job of protecting data as it processes electronic payments in stores and online. They say retailers often don’t have appropriate security systems in place themselves or don’t require contractors to comply with security measures. Attorneys for the banking industry say there’s a pattern of retailers failing to meet accepted data protection standards, meaning that in many cases, retailers don’t know about a breach until banks notify them.
The retailers
Offering a different perspective, Target and other retailers counter that banks need to put electronic-chip technology into all of their debit and credit cards – something already accomplished in Europe and Canada, but not the U.S. They argue the signature line on the cards, along with the magnetic strip, leave cards vulnerable and make it more difficult for retailers to adequately protect data. Banks contend the chips would not have prevented this kind of breach.
Potential causes
There’s also ample debate over what caused the security breach that compromised so many people’s sensitive financial information. One of the most recent theories involves phishing emails sent to one of Target’s contractors two months prior. Security experts speculate the criminals gained access to Target’s network after employees of the contractor clicked on links in a phishing email.
If it turns out that a large-scale phishing scam produced such catastrophic outcomes, it’s a strong reminder about the importance of not getting hooked by phishers. Whether you access email on your mobile device or laptop, be leery of clicking on embedded links, even if the email appears to come from a legitimate source. The Target breach could end up being the most serious cautionary tale yet about the consequences of getting caught by phishing.
Ramifications for debit cards
Mark Calvey of the San Francisco Business Times wonders if this breach will fundamentally change debit cards and how we use them. He notes that the magnetic strip on the cards is the same mechanism for storing data that you find in cassette tapes, meaning they’re outdated and easy to copy. In his story, he quotes a consumer who says the breach prompted him to stop using his debit card altogether. Calvey speculates that cards will change to provide better protection to data because most consumers don’t want to give up the convenience of paying with a card.
Push for new policies
As if the Target breach didn’t present its own compelling reasons for policy changes, statistics show the U.S. is consistently a prime target for scammers. According to analysis by the Ponemon Institute, companies based in the United States and Australia see the greatest number of compromised records, and the U.S. and Germany experience the highest costs from data breaches. Since Canada adopted the chip and PIN standard for its financial cards, counterfeiting incidents have plummeted.
Finger pointing aside, both the bank and retail industries are asking Congress to establish federal guidelines for a consumer notification procedure following data breaches. Reports show the Republican chairman of the House Energy and Commerce Committee suggesting it’s time to evaluate whether the “patchwork” approach to regulation and industry self-regulation need to change. Meanwhile, some Democrats in the House say they don’t want a new federal standard that weakens tough safeguards some states have enacted. Some Democrats also say they want to empower the Federal Trade Commission to go after companies that fail to put proper security measures in place.
In the coming months, lawmakers will discuss ways to balance a desire to ramp up consumer data protection with an unwillingness among some to place strictures on businesses. As that debate plays out on Capitol Hill, lobbyists for banks, retailers, and consumer groups plan to provide their own input on any data security legislation under consideration.
