The Target breach that took place over the holidays is now believed to have affected as many as 110 million Americans — about one in three. Target's stock price dropped about three dollars, the New York Attorney General has opened a nationwide investigation into the breach, and members of Congress have called for an investigative hearing. Meanwhile, Neiman Marcus and three other retailers are also said to have suffered similar data breaches around the same time as Target's.
These security breaches have become impossible to ignore. Even JPMorgan Chase CEO Jamie Dimon said Tuesday that the threat to cardholder information "is a big deal, it's not going to go away" as the bank announced it is replacing two million payment cards as a result of the Target breach.
Have we reached a tipping point — will the U.S. banking and payments industries finally summon the strength, consensus and cash to take the firm steps needed to prevent such breaches in the future?
Gary Olson, president and CEO of ESSA Bank in Stroudsburg, Penn. ($1.5 billion in assets), says no.
"This is an issue nobody pays attention to," he says. "I've been harping on it for 10 years, always on deaf ears. I think a couple more breaches would have to happen relatively soon to get anybody's attention. If nothing happens for another six months or a year, they will forget about Target." The entire card payment system is very weak and the PCI standard is "not effective at all," he believes.
Olson himself was an early card-fraud victim when his bank first launched debit cards in the mid-90s. "I had used my card at a sporting goods chain and within three days I realized someone was using my card to make long-distance calls. Right from the get-go, I knew this was going to be a problem," he says.
The first large-scale data breach that caught Olson's attention was the one that hit BJ's Wholesale Club in 2004. This was followed by break-ins at Heartland Payment Systems and TJ Maxx.
"When you have thousands of cards and you have to reissue 1,000 or 2,000 cards for each breach, it's an overwhelming expense in terms of time, dollars and inconvenience to the customer," Olson says. The recent Target breach affected 1,000 ESSA card accounts. The bank reissued all of them, at a cost of more than $20,000.
MasterCard and Visa ought to be doing more to protect the card payment system, Olson believes.
"MasterCard and Visa drive these programs," he points out. "They have various touch points hitting customers who use their cards, banks that issue the cards and merchants who use the cards to process payments. Somebody has to be in control of the process." (Visa and MasterCard did not respond to interview requests for this story.)
Olson also believes retailers ought to take more responsibility for security. "[The card associations] give retailers a free pass and every time something goes wrong they charge the banks," he says. "Unless something happens on the retail side, as long as there are debit cards this is going to be a problem, because the retailers' systems are too easy to hack into."
He's a proponent of EMV, the chip card standard used throughout most of the world. Data stored on the chips embedded in the cards is encrypted. (Chip cards do not address card-not-present fraud, in which card data is entered online and there's no device to read the information on the chip.)
To date, the industry has been reluctant to spend the money to convert or replace all existing point-of-sale terminals and ATMs to accept chip cards and to replace all magnetic stripe cards with smart cards.
"The inertia is simply the retailers don't care because they know the banks will pay," Olson says.
This blame-the-retailers attitude has been echoed by others in the industry. Retailers, in turn, accuse banks of failing to safeguard the payments system.
Information Sharing As a Breach Cure
But Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (a Washington, D.C. organization that gathers threat information from bank and card processor members, anonymizes it and distributes it back), points out that there's little value in pointing fingers.
"This hit banks pretty hard, because they have to reissue cards," he acknowledges. "There's a lot of concern, but understand that Target is the victim and nobody wants this to happen again. We need to think, is there a way for us to work together? Maybe there are lessons learned from the financial community that we could share with retailers."
Nelson does believe the card industry as a whole has reached a boiling point and that it will improve card security — through the use of chip-and-PIN and better information sharing.
"The sharing of information has prevented a lot of fraud and massive attacks that a lot of people don't know about," he says.