
Is the Target Breach a Tipping Point for Card Security?

The Target breach that took place over the holidays is now believed to have affected as many as 110 million Americans, about one in three. Target's stock price dropped about three dollars, the New York Attorney General has opened a nationwide investigation into the breach, and members of Congress have called for an investigative hearing. Meanwhile, Neiman Marcus and three other retailers are also said to have suffered similar data breaches around the same time as Target's.

These security breaches have become impossible to ignore. Even JPMorgan Chase CEO Jamie Dimon said Tuesday that the threat to cardholder information "is a big deal, it's not going to go away" as the bank announced it is replacing two million payment cards as a result of the Target breach.

Have we reached a tipping point? Will the U.S. banking and payments industries finally summon the strength, consensus and cash needed to take the firm steps required to prevent such breaches in the future?

Gary Olson, president and CEO of ESSA Bank in Stroudsburg, Penn. ($1.5 billion in assets), says no.

"This is an issue nobody pays attention to," he says. "I've been harping on it for 10 years, always on deaf ears. I think a couple more breaches would have to happen relatively soon to get anybody's attention. If nothing happens for another six months or a year, they will forget about Target." The entire card payment system is very weak and the PCI standard is "not effective at all," he believes.

Olson himself was an early card-fraud victim when his bank first launched debit cards in the mid-90s. "I had used my card at a sporting goods chain and within three days I realized someone was using my card to make long-distance calls. Right from the get-go, I knew this was going to be a problem," he says.

The first large-scale data breach that caught Olson's attention was the one that hit BJ's Wholesale Club in 2004. This was followed by break-ins at Heartland Payment Systems and TJ Maxx.

"When you have thousands of cards and you have to reissue 1,000 or 2,000 cards for each breach, it's an overwhelming expense in terms of time, dollars and inconvenience to the customer," Olson says. The recent Target breach affected 1,000 ESSA card accounts. The bank reissued all of them, at a cost of more than $20,000.

MasterCard and Visa ought to be doing more to protect the card payment system, Olson believes.

"MasterCard and Visa drive these programs," he points out. "They have various touch points hitting customers who use their cards, banks that issue the cards and merchants who use the cards to process payments. Somebody has to be in control of the process." (Visa and MasterCard did not respond to interview requests for this story.)

Olson also believes retailers ought to take more responsibility for security. "[The card associations] give retailers a free pass and every time something goes wrong they charge the banks," he says. "Unless something happens on the retail side, as long as there are debit cards this is going to be a problem, because the retailers' systems are too easy to hack into."

He's a proponent of EMV, the chip card standard used throughout most of the world. Data stored on the chips embedded in the cards is encrypted. (Chip cards do not address card-not-present fraud, in which card data is entered online and there's no device to read the information on the chip.)

To date, the industry has been reluctant to spend the money to convert or replace all existing point of sale terminals and ATMs to accept chip cards and to replace all magnetic stripe cards with smart cards.

"The inertia is simply the retailers don't care because they know the banks will pay," Olson says.

This blame-the-retailers attitude has been echoed by others in the industry. Retailers, in turn, accuse banks of failing to safeguard the payments system.

Information Sharing As a Breach Cure

But Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (a Washington, D.C. organization that gathers threat information from bank and card processor members, anonymizes it and distributes it back), points out that there's little value in pointing fingers.

"This hit banks pretty hard, because they have to reissue cards," he acknowledges. "There's a lot of concern, but understand that Target is the victim and nobody wants this to happen again. We need to think, is there a way for us to work together? Maybe there are lessons learned from the financial community that we could share with retailers."

Nelson does believe the card industry as a whole has reached a boiling point and that it will improve card security through the use of chip-and-PIN and better information sharing.

"The sharing of information has prevented a lot of fraud and massive attacks that a lot of people don't know about," he says.

Comments (5)

Marc, exactly... Once the transaction is done, why keep that information? The transaction is done. Convenience and security will always be at the opposite ends of this conversation. Even Amazon wants to store your credit card for easy transactions. Of course, I use a unique ID & password, as with all my various logins (except where email addresses are required... like this site). I use a password manager with a lot of randomly generated passwords, which is not as easy as storing that same ID/PW combo for everyone that I can memorize. This is what we end up doing with card information that is static. Then, it is saved... why? Convenience. For Amazon, I use Shop Safe to generate a one-time disposable card number with a finite amount on it and an expiration time. That is not so static. If the information were not on the systems at the time of the breach, it would not have been available for theft. EMV is supposed to help solve this, and our Core provider is still a year out getting it implemented... 4 years in the works for the USA. Bitcoin... Not ready for prime time, for sure. And you say there were static keys on a digital storage device... Why? That is the way Bitcoin works, and will be a major flaw in how it works. It really does work like currency.
Posted by Jim.Lloyd | Wednesday, January 15 2014 at 7:37PM ET
Oops, meant to put the air quotes around "operators," not "Bitcoin" here. Sorry. The "Bitcoin" operators who were hacked
Posted by Marc Hochstein, Editor in Chief, American Banker | Wednesday, January 15 2014 at 9:27AM ET
@Just Saying: The "Bitcoin" operators who were hacked were third party "wallet" services that were holding bitcoins on behalf of customers -- or more accurately, holding the private keys. This is why careful Bitcoin users store their private keys offline, and use online wallets only to hold small amounts.

Bitcoin is far from a perfect system as is, certainly not ready for the average consumer to use for day-to-day commerce, but there's a lot to be learned from it. In the legacy system we all use, we reveal the private keys to our financial accounts to numerous third parties we interact with. Like, uhm, Target.
Posted by Marc Hochstein, Editor in Chief, American Banker | Wednesday, January 15 2014 at 9:21AM ET
I guess Ms. Litan is choosing to ignore the numerous Bitcoin operators that have been hacked with accountholders having millions of dollars stolen from their accounts. While the hack is different than the transaction hack, the criminals will always go after the weak point in a system's defenses. P2PE combined with tokenization is probably the best way to go.
Regardless, the finger pointing needs to stop and the entire payments industry move forward with a solution that is cost effective and reasonable for all stakeholders.
Posted by Just Saying | Wednesday, January 15 2014 at 8:59AM ET
Yes, the "industry" is slow, in my opinion. In November 2013, PCI (PCISecurityStandards.org) issued PCI-DSSv3 & PA-DSSv3, which are intended to address what is likely the issue behind these breaches. That would be insecure software practices, inappropriately maintained operating systems, and lax network/wifi security practices. User awareness and training is also in the mix. It takes a while for these guidelines to take hold and become practice. PCI-DSSv2 came out 3 years prior, and it took almost 2 years to get our ATMs updated to follow it. Vendors were just not able to address it any more quickly.

If the data was not stored on the systems, it would not have been available to be stolen.
Posted by Jim.Lloyd | Tuesday, January 14 2014 at 7:14PM ET