When thieves hacked into credit and debit card data of as many as 40 million Target customers over the holidays, the breach rattled nerves and roiled Christmas shopping.
But the truth is, if you shopped at Target between Nov. 27 and Dec. 15 while thieves were hacking data, you’re unlikely to lose a dime. Federal law and industry practices protect virtually all customers from any liability for fraudulent charges.
The real problem is that so many breaches occur in the first place. Credit and debit card fraud has nearly quadrupled in the past decade, hitting $11.3 billion in losses worldwide last year, according to the Nilson Report. That hurts profits and raises the cost of goods.
The United States accounts for more than its share of fraud, and hardly a month goes by when there isn’t a breach from some large U.S. retailer, in part because the United States lags other countries in card security.
After the Target breach, the stolen account information flooded underground markets that operate on the Internet, selling batches of data that allow thieves to counterfeit cards and shop till they drop.
The best thing that could happen is if this latest megabreach forced the industry and Congress to fix some of the system’s vulnerabilities. Three ideas for curbing cybercrime:
Get with the 21st century. The U.S. is far behind Europe, which almost a decade ago replaced the magnetic strip on cards with a digital chip that prevents thieves from counterfeiting cards with stolen data. That’s one reason the U.S. has become a mecca for hackers. The U.S. industry is migrating to these “EMV” cards, but it has moved slowly. The players fight among themselves over everything from who pays to the type of security. Requiring cardholders to use PIN numbers would provide the best security. Whatever the decision, the industry needs to get moving to meet a self-imposed 2015 deadline.
Put stronger protections on debit cards. Credit cards carry the gold standard in protection against having to pay for fraudulent charges. Federal law limits losses to $50, and most issuers take that down to zero. After a data breach, debit cards are similarly protected. But if your debit card is lost or stolen, by law you could lose up to $500, and reimbursement may depend on how quickly you report the loss. There’s no sound reason for the gap.
Set federal standards to protect data. The industry has always provided its own security standards to keep data safe. They’re not working. Federal standards could help, especially if backed by sanctions for flouting them. The Federal Trade Commission has some authority, but the law is nearly 100 years old, and some companies have challenged the agency. Since the Target breach, several senators are calling for more federal authority. They’re right.
Cyberthieves are growing more sophisticated, and nothing can prevent every data breach. But when a company as big as Target can be hacked for 19 days to the tune of 40 million records, consumers deserve tougher protections.
— USA TODAY