Smart cards can stop another breach
Three days of hearings on Capitol Hill about the jaw-dropping data breaches at Target and Neiman Marcus brought to light one new apology and at least two familiar lessons. The lessons are worth reiterating.
First, there’s fresh evidence retailers have a hard time admitting when they’ve been hacked. Once they do, they find it hard to tell the whole story.
Target said nothing about the breach until an independent security researcher disclosed it on his blog. In its initial statement, the company said the attack involved 40 million card accounts. Three weeks later, Target revealed other records affecting 70 million customers also were stolen. Finally, after repeating “how sorry we are that this happened,” a Target executive divulged the breach lasted three days longer than initially admitted. Neiman Marcus has been similarly evasive.
This is the kind of slow-motion, piecemeal response that infuriates consumers. A uniform federal standard mandating how retailers report data breaches, which some in Congress are advocating, would be an improvement compared to the varying state-by-state disclosure laws now in effect, which can allow companies to investigate for months before announcing anything. On this, most retailers and banks agree.
The second lesson is to speed adoption of smart-chip cards with encrypted chips embedded in them, often requiring a password to use. Consumers in about 80 countries now use the technology, which has been shown to significantly reduce fraud and identity theft, but it hasn’t caught on in the United States, where most cards still use antiquated magnetic-stripe technology.
Switching to the new cards is a complicated and expensive process that requires cooperation between several parties — card issuers, banks and merchants — with conflicting priorities. Merchants don’t want to shell out for new smart-chip terminals, for instance, unless they’re sure issuers will pay up to produce the cards.
Yet, it’s worth it: Although these cards wouldn’t have prevented the data theft at Target ... they would have made using that data to create counterfeit credit cards much harder — and thus substantially reduced the incentive to try. ...
Merchants and issuers are expected to finally adopt the technology in the United States by October 2015. Target, commendably, now plans to accelerate its transition and have the gear in place by early next year. As other retailers watch Target contend with investigations, lawsuits and the ire of consumers and investors alike, doing the same might start looking cheaper and cheaper.
— The Bloomberg View
Rules for posting comments
Comments posted below are from readers. In no way do they represent the view of Oahu Publishing Inc. or this newspaper. This is a public forum.
Comments may be monitored for inappropriate content but the newspaper is under no obligation to do so. Comment posters are solely responsible under the Communications Decency Act for comments posted on this Web site. Oahu Publishing Inc. is not liable for messages from third parties.
IP and email addresses of persons who post are not treated as confidential records and will be disclosed in response to valid legal process.
Do not post:
- Potentially libelous statements or damaging innuendo.
- Obscene, explicit, or racist language.
- Copyrighted materials of any sort without the express permission of the copyright holder.
- Personal attacks, insults or threats.
- The use of another person's real name to disguise your identity.
- Comments unrelated to the story.
If you believe that a commenter has not followed these guidelines, please click the FLAG icon below the comment.