Hackers stole payment records on as many as 110 million customer accounts from Target over the holiday shopping season, in one of the largest data security breaches in history. The company has struggled to regain customers’ trust, with noticeable drop-offs in sales since it disclosed the breach on December 19. And Target is not alone in what looks like an identity theft epidemic. Neiman Marcus announced a similar hack of payment records, and at least three more major retailers could come forward in the next several weeks. As more and more customers have reported fraudulent charges, Congress has begun to ask questions about why this happened.
Here’s an answer: The United States has one of the worst payment systems in the entire world, inviting fraud and increasing hassles for anyone who wants to exchange money. In this case, a simple credit protection available on virtually all payment cards outside the U.S. could have dramatically narrowed the scope of the Target breach. It hasn’t happened here, mainly because banks don’t want to spend the money to upgrade the system, writing off the hassle and expense of your identity fraud as a cost of doing business.
The United States is almost alone among developed nations in issuing credit and debit cards with a magnetic stripe that contains all the financial information necessary to make a purchase. Once information gets stolen from a merchant, it can be encoded onto a magnetic stripe and used with a new card. Smart cards in Europe and elsewhere encrypt that data and store it on a microchip, which is much tougher to replicate. More important, the cards also require a personal identification number (PIN) to work. This “chip-and-PIN” system introduces a second authentication factor, forcing thieves to have both pieces of information to successfully use the card. It’s a combination of advanced technology and simple common sense.
Chip-and-PIN would not have prevented hackers from stealing payment information from Target’s databases, but would have made it more difficult to use the records. Because of this, says Georgetown law professor Adam Levitin, would-be identity thieves would have a lower incentive to steal the data in the first place. “Like Willie Sutton says, bank robbers go where the money is,” he said. “Fraud will always find the weakest link. Now that the rest of the world has gone to chip-and-PIN, we’re the weakest link.” Nearly half of all card losses in 2012 occurred in the U.S., according to the trade journal the Nilson Report.
Though 130 countries around the world have phased out their magnetic stripe cards (which you may have noticed if you’ve tried to use a credit card overseas), the U.S. has lagged behind, with both merchants and banks assigning the blame to each other. Retailers need new card readers to handle chip-and-PIN cards, and they can be costly; it’s why only 10 percent of U.S. merchants have upgraded. The merchants don’t want to spend the money until they know banks will issue chip-and-PIN cards. And the banks don’t want to spend money on the more expensive cards until merchants install the card readers. So both sides are effectively telling the other to go first. With no regulatory mandates for anyone, this standoff could continue for years, with consumers paying the price.
“This is different than it has worked everywhere in the world,” said Adam Levitin. “Elsewhere, issuers and merchants have moved in lockstep.”
Some analysts place the blame squarely on banks, arguing that merchants eat the majority of the fraud costs, giving banks no incentive to upgrade. In addition, blogger and author Yves Smith notes that the banks sell the card reader equipment to the merchants, and they have inflated the price. “The impediment is almost assuredly the price point the banks have set,” Smith writes.
Credit card networks like Visa and MasterCard introduced the Payment Card Industry (PCI) Security Standards, which are supposed to provide more anti-fraud controls. But that effectively tries to band-aid an inherently insecure magnetic stripe system. More recently, the card networks proposed a shift in liability rules that they hope will nudge banks and merchants toward upgrading. By October 2015, if the merchant has a chip reader and the card has a traditional magnetic stripe, the bank will be liable for any fraud. Likewise, if a chip-and-PIN card is presented to a merchant with no chip reader, the merchant will be liable. In other words, both sides will be penalized for not upgrading to the chip-and-PIN system.
But again, this is voluntary. And in the meantime, both merchants and issuers manage to absorb the costs of fraudulent purchases (which total around five cents per $100 charged, according to the industry). They consider this cheaper than the costs of upgrading. In fact, one facet of the current system is a profit center for the banks. When a fraudulent transaction goes through, merchants reverse it through something called a charge-back. Merchants must pay the same fee to reverse a charge that they do to swipe one through, along with additional fees. “The retailers say, ‘we’re having to pay to not be paid,’” Adam Levitin said.
This reluctance to upgrade in the U.S. has led to a general creakiness in the payment system. Most U.S. retailers don’t even have real-time authorization capabilities, making it more difficult to detect fraud at the point of sale. The Automated Clearing House (ACH) system can take days to process transactions, wasting time and increasing costs for customers. Banks have outdated processing systems and have been similarly reluctant to upgrade them. Says Levitin, “We’re still using horse and buggies.”
Meanwhile, other countries have leapt past the U.S. In Kenya, the M-Pesa system allows consumers to pay for virtually anything by mobile phone. It has become widely adopted by merchants, making the African nation a world leader in mobile money. Mobile transactions over M-Pesa hit $19.6 billion in 2013. (Attempts to create mobile payment systems in the U.S. are in the startup phase, with entrepreneurs literally going from one business to the next to find retailers willing to use it.)
Levitin argues that America’s previous position as a payments system leader led to its slow pace in keeping up with new technologies. “The reason we’ve lagged behind is because we were ahead,” he said. “Everyone else had to upgrade, while our card system networks were making money. Kenya just didn’t have a regular banking infrastructure. The alternative to M-Pesa is paying in cattle.” Similarly, Europe upgraded to chip-and-PIN because credit card authorization was typically done through phone lines, and 10 years ago, European telecom costs were fairly expensive. “Our technology was not bad enough to upgrade,” Levitin says.
Congress is highly unlikely to get involved in an argument between banking lobbyists and retailer lobbyists. They learned their lesson when trying to legislate “swipe fees,” what banks charge retailers to process credit and debit card transactions. The result was a knock-down, drag-out affair that took months to negotiate.
But the Target breach, and the reputational risk to the big box store, have both merchants and banks rethinking the consequences of maintaining a substandard old system. Mallory Duncan, general counsel for the National Retail Federation, said this week at the trade group’s annual convention that they now encourage members to upgrade to chip-and-PIN card readers, saying “The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers.” And banks have responded to complaints by gradually distributing dual-use cards with magnetic stripes and chip-and-PIN technology, mostly to frequent foreign travelers. U.S. Bank expects all its customers to have the cards by next year.
So there’s a chance that the U.S., like a lumbering giant, will finally make the move to more secure payment systems. Failing that, there’s always Bitcoin.