Tomorrow, Saturday morning, 11/29, I'll discuss data breaches and card security on C-SPAN's Washington Journal with Pedro Echevarria beginning at 8:40 AM Eastern. Why now? It's the biggest shopping weekend of the year, with Black Friday and Cyber Monday bracketing 2 more big shopping days. By the way, if I shop at all this weekend, it'll be with credit, not debit, cards.
Why do I shop with credit cards? Two reasons: First, your legal rights are much stronger with credit cards. Second, and even more importantly, credit card fraud usually involves just one or two phone calls with the bank and then they mail you a new card. With debit card fraud, the bad guy has taken your money from your checking account. You need to wait for the bank to do an investigation (up to ten days or more) before you get it back, which could lead to you being unable to pay other bills. (Our tips for breach victims are here.)
An empty checking account is a much bigger hassle than me getting polite requests to "update my account information" from my various credit card "auto-pays" after my bank spots fraud and sends a new credit card.
Quite a bit has been happening in this space since some of the biggest retailers (Target, Home Depot, Michael's, to name a few) and the nation's biggest bank (JPM Chase) admitted to massive data breaches affecting their systems.
At Congressional hearings earlier this year, I pointed out some of the problems that have exacerbated our current data breach/card fraud mess. I mostly blame the banks, for their insistence on using clunky, hackable, and risky 1970s-era magnetic stripe technology even after other countries have been using the safer "Chip-and-PIN" system for years. Even today, as the banks are finally rolling out chip cards, they would prefer to stop at the lesser level of "Chip-and-Signature," or as it is being re-framed by their flacks, "Chip-and-Choice."
(1) In my testimony, I noted that fifteen years ago, when the nation's biggest banks and card networks wanted to increase the number of transactions across their cash-cow, signature-based magnetic stripe payment systems, they took secure PIN-based ATM cards and morphed them into risky signature-based debit cards. When they ask "debit or credit?", the little machines are really asking "safe PIN or risky signature?" The project was a success for the banks and card networks and a headache for merchants. Debit card transactions substituted for cash transactions, and total plastic transactions (debit, credit and prepaid cards) now dominate over cash in the retail space, while consumers have been both confused by the "debit or credit" question and encouraged by rewards to select "credit" (or "risky signature"). Meanwhile, retailers, which have seen "swipe fees" for accepting plastic cards rise dramatically as a cost of doing business, have fought back with lawsuits, the "Durbin amendment," and their own alternative payment platform.
(2) Second, I urged Congress not to enact a federal data breach notice law if the effect would be to both override stronger state data breach notice laws and prevent states from further data security innovations, even if the new federal law only addresses the partial issue of data breach notices. States have been our first responders on other data security improvements, including passing 49 security freeze laws following a U.S. PIRG/Consumers Union campaign. New account identity theft occurs because bad guys apply for credit in your name, which requires access to your credit report. If your report is frozen, that's a big clue to the store that requests it and the credit will be denied.
By the way, over-priced, deceptively marketed credit monitoring -- while extremely profitable to banks and credit bureaus -- doesn't stop either new account identity theft or existing account fraud. Don't buy it.
Chip-and-PIN will go a long way toward stopping in-person fraud. Smart chips in cards mean that your card cannot be cloned; PINs show you are the legitimate user. With a chipped card, merchants will not get your actual credit card number, just a one-time-use number useless to the thieves on the dark side of the Internet. However, much more will need to be done to stop "card not present" online fraud; work is proceeding in that space.
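To make the "cannot be cloned" and "one-time-use number" points concrete, here is a small Python model added as an editorial example; it is not code from this post or from any card network or bank. It contrasts a stripe issuer, which can only compare static track data (so a copied stripe authorizes just as well as the original), with a chip issuer that checks a per-transaction cryptogram and a transaction counter held on the card. HMAC-SHA256, the message layout, the token names and the sample track string are constructed stand-ins chosen for readability; real EMV uses issuer-derived card keys and a different MAC over defined fields.

```python
"""Toy model: static magnetic-stripe card vs. chip card with per-transaction
cryptograms. Constructed teaching example, not a real EMV implementation
(EMV derives card keys from an issuer master key and computes a 3DES/AES MAC
over specific fields; HMAC-SHA256 and the field layout here are stand-ins)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# ---------- magnetic stripe: the card is nothing but static data ----------

@dataclass
class StripeIssuer:
    """Issuer that knows only the static track data encoded on the stripe."""
    track_on_file: str

    def authorize(self, track_presented: str, amount: int) -> bool:
        # Anyone holding a copy of the track data is indistinguishable from
        # the genuine card: there is nothing per-transaction to check.
        return hmac.compare_digest(track_presented, self.track_on_file)


# ---------- chip card: a secret key that never leaves the card ----------

@dataclass
class ChipCard:
    pan_token: str   # what the merchant sees; the card's secret is never sent
    _key: bytes      # card-unique key shared only with the issuer
    atc: int = 0     # application transaction counter, increments per use

    def generate_cryptogram(self, amount: int, terminal_nonce: bytes) -> dict:
        """Build one authorization message; each call consumes one ATC value."""
        self.atc += 1
        msg = b"%s|%d|%d|%s" % (self.pan_token.encode(), self.atc, amount,
                                terminal_nonce.hex().encode())
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"token": self.pan_token, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce.hex(), "cryptogram": mac}


@dataclass
class ChipIssuer:
    keys: Dict[str, bytes]                       # token -> issuer copy of key
    last_atc: Dict[str, int] = field(default_factory=dict)

    def authorize(self, auth: dict) -> bool:
        key = self.keys.get(auth["token"])
        if key is None:
            return False
        # Replay / clone check: the counter must move strictly forward.
        if auth["atc"] <= self.last_atc.get(auth["token"], 0):
            return False
        msg = b"%s|%d|%d|%s" % (auth["token"].encode(), auth["atc"],
                                auth["amount"], auth["nonce"].encode())
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return False
        self.last_atc[auth["token"]] = auth["atc"]
        return True


def stripe_scenario() -> Tuple[bool, bool]:
    """Genuine swipe, then the same captured track data presented again."""
    track = "4111111111111111=2512101...CONSTRUCTED"   # placeholder track data
    issuer = StripeIssuer(track_on_file=track)
    genuine = issuer.authorize(track, amount=5000)
    copied = issuer.authorize(track, amount=9999)      # a copy works equally well
    return genuine, copied                             # (True, True)


def chip_scenario() -> Tuple[bool, bool, bool]:
    """Genuine chip transaction, then a replay, then a message altered
    by someone who saw the merchant-side data but lacks the card key."""
    key = secrets.token_bytes(16)
    card = ChipCard(pan_token="TOKEN-0001", _key=key)
    issuer = ChipIssuer(keys={"TOKEN-0001": key})
    auth1 = card.generate_cryptogram(amount=5000, terminal_nonce=secrets.token_bytes(4))
    genuine = issuer.authorize(auth1)
    replay = issuer.authorize(dict(auth1))              # same ATC: rejected
    altered = dict(auth1, atc=auth1["atc"] + 1, amount=9999)
    altered_ok = issuer.authorize(altered)              # MAC no longer matches
    return genuine, replay, altered_ok                  # (True, False, False)


if __name__ == "__main__":
    print("stripe (genuine, copied):", stripe_scenario())
    print("chip (genuine, replay, altered):", chip_scenario())
```

The issuer-side checks are the whole story: with the stripe, the data the merchant handles is the credential, so a skimmed copy is as good as the card; with the chip, the merchant only ever handles a token, a counter and a MAC, none of which lets anyone produce the next valid message.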
I've been encouraged by two recent announcements. First, there was the September roll-out of Apple Pay as an alternative to plastic cards. It appears to be a secure and convenient system that will stimulate additional, healthy technological competition for better payment systems. The banks, however, such as JPM Chase, that are aligned heavily with Apple Pay, may eventually find that Apple's real goal is to take over, not share. In response, the merchants are pushing their own (mostly potential) alternative payment mechanism, Merchant Customer Exchange (or MCX).
Second, the President's October Executive Order on customer transactions and data security was important because the President ordered that all new government cards and payment systems be Chip-and-PIN based. You can be sure that the banks lobbied for the weaker Chip-and-Signature. Significant government procurement of cards and devices will help drive innovation. Watch for a follow-on White House summit on the issue soon.
However, as I noted recently in this blog:
But it is important to understand that this fight is like the old Mad Magazine "spy-vs-spy" Cold War cartoons, with increasing escalation each time a new cyber-weapon or cyber-protection is brought to bear. When we build a 10-foot wall, the bad guys go and get an 11-foot ladder.