A customer signs his credit-card receipt at a Target store in Florida. Target was among the retailers that had their customers’ data breached last year.
ASSOCIATED PRESS Enlarge
If ever there were a cause for bipartisan support in Congress, it is protecting Americans’ personal information following the holiday 2013 credit-card debacle.
It now appears that information on as many as 110 million customers was breached by hackers who got access through systems at Target, Neiman Marcus, and several other unnamed retail outlets.
Decades-old technology akin to cassette tapes of yore apparently is to blame, experts say. Retailers and credit- card companies in the United States continue to use 20th-century magnetic- stripe cards that allow data to be accessed more easily, rather than 21st- century chip-imbedded cards that make it nearly impossible to duplicate.
About 10 years ago, retailers and bankers in Europe moved to more secure cards with embedded chips that require a PIN (personal identification number) and enter data differently for each transaction — two features that thwart cyberpunks.
It’s been argued that U.S. companies have stuck with the cheaper, insecure stripe cards because they considered the accompanying losses manageable — ignoring, of course, the hassle customers go through when their information is breached.
It’s time now for the suits in America to think about customers first and shareholders second. Security analysts say MasterCard, Visa, American Express, and Discover have set October, 2015, as the target date to phase out stripe cards.
Businesses should spend the extra money now to accelerate the switch to the more secure chip technology by the next holiday season.
Companies push patrons to the Web for everything these days — heaven forbid they actually talk to someone on the phone — so the least they can do is accelerate the move to modernize their Web technology.
Likewise, it is time to update the nation’s data breach laws and give more power to the Federal Trade Commission to investigate company security practices.
Sen. Patrick Leahy (D.,Vt.) has reintroduced a Personal Data Privacy and Security Act, which he has been pushing since 2005. Congress ought to pass it.
The bill spells out tough criminal penalties for those who intentionally conceal a security breach that causes economic damage to consumers; requires companies to protect data privacy and security, and makes attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense.
Credit-card transactions in the United States have been ripe fruit for easy picking by Web punksters who take the information and sell it on the black market.
Let’s make it more difficult for them to bring in the harvest.