Big American retail stores have become a top target of cybercriminals, but the retail industry has very little incentive to beef up its security.
Massive retailers have resisted expensive changes to their point-of-sale systems and security standards that could help thwart the kind of major attacks at Target and Neiman Marcus last year. For one thing, they fear that newer credit card technology could slow down checkout lines.
"You have a system that's designed to be as cheap and frictionless as possible, and that convenience came at the cost of security and consumer privacy," said Kevin O'Brien, an executive at data security firm CloudLock.
But retailers also see more to gain from collecting consumer information than protecting it. That magnetic stripe shares your name, bank and card information with anything it touches. Tell a cashier your ZIP code, and that arms them with information to send a marketing blitz your way. Harnessing that data promises up to 60 percent higher returns, according to the McKinsey Global Institute.
That lucrative flow of data could dry up if retailers adopt more advanced, chip-based cards. Chip-and-PIN payment systems promise stronger security at the checkout by immediately encrypting your information. That means hackers won't have access to your data -- but retailers wouldn't either.
Meanwhile, banks and retailers have waited on one another to implement chip-and-PIN. It will cost at least $8 billion to upgrade the nation's 610 million credit cards, 520 million debit cards, 15 million card terminals and 360,000 ATMs. Banks and retailers are engaging in what identity theft expert Adam Levin calls "a dangerous game of chicken."
Retailers' current standards just aren't cutting it. The industry regulates itself through the Payment Card Industry Council. But the relatively relaxed PCI standards are often misinterpreted as the pinnacle of security instead of the bare minimum to protect consumer information, said SilverSky analyst Richard Westmoreland. The council levies fines when fraud occurs, but most hacks are small-scale and don't significantly impact retailers' bottom lines.
Cybercriminals have taken notice. Hackers that once targeted banks exclusively now aim at retailers. In 2013, they recorded the highest number of data breaches in a decade, according to the Open Security Foundation. Meanwhile, the underground market for credit cards and personal information has exploded, noted Javelin Strategy & Research senior analyst Alphonse Pascual.
That's why hackers were able to steal personal data on up to 70 million Target customers, plus 40 million debit and credit cards swiped there and another 1.1 million cards from Neiman Marcus.
These exposed the personal or financial data of nearly a third of U.S. adults, dire enough that Congress recently held three hearings asking those retailers and experts how to prevent massive data breaches from happening again.
One possible step is to force companies everywhere to notify consumers when their data has been exposed -- instead of relying on a patchwork of 46 different state laws.
"There should be a single federal law that sets out very clearly to companies that are breached: Here is what you have to do, when you have to do it, and how you have to do it," said Jason Oxman, CEO of the Electronic Transactions Association trade group.
Another is to force the adoption of chip-and-PIN cards. It worked in England, where credit card fraud plummeted 34 percent in the six years after British banks and merchants implemented them. Credit card companies already have that in the works for October 2015, when any bank or retailer that doesn't have the technology will be liable for fraud losses. The federal government could speed that up and require additional protections.
The retail lobby says it's now on board for those changes -- but they still want banks to make the first move on new credit cards. Until both industries get their act together, however, be on guard for further Target-style breaches.
"This problem is systemic to the U.S. and won't go away anytime soon," said David Burg, the top cybersecurity consultant at PricewaterhouseCoopers.