How many credit card breaches need to happen before retailers and consumers begin to demand a change? From experience I can say with confidence that the average consumer doesn’t know enough to ask for a change until they are dealing with identity theft that is the fault of an entity outside their control. Retailers are going to do the bare minimum from a regulatory standpoint, in a delicate balance with keeping the customers happy. Unfortunately, fast and easy is prioritized over safe and secure. Billions in theft and fraud have happened over the last 10 years and still the United States is doing very little to change it.
The problem at the core is the transaction system at the point of sale, which is the process a retailer uses to capture your payment information and charge you for your goods or services. Retailers want that process to be as smooth and painless as possible, because customers want a swipe-and-pay, in-and-out flow. Unlike the rest of the world, which has moved on to cards that have more security built into them, the credit/debit cards generally used in the United States are still on the ‘old’ way of doing things. That means that every single piece of data a retailer needs to charge the account is on the card. The account number, expiration date, the customer’s name, and even the ‘security’ code on the back of the card are all that is needed. Anyone who has the card can use it; there is no security challenge beyond that.
When retailers get hacked, like TJ Maxx and more recently Target, the information needed to drain the accounts is right there in broad daylight, open for the world to see and use. That’s the problem. Change the payment methods and you can start making fraud exponentially more difficult. There is a trade-off though: additional security means more steps, or a change to existing steps, which impacts the end user. Security over convenience. Target has attempted to tackle this security problem before but backed down because checking out with more security was slower than at the stores across the street with less security. In the money-making game you sometimes have to make sacrifices to keep the dollars coming through the doors.
In the early 2000s, the Minneapolis-based company installed “smart card” technology at all its U.S. stores, designed in part to thwart the kind of security breach that Target is now scrambling to contain. The company said it ultimately abandoned the three-year pilot because no other retailer adopted the technology, which put Target at a disadvantage because the emerging technology slowed down checkout times.
“We went out on our own and did something innovative and ultimately the industry didn’t keep pace with Target,” Chief Financial Officer John Mulligan said in a recent interview. “So there wasn’t a lot of benefit outside Target for our guests. And the in-store experience was adversely impacted because it was a slower checkout process.”
Their experiment 10 years ago and the reasons why they stopped show that security has been, and still is, de-prioritized in favor of convenience. Perhaps if Target had stuck with its plans, kept its smart card technology and grown it, last month’s breach would never have happened and 4.6 million accounts wouldn’t have been put at serious risk. Security in today’s age shouldn’t be ignored; it should be embraced. In fact, there’s a marketing angle here: stand tall and show off your up-front focus on protecting all data. Shop at Store X and you can sleep soundly knowing that your accounts are safe, unlike at Store Y across the street. For that message to be told, marketers would have to work with IT to understand security, and Marketing and IT are natural-born enemies in the corporate world, like lions and hyenas.
It all sounds good and easy, but at the end of the day, until the average customer is willing to adopt it, security tends to die on the vine and doesn’t change until something negative happens and is felt.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.