Stop Pretending That Your Credit Card Information Is Secure

NEW YORK (TheStreet) -- The recent Home Depot  (HD) and Target  (TGT) credit card information breaches told consumers what banks, retailers, credit card companies and experts have known for a long time: U.S. credit cards are absolutely not secure.

Home Depot announced earlier this month that a credit card breach put millions of its customers' information, money and credit at risk. Security blogger Brian Krebs discovered that the software used to infiltrate Home Depot's system was similar to that used last year to snatch the data of more than 70 million Target shoppers.

Back in 2007, 94 million shoppers had their data compromised after using their cards at TJX  (TJX) stores including T.J. Maxx and Marshall's. In January, the data of more than 300,000 cardholders was accessed during a breach at Neiman Marcus. In August, hackers lifted data from 33 P.F. Chang's restaurant locations. Those aren't leaks: Those are bursting dams adding to a devastating flood.

"The bottom line is that we can't simply afford to stick our heads in the sand anymore,” says Curtis Arnold, founder of credit card industry rating and monitoring sites founder of CardRatings.com and BestPrepaidDebitCards.com. "This financial crisis [I'll call it what it is] is costing all of us way too much...financial institutions, retailers, businesses and consumers alike."

Credit protection firm BillGuard estimates that losses from fake charges tied to the Home Depot breach could reach upwards of $3 billion after a hacker sold millions of stolen credit card numbers on the Ukraine-based site Rescator. While most of the blame for these breaches lies with the hackers themselves, Arnold and other experts note that the decades-old credit card technology still being used in the U.S. is largely at fault.

U.S. retailers, banks and credit card companies still rely largely on cards magnetic strips that contain far more data than any consumer should be carrying in his or her pocket. They're easy to read, easy to duplicate and easy for hackers to exploit.

"Virtually ever cardholder has been affected directly or indirectly," Arnold says. "Our current swipe and sign system is quite antiquated . . . a dinosaur when it comes to payment technologies."

Yet, that's the system currently and overwhelmingly used at point-of-service payment and automated teller locations throughout the United States. Proposed solutions either haven't caught on or have been costly to implement.

Chase (JPM) , Citigroup  (C) and Bank of America  (BAC) all use programs that offer randomly generated card numbers for consumers to use with online merchants to protect their accounts. However, Arnold notes the extra steps required to use those programs turned off many consumers, while the differences between Bank of America's ShopSafe, Citi's Virtual Numbers and other programs met with varied success.

That consumer sloth isn't to be underestimated. A recent CardRatings survey found that 25% of all cardholders had been victims of data theft. Among those victimized, though, only 51% checked their credit card statement, 45% checked their credit report, 54% checked their bank accounts and a scant 24% either signed up for credit monitoring or put a credit freeze in place.

That leaves security in the hands of card issuers and merchants. The National Retail Federation has advised banks, credit card companies and its retail members to embrace technology that replaces sensitive account data with a unique token or symbol to make it less vulnerable. Apple's (AAPL) recently announced Apple Pay and Google's (GOOGL) own Google Wallet both use versions of this "tokenization" strategy to protect user information.

"There are a lot of hurdles for these technologies to overcome in order to be fully adopted," Arnold says. "For example, major retailers like Walmart (WMT) aren't quickly adopting Apple's new service as they want to have more control over the payment process. I think we are moving in that direction -- but it's gonna take time and maybe considerable time."

But even tokenization is being embraced by the U.S. faster than so-called EMV or chip-and-PIN technology. Used to great effect in Europe since the early 1990s, EMV cards -- which take their name from Europay/MasterCard/Visa -- contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. There isn't a magnetic strip with all a user's data embedded in it and there's a far lesser chance of a chip-and-PIN user's data being stolen.

It’s estimated that 40% of the world’s cards and 70% of its terminals outside the U.S. are using the EMV cards. Visa (V) says 62% of its transactions outside the U.S. use EMV technology. However, neither merchants nor banks, credit unions or other financial institutions are in any rush to embrace EMV for one big reason: cost. According to market research firm Javelin Strategy and research, there are 15 million card readers, 360,000 ATMs and more than 1.1 million credit and debit cards that would have to be replaced at a cost of roughly $8.65 billion.

"Merchants don't want to pay for new POS terminals until they have to," says Ellen Cannon, editorial director of CardRatings.com. "Unlike in Europe, merchants in the U.S. aren't on the hook for fraud; the card issuers are. So there is no incentive to adopt new technology."

Fortunately for cardholders, that's about to change in a hurry. Visa, MasterCard (MA) , Discover (DFS) , American Express (AXP) and their banking partners have set a deadline of October 2015 for a "liability shift" that, for the first time, would make merchants liable for any fraudulent charges that result from using point-of-service readers that can't read EMV cards. The issuers will be doling out the new technology, but it will be up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be on the hook for the resulting fraud associated with data stolen from magnetic strips.

"The bottom line is that the technology is currently there to protect consumers," Arnold says, "but there is a chasm as big as the Grand Canyon between having technology and actually implementing it to the masses."

At the time of publication the author had no positions in any of the stocks mentioned.

This article is commentary by an independent contributor, separate from TheStreet's regular news coverage.

Follow @notteham

 

More from Opinion

Elon Musk's Latest Twitter Tirade Is the Dumbest Thing on Wall Street

Elon Musk's Latest Twitter Tirade Is the Dumbest Thing on Wall Street

Elon Musk's Twitter Tirade Is the Dumbest Thing on Wall Street

Elon Musk's Twitter Tirade Is the Dumbest Thing on Wall Street

Why Google's Search Momentum Won't Be Badly Hurt by New EU Rules

Why Google's Search Momentum Won't Be Badly Hurt by New EU Rules

Flashback Friday: Amazon, Chip Stocks, Memorial Day

Flashback Friday: Amazon, Chip Stocks, Memorial Day

Time to Talk Tesla: What Happened This Week, Elon?

Time to Talk Tesla: What Happened This Week, Elon?