Given the recent credit card mega-breach at Target, it’s no surprise that the Feds will soon be jumping in to add a new layer to the already existing compliance guidelines and regulations. I’m sure this seems like a reasonable response for many, given the publicity around this breach and the potential for widespread fraud that could result. But as usual, I am concerned that Congress will be placing an undue burden on credit card processing companies instead of taking a balanced look at the industry as a whole.
Thankfully, Congress is considering ways to make credit and debit cards more secure. I’d suggest they take a good look at Europe, which has been ahead of the US for some time in this area. For starters, the smart card technology that many European countries have adopted is extremely difficult to duplicate or forge and has built-in tamper-resistance. It’s been about a decade since card issuers in the EU and Japan started using smart chips. And in that time, it’s no coincidence that the US has become a high-value target in the fraud game.
Unless Congress adopts new regulations that require card issuers to update their technology, the real issue will never be addressed. By avoiding new technology mandates and simply imposing penalties on the thieves and their targets (no pun intended), Congress will never achieve true credit card security. Instead, in true Congressional fashion, the solution will all be smoke and mirrors and the endless cycle will just continue.
I’m still holding out hope that I may be surprised by the legislation. But in the near term, I’m not expecting any traction in driving change within the credit industry. After all, they have a pretty effective lobbying force in the US government that will fight this tooth and nail.
Other parts of the bill seek to make it more illegal to steal credit card data. In other words, harsher penalties will be levied against people who cannot be tried in a US court of law. Last I heard, a 17-year-old Russian kid was at the heart of the Target breach. And I haven’t heard a thing about him giving himself up for extradition to the US to face charges.
There are other sections of the bill, however, that outline increased responsibility for customer notification in the event of a breach. This is a good thing, but there are some who seek to place more responsibility on those that accept credit cards. This may be quite misguided, however, unless the industry is prepared to buck up and provide something more secure than an easy-to-duplicate magnetic strip.
Frankly, we’re sitting ducks if we don’t change the way we look at credit payments. To use an analogy (which I love to do), asking merchants or payment processors to secure credit card data in the US is the equivalent of putting Jell-o in a sieve and expecting it not to leak. While the sieve may hold most of the Jell-o, in the end there’s not much anyone can do (without constant surveillance and a lot of help) to stem the flow.
Rather than continuing to place additional restrictions on those that accept credit cards in the US, let’s get real about the issue. The current US implementation of credit cards is outdated and prone to theft by design. Let’s take steps now to redesign and, over time, implement changes in credit card technology that make it more difficult for thieves to prosper. Penalizing the merchant is certainly due in some cases, but continuing to do so without regard to better card security would be like penalizing citizens for a break-in on their own property when they’re forced to use standard-issue doors with cheap locks.