Target data breach pits banks against retailers
Banks and big retailers are locked in a debate over the breach of consumer data that gripped Target Corp. during the holiday season. At issue: Which industry bears more responsibility for protecting consumers' personal information?
The retailers' argument: Banks must upgrade the security technology for the credit and debit cards they issue.
The banks' counterargument: Newer electronic-chip technology wouldn't have prevented the Target breach. And retailers must tighten their own security systems for processing card payments.
The finger-pointing is coming from two industries with considerable lobbying might. Their trade groups have been bombarding lawmakers with letters arguing why the other industry must do more -- and spend more -- to protect consumers.
"Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements," the Independent Community Bankers argued last month. "In some cases retailers haven't even had technology in place to alert them to the breach intrusion, and third parties like banks have had to notify the retailers that their information has been compromised."
The National Retail Federation has fired back:
Retailers must accept "fraud-prone cards" issued by banks that are attractive to thieves, the federation's general counsel testified at a Senate subcommittee hearing last week. "Unlike the rest of the world, the U.S. cards still use a signature and magnetic stripe for authentication."
In the middle are American consumers, many of whom say they're alarmed about the safety of their personal information since the Target breach. And Congress is examining data security breaches and what to do about them.
An estimated 40 million credit and debit card accounts were affected by the Target breach. Stolen were customers' names, credit and debit card numbers, card expiration dates, debit-card personal identification numbers and the embedded codes on the cards' magnetic strips.
Also stolen was non-card personal information -- names, phone numbers and email and mailing addresses -- for up to 70 million customers.
The Target theft could prove to be the biggest data breach on record for a U.S. retailer. Minneapolis-based Target, the No. 2 U.S. discounter, has acknowledged that news of the breach has scared some shoppers away.
Retailers are trying to shore up consumers' confidence by upgrading and testing their systems for accepting payments. But their trade association says the billions that merchants are spending won't prevent breaches unless the banks adopt more secure card technology.
The banks plan to put digital chips for storing account information on debit and credit cards by the fall of 2015. The chip system, which is common in other countries, typically makes data theft harder than the current magnetic strips do. This would be a step forward but hardly a guarantee against cyber attacks, the banks caution.
Retailers want the chips, but they also want each debit or credit card transaction to require a PIN instead of a signature. Experts say it's harder for criminals to steal PINs than to forge signatures.
The magnetic strips use the same technology as cassette tapes to store account information and are easy to copy. By contrast, a digital chip generates a unique code each time it's used. Criminals can steal and sell data from cards with chips, but they can't create fraudulent cards.